
HTTPS to HTTP JSONP request

I'm having issues sending JSONP requests from HTTPS site to HTTP site.

I have a (non-local) test environment over https (with a valid certificate) where I'm able to run all these cross-site/"cross-protocol" requests successfully (with warnings, but without errors).

Google Chrome JavaScript console output:

The page at https://my.test.environment/ ran insecure content from http://non.secure.site/service?jsonCallback=jsonp1331132928704

However, in production, (on Google App Engine, appspot subdomain) Google Chrome is blocking all requests waiting for user confirmation.

Google Chrome JavaScript console output (special attention to the [blocked] text):

[blocked] The page at https://production.appspot.com/ ran insecure content from http://non.secure.site/service?jsonCallback=jsonp1331132928704

I know what I'm doing is not secure, but these services are provided by a third party and there is no SSL communication available so far. I'm really confused by this because I don't get why it's working (with warnings) in the test environment and not under appspot (Google App Engine).

I tried to investigate headers with no success.

Test environment headers:

Connection:Keep-Alive
Content-Encoding:gzip
Content-Language:es
Content-Length:2524
Content-Type:text/html;charset=utf-8
Date:Wed, 07 Mar 2012 15:48:30 GMT
Keep-Alive:timeout=15, max=100
Set-Cookie: cookie_info...
Vary:Accept-Encoding

APPSpot headers:

access-control-allow-credentials:false
access-control-allow-origin:*
cache-control:no-cache, must-revalidate
content-encoding:gzip
content-length:47890
content-type:text/html; charset=utf-8
date:Wed, 07 Mar 2012 14:52:02 GMT
expires:Fri, 01 Jan 1990 00:00:00 GMT
pragma:no-cache
server:Google Frontend
set-cookie: coookie_info....
status:200 OK
vary:Accept-Encoding
version:HTTP/1.1

I have no idea why this is working on the test environment while the same approach is blocked on APPSpot by Google Chrome.

Any thoughts?

An Apache proxy will make a request to the endpoint on your behalf. You can even have non-JSONP requests to a service (JSON, XML, images, POST, PUT, DELETE, etc.) because the browser thinks it's doing the request to the same domain.

Your non.secure.site vhost file would contain something like:

ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
    Allow from all
</Proxy>
ProxyPass /appspot https://production.appspot.com/
ProxyPassReverse /appspot https://production.appspot.com/

Once you set it up, you just call the service like:

http://non.secure.site/appspot/service?jsonCallback=jsonp1331132928704

Google ProxyPass for more info:

https://serverfault.com/questions/429404/help-me-understand-how-to-use-proxypass

If you have no other option but using that unsecured 3rd-party API, you can think about MITMing that API yourself.

Create a server side script that will be accessed only through SSL and will act as a proxy or a forwarder between your tag and the API. That way you can increase security by doing your own checks and validations on the data, and because you'll serve it under SSL you won't get any "Mixed Content" errors.

BTW, I haven't tested it; there's always the chance that sites under Google's certificate served from GAE will act differently.

Hope I could help.
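An added example (not from the original answer) of the server-side forwarder described above: an HTTPS-served endpoint that fetches the third-party HTTP API itself, validates the `jsonCallback` name and the upstream JSON, and returns the JSONP wrapper, so the browser never loads plain-HTTP script. `UPSTREAM` and the injected `fetch` function are assumptions standing in for the real third-party service.

```python
import json
import re
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs

# Only plain JS identifiers (optionally dotted) are accepted as callback names,
# so a crafted jsonCallback value cannot inject script into the response.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Hypothetical upstream plain-HTTP endpoint (assumed; stands in for the real API).
UPSTREAM = "http://non.secure.site/service"


def jsonp_proxy(callback: str, fetch: Callable[[str], bytes]) -> Tuple[int, Dict[str, str], bytes]:
    """Build the (status, headers, body) for the HTTPS-facing JSONP endpoint.

    `fetch` performs the plain-HTTP request to the upstream API server-side and
    returns its body; the browser only ever talks to this HTTPS origin."""
    if not CALLBACK_RE.match(callback):
        return 400, {"Content-Type": "text/plain"}, b"invalid callback"
    # Ask upstream for raw JSON and do the JSONP wrapping here, after validation.
    try:
        data = json.loads(fetch(UPSTREAM).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 502, {"Content-Type": "text/plain"}, b"upstream returned non-JSON"
    # ensure_ascii escapes U+2028/U+2029 and non-ASCII, keeping the JS literal valid;
    # the leading /**/ is the usual guard against content-sniffing tricks.
    payload = json.dumps(data, ensure_ascii=True)
    body = f"/**/{callback}({payload});".encode("utf-8")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    return 200, headers, body


def handle_query(query_string: str, fetch: Callable[[str], bytes]) -> Tuple[int, Dict[str, str], bytes]:
    """Extract jsonCallback from a query string like the one in the question."""
    params = parse_qs(query_string, keep_blank_values=True)
    callback = params.get("jsonCallback", [""])[0]
    return jsonp_proxy(callback, fetch)


if __name__ == "__main__":
    # Constructed stand-in for the upstream response; no network access needed.
    status, _, body = handle_query("jsonCallback=jsonp1331132928704", lambda url: b'{"ok": true}')
    print(status, body.decode())
```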

I got the same issue doing the same stuff between http and https. It is a cross-domain issue.

The most important thing you need is that the server-side page you are using for doing curl has to set some headers allowing the http to https connection. These are below:

header("Access-Control-Allow-Origin: your https url");
header("Access-Control-Allow-Methods: POST, GET");
header("Access-Control-Max-Age: 1728000");

header("Access-Control-Allow-Headers: Content-Type, Connection, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control");
header("Connection: close");
