Ajax using https on an http page

6

101

My site uses both the http and https protocols; it doesn't affect the content. My site also uses jQuery ajax calls, which fill some areas on the page.

Now, I would like to do all ajax calls over https. (Please don't ask me why :)) When I am on a page with the https protocol, ajax requests are working. When I'm on a page with the http protocol, I get a javascript error: Access to restricted URI denied

I know that this is a cross domain problem (in fact, it's a cross protocol problem), and I know that I should use the same protocol in ajax calls as on the current page.

Still, I want all ajax calls to be https, and to call them on a page that was served over http. Is there any workaround to achieve this (some json/proxy solution?), or is it simply impossible?

Resale answered 9/7, 2009 at 19:18 Comment(4)
Why not match the ajax to the loading page protocol? – Grasshopper
They specifically said "Please don't ask me why." – Pemphigus
Why do you need AJAX with HTTPS though..... – Portiaportico
For example for a more dynamical checkout form which is connecting to a payment gateway like paypal in the background so people can see what is happening.. Just one of more possibilities – Wilding
58

Add the Access-Control-Allow-Origin header from the server

Access-Control-Allow-Origin: https://www.mysite.com

http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing

Pierce answered 10/5, 2011 at 17:4 Comment(2)
Great response - but not supported by some browsers still in use, like Opera (not at all) and Internet Explorer (supported since version 8) caniuse.com/#search=cors – Geraldine
Seems like Opera supports it now: en.wikipedia.org/wiki/… Only not Opera Mini though... – Regularly
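
The browser compares the `Access-Control-Allow-Origin` value with the calling page's origin as an exact string, scheme included, so an https API called from an http page has to name the `http://` origin. The following is an added example (not from the original answer) of a Node-style handler that echoes only allow-listed origins; the origin list, the allowed methods and the `simulate` helper with its constructed requests are assumptions for illustration.

```javascript
// Added example, not from the original answer. Origins are assumptions built on the
// answer's www.mysite.com placeholder; the http:// entry is the page making the call.
const ALLOWED_ORIGINS = new Set([
  'http://www.mysite.com',
  'https://www.mysite.com',
]);

// Build CORS response headers for one request. The Origin value is compared as an
// exact string (scheme + host + port); no wildcard, no substring or regex matching.
function corsHeaders(method, reqHeaders) {
  const headers = { Vary: 'Origin' }; // keep caches from reusing one origin's answer
  const origin = reqHeaders.origin;
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return headers;
  headers['Access-Control-Allow-Origin'] = origin;
  if (method === 'OPTIONS' && reqHeaders['access-control-request-method']) {
    // Preflight: state what the real request may use (assumed values).
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Handler in the shape Node's https.createServer() expects: (req, res).
function handle(req, res) {
  const headers = corsHeaders(req.method, req.headers);
  if (req.method === 'OPTIONS') {
    res.writeHead(204, headers);
    return res.end();
  }
  headers['Content-Type'] = 'application/json';
  res.writeHead(200, headers);
  res.end(JSON.stringify({ ok: true }));
}

// Constructed request/response pair so the block runs without a network listener.
function simulate(method, reqHeaders) {
  const out = { status: 0, headers: {}, body: '' };
  const res = {
    writeHead(status, h) { out.status = status; out.headers = h; },
    end(body) { out.body = body || ''; },
  };
  handle({ method, headers: reqHeaders }, res);
  return out;
}

console.log(simulate('GET', { origin: 'http://www.mysite.com' }).headers);
console.log(simulate('GET', { origin: 'http://www.mysite.com.evil.example' }).headers);
```

A response without the header still reaches the browser; the browser only withholds it from the calling script, so state-changing endpoints need their own authorization checks.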
11

Try JSONP.

Most JS libraries make it just as easy as other AJAX calls, but internally use an iframe to do the query.

If you're not using JSON for your payload, then you'll have to roll your own mechanism around the iframe.

Personally, I'd just redirect from the http:// page to the https:// one.

Once answered 9/7, 2009 at 19:58 Comment(4)
Hmm, I have tried jQuery .ajax with the jsonp:'jsonp_callback' option set, but still the same JS error. – Resale
Maybe you have to add the callback parameter in the URL – Once
@Resale Does the endpoint you're sending the query to support JSONP in the first place? – Receivership
For the sake of my sanity I'm going to go with your last option... Simple redirect to https: – Retractor
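
For the JSONP route discussed in this answer and its comments, the endpoint has to read the callback name from the URL and wrap its JSON in a call to that name. The following is an added example (not from the original posts) of that server side with the callback name validated before it is written into the response; the parameter name `callback`, the payloads and the placeholder base URL are assumptions.

```javascript
// Added example, not from the original posts. The query parameter name "callback"
// and the payloads are assumptions chosen for illustration.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Wrap a payload for JSONP, or return null when the callback name is not a plain
// identifier. Anything looser lets the query string place script in the response.
function jsonpBody(callbackName, payload) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) return null;
  const json = JSON.stringify(payload)
    .replace(/</g, '\\u003c')        // no "</script>" sequence inside the body
    .replace(/\u2028/g, '\\u2028')   // line separators are legal in JSON but were
    .replace(/\u2029/g, '\\u2029');  // not legal in JS string literals before ES2019
  // The leading comment keeps caller-chosen bytes off the start of the response.
  return '/**/' + callbackName + '(' + json + ');';
}

// Turn a request URL into the status, headers and body the endpoint should send.
function jsonpResponse(requestUrl, payload) {
  const url = new URL(requestUrl, 'https://placeholder.invalid'); // base is a placeholder
  const body = jsonpBody(url.searchParams.get('callback'), payload);
  if (body === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'bad callback' };
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body,
  };
}

// Constructed requests: one library-style callback name, one rejected name.
console.log(jsonpResponse('/data?callback=jQuery123_456', { status: 'ok' }));
console.log(jsonpResponse('/data?callback=alert(1)//', { status: 'ok' }));
```

Whatever the endpoint returns runs as script in the calling page, so JSONP responses should carry nothing that depends on the caller's cookies unless the request is authorized some other way.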
9

http://example.com/ may resolve to a different VirtualHost than https://example.com/ (which, as the Host header is not sent, responds to the default for that IP), so the two are treated as separate domains and thus subject to crossdomain JS restrictions.

JSON callbacks may let you avoid this.

Tricho answered 9/7, 2009 at 19:24 Comment(3)
dead link on JSON callbacks :( – Piatt
@Piatt This answer is ten years old tomorrow, and broken links are why we ask that questions include enough information to survive one. – Tricho
just noticed the 10 years ha... and yes good point. It's okay, will google around for this one & edit answer if I find anything – Piatt
4

Check out the opensource Forge project. It provides a JavaScript TLS implementation, along with some Flash to handle the actual cross-domain requests:

http://github.com/digitalbazaar/forge/blob/master/README

In short, Forge will enable you to make XmlHttpRequests from a web page loaded over http to an https site. You will need to provide a Flash cross-domain policy file via your server to enable the cross-domain requests. Check out the blog posts at the end of the README to get a more in-depth explanation for how it works.

However, I should mention that Forge is better suited for requests between two different https-domains. The reason is that there's a potential MiTM attack. If you load the JavaScript and Flash from a non-secure site it could be compromised. The most secure use is to load it from a secure site and then use it to access other sites (secure or otherwise).

Please answered 22/7, 2010 at 20:11 Comment(0)
2

You could attempt to load the https page in an iframe and route all ajax requests in/out of the frame via some bridge. It's a hackaround but it might work (not sure if it will impose the same access restrictions given the secure context). Otherwise a local http proxy to reroute requests (like any cross domain calls) would be the accepted solution.

Tabard answered 9/7, 2009 at 19:22 Comment(2)
After reading this thread, I'd stick with JSONP: dslreports.com/forum/r21425467-IFrame-With-HTTPS-on-HTTP-Page – Tibia
This can be done, but be sure to set P3P headers if you need sessions cookies from the iFrame... otherwise MSE will say "nu uh uh" – Linger
2

Here's what I do:

Generate a hidden iFrame with the data you would like to post. Since you still control that iFrame, same origin does not apply. Then submit the form in that iFrame to the ssl page. The ssl page then redirects to a non-ssl page with status messages. You have access to the iFrame.

Zolly answered 12/9, 2011 at 13:51 Comment(1)
This can be done, but be sure to set P3P headers if you need sessions cookies from the iFrame... otherwise MSE will say "nu uh uh" – Linger
