stackoom
  简体   繁体   中英

How can I make an HTTP request from an HTTPS website?

 原文  2018-11-08 15:48:23       javascript/ http/ https/ aws-lambda

Question

I have a website which is on HTTPS, and I want to make a GET request to an HTTP port. At the moment when I try I get these errors:

cannot load ${url} due to access control checks.

this page was not allowed to display insecure content from ${http-url}

I have thought about putting the request in an AWS lambda function and calling the labmda function because that will give me an HTTPS URL? Is this possible.

Even so, I want to know what the easiest way of doing it is, as I don't know much about AWS so I would have to learn it.

const url = 'http://website/fmi/xml/fmresultset.xml?-dbnames';

var xhttp = new XMLHttpRequest(); 
xhttp.onreadystatechange = function (params) { 
  console.log(xhttp.status); 
  if (xhttp.readyState ==4) { 
    if (xhttp.status == 200) { 
      console.log('===='); 
      console.log(xhttp.responseText); 
    } 
  } 
} 
xhttp.open("GET", url, true); 
xhttp.send();

2 answers

solution1
 4  2018-11-09 15:42:08

Well you can't browser will block any resources ( scripts , link , iframe , XMLHttpRequest, fetch ) to download if original html page is in https and request resources are in http.

Browser throws an Mixed Content error.

Snippet from Mozilla MDN

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.

In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Useful documentation links

MDN - https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content

Google developers - https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

solution2
 1  2020-03-12 19:36:38

Don't use Ajax calls as they are restricted by browser. You can safely use Server call with Server side Language like php node.js ,Asp.net etc

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How can I make redirects from my secure website sent with HTTP instead of HTTPS how can make http request in https Fetch request to http address from a https website How can i make a POST request in my local network when the origin is http and the target url is https? Is it possible to make a JSONP request from HTTPS to HTTP? How to make a jQuery http -> https AJAX request How can I make an Ajax call to an HTTP time server site from HTTPS? How can I make a https request to Stripe API with Axios? how to send a post request through http in website that uses https? Migration of website from http to https
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM