
javascript - Https to http request - Stack Overflow


I am confused about these protocols. Which requests are available in case of using these protocols:

  • HTTP to HTTP
  • HTTPS to HTTP
  • HTTP to HTTPS
  • HTTPS to HTTPS

I have a domain in HTTPS and a sub-domain in HTTP. Can I request from HTTPS to HTTP (POST and GET) to retrieve data?

For example:

// Fetch the states for the selected country and append one <option> per state.
$.getJSON('http://api.domainName./api/Visitor/GetStates/' + countryId, function(data) {
  $.each(data, function(key, value) {
    $("#StateId").html($("#StateId").html() +
      "<option value='" +
      value.StateId +
      "'>" +
      value.StateName +
      "</option>"
    );
  });
});

This request is sent from: https://domainName./

What's more, I solved the CORS problem in the sub-domain.

asked Dec 14, 2016 at 8:03 by Afsaneh Daneshi
  • HTTP requests from a secure site are not allowed. The rest are okay. – William Commented Dec 14, 2016 at 8:07
  • @William is my code allowed? – Afsaneh Daneshi Commented Dec 14, 2016 at 8:08
  • Unfortunately not if the site making the request is over https. – William Commented Dec 14, 2016 at 8:09
  • @William is it available to send a request from a Windows application to an HTTPS site? – Afsaneh Daneshi Commented Dec 14, 2016 at 8:42
  • It's the browser that denies the requests from https to http, since that would introduce unencrypted requests to an otherwise secure site. If you do the request outside the browser you are fine. – William Commented Dec 14, 2016 at 8:47

3 Answers

Well, you can't. The browser will block any resources (scripts, link, iframe, XMLHttpRequest, fetch) from downloading if the original HTML page is in HTTPS and the requested resources are in HTTP.

The browser throws a Mixed Content error.

Snippet from Mozilla MDN

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.

In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

Useful documentation links

MDN - https://developer.mozilla/en-US/docs/Web/Security/Mixed_content

Google developers - https://developers.google./web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

You will need to switch the Ajax requests to https, too.

http://api.domainName./api/Visitor/GetStates/ Interface Add header "Access-Control-Allow-Origin: *"
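
The rule described in the answers, as an added example that is not part of the original thread: a small Node.js model of the two independent browser checks for a script-initiated request (mixed content and CORS), applied to the question's four scheme combinations. The hosts `example.test` and `api.example.test` are constructed placeholders, and `classifyRequest`, `upgradeToHttps` and `matrix` are hypothetical helper names.

```javascript
// Added example: models the browser's decision for a script-initiated
// request such as $.getJSON. It is not browser source code.
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative URLs resolve against the page, so they
  // inherit its scheme and can never become mixed content.
  const target = new URL(requestUrl, page);
  const scheme = (u) => u.protocol.replace(':', '').toUpperCase();
  return {
    direction: `${scheme(page)} to ${scheme(target)}`,
    // Mixed content: a secure page asking for an insecure resource. The
    // browser refuses before anything is sent, so response headers such as
    // Access-Control-Allow-Origin are never consulted.
    mixedContentBlocked:
      page.protocol === 'https:' && target.protocol === 'http:',
    // CORS is a separate check: needed when scheme, host or port differ.
    needsCors: page.origin !== target.origin,
  };
}

// The remedy from the answers: request the API over HTTPS instead.
function upgradeToHttps(requestUrl, pageUrl) {
  const target = new URL(requestUrl, pageUrl);
  if (target.protocol === 'http:') target.protocol = 'https:';
  return target.href;
}

// Constructed sample URLs (placeholders, not the asker's real hosts).
const PAGE_HTTP = 'http://example.test/';
const PAGE_HTTPS = 'https://example.test/';
const API_HTTP = 'http://api.example.test/api/Visitor/GetStates/5';
const API_HTTPS = 'https://api.example.test/api/Visitor/GetStates/5';

// The four combinations listed in the question, in the same order.
function matrix() {
  return [
    classifyRequest(PAGE_HTTP, API_HTTP),
    classifyRequest(PAGE_HTTPS, API_HTTP),
    classifyRequest(PAGE_HTTP, API_HTTPS),
    classifyRequest(PAGE_HTTPS, API_HTTPS),
  ];
}

for (const row of matrix()) {
  const verdict = row.mixedContentBlocked ? 'blocked (mixed content)' : 'allowed';
  console.log(`${row.direction}: ${verdict}${row.needsCors ? ', CORS required' : ''}`);
}
```

Only the HTTPS to HTTP row is blocked. After the API is moved to HTTPS, the request to the sub-domain is still cross-origin, so the CORS configuration on the sub-domain remains necessary.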
