
How can I make an HTTP request from an HTTPS website?

I have a website which is on HTTPS, and I want to make a GET request to an HTTP port. At the moment when I try I get these errors:

cannot load ${url} due to access control checks.

this page was not allowed to display insecure content from ${http-url}

I have thought about putting the request in an AWS Lambda function and calling the Lambda function because that will give me an HTTPS URL? Is this possible?

Even so, I want to know what the easiest way of doing it is, as I don't know much about AWS so I would have to learn it.

const url = 'http://website/fmi/xml/fmresultset.xml?-dbnames';

// Plain-HTTP GET issued from the HTTPS page; this is the request the browser rejects.
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function () {
  console.log(xhttp.status);
  if (xhttp.readyState === 4) {        // DONE: the request has finished (or failed)
    if (xhttp.status === 200) {
      console.log('====');
      console.log(xhttp.responseText);
    }
  }
};
xhttp.open("GET", url, true);
xhttp.send();

Well, you can't. The browser will block any resources (scripts, link, iframe, XMLHttpRequest, fetch) from downloading if the original HTML page is in HTTPS and the requested resources are in HTTP.

The browser throws a Mixed Content error.

Snippet from Mozilla MDN

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.

In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Useful documentation links

MDN - https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

Google developers - https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

Don't use Ajax calls as they are restricted by the browser. You can safely use a server call with a server-side language like PHP, Node.js, ASP.NET, etc.
