stackoom
  简体   繁体   中英

Https to http request

 原文  2016-12-14 08:03:02       javascript/ ajax/ https/ cross-domain

Question

I am confused about these protocols. which requests are available in case of using these protocols:

  • HTTP to HTTP
  • HTTPS to HTTP
  • HTTP to HTTPS
  • HTTPS to HTTPS

I have a domain in HTTPS and a sub-domain in HTTP. Can I request from HTTPS to HTTP (POST and GET ) to retrieve data?

for example:

$.getJSON('http://api.domainName.com/api/Visitor/GetStates/' + countryId, function(data) {
  $.each(data, function(key, value) {
    $("#StateId").html($("#StateId").html() +
      "<option value='" +
      value.StateId +
      "'>" +
      value.StateName +
      "</option>"
    );
  });
}

this request is sent from: https://domainName.com/

Whats more I solved CORS problem in sub-domain.

3 answers

solution1
 1  2016-12-14 08:08:13

您还需要将 Ajax 请求切换到 https。

solution2
 1  2020-11-08 19:11:32

Well you can't browser will block any resources ( scripts , link , iframe , XMLHttpRequest, fetch ) to download if original html page is in https and request resources are in http.

Browser throws an Mixed Content error.

Snippet from Mozilla MDN

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.

In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Useful documentation links

MDN - https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

Google developers - https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

solution3
 0  2016-12-14 08:10:15

http://api.domainName.com/api/Visitor/GetStates/接口添加标题“Access-Control-Allow-Origin:*”

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question HTTPS to HTTP JSONP request AngularJS $http request issue in HTTP and HTTPS http request has been block from https How to make a jQuery http -> https AJAX request Fetch request to http address from a https website HTTP Ajax Request via HTTPS Page HTTPS endpoint request returns as Mixed Content HTTP AJAX Request From HTTPS Page to HTTP Url http (not https) post request in vanilla js HTTP Get Request returning error of HTTPS
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM