JavaScript cross-domain call: call from HTTP to HTTPS

javascript ajax http cross-domain .net-4.0

I need to make an asynchronous call to a secure (HTTPS) URL for the same domain.

Currently the page is working with regular HTTP (non-secure).

In other words: this is calling an URL in the same domain but using HTTPS.

Before switching this calls to HTTPS I ended implementing a server-side proxy to allow cross-domain AJAX calls, but now I'm facing same origin policy since HTTP and HTTPS are considered different origins too. So this proxy is unusable.

Summary: how to do cross-domain, asnynchronous POST requests in this scenario?

Various notes:

  • I couldn't accept any answer suggesting JSONP. Asynchronous calls must be using POST verb.
  • I'm using latest version of jQuery. Answer could be based on this library, or any other solving this problem.
  • Accessing the entire page over HTTPS isn't a solution.
  • Server platform is Microsoft .NET 4.0 (ASP.NET 4.0).
  • UDPATE: CORS isn't an option. There's no wide support for this in modern browsers.

Solution 1:

First of all, I've +1 both questions from @missingo and @PiTheNumber.

After spending a lot of hours, I've arrived to the conclusion I'm going to switch the entire page to HTTPS. That's because:

  • Most moderns browsers support CORS, but Internet Explorer, starting from 8th version has a proprietary implementation (XDomainRequest object), which may be disabled in some computers (mine had cross-domain request disabled by default in Internet security zone).

    • Opera doesn't support CORS. 12th version will support it, but this isn't an option as users should adopt this new version first, and this won't be in 2 days.

    • I need to do cross-domain requests since Web client application must request a RESTful service layer located in another domain. No way.

    • Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).

Thanks anyway because both answer have helped me a lot for arriving to this conclusion.

UPDATE

@Sam has added a comment that could be interesting for anyone. It's about how to get CORS in Internet Explorer 8 and 9 (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

Solution 2:

I am using Access-Control-Allow-Origin. You just send the header and you are fine.

See also AJAX, Subdomains, and SSL

Solution 3:

You should reconsider accessing the whole page over HTTPS or at least be really sure this is not feasible.

By loading the initial page and script over HTTP the user has no security guarantee that the script is the one you originally intended to send and is not being manipulated by a third party (by, for example, keylogging his password). This means that any HTTPS request that bypasses the SOP will not provide the same security guarantees as a HTTPS request from a page originally served over HTTPS.

Solution 4:

Has anyone looked at:

https://github.com/jpillora/xdomain

It uses postMessage and iframes to achieve cors requests, and is cross browser (no need for teeth clenching XDomainRequests in IE).

Perhaps it will allow cross protocol cors requests?

Related

Using AND with the apply function in Scheme
Get single listView SelectedItem
Half - fences and full fences? [duplicate]
How is % special in crontab?
Extracting words from a string, removing punctuation and returning a list with separated words
How to find the comment tag <!--...--> with BeautifulSoup?
Python code generation with pyside-uic
How to cancel queued job in Laravel or Redis
When is explicit move needed for a return statement?
Modify object in python multiprocessing
FtpClient storeFile always return False
Pathname too long to open?