Cross domain request from HTTP to HTTPS aborts immediately

I'm trying to make Cross-Domain webservice calls from an HTTP page to an HTTPS service.

I have set up the proper CORS headers on the server (it works with HTTP-HTTP and HTTPS-HTTPS).

It does work if I change the requests to JSONp.

What I'm seeing in Chrome and Firefox is the HTTPS request is never sent, it's immediately aborted, and the server never sees the request.

It is worth noting that the preflight OPTIONS request is aborted (and it doesn't reach the server).

I can't find any source that explains that this is indeed not possible (HTTP to HTTPS) and better yet: explains why. I can understand HTTPS to HTTP is unsafe, but the othe way around should be fine right? It seems silly to me because JSONp works (but it's messy).

notes

I also have withCredentials set to true and I'm sending some custom headers and a custom Content-Type: application/json

I'm using the regular XMLHTTPRequest with fallbacks to JSONp for IE<=9

Answers:

Answer

Ok, I figured it out. The certificate I'm using for the HTTPS domain is self-signed and unverified. Adding it to the list of trusted third-party authorities fixed it for me.

You can install the certificate in Windows 7 through IE. This worked for me: http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA%5B1-25%5D post by zacharysyoung 2/11/09 Make sure you run IE(9) as administrator or the install will fail even-though it says it installed it correctly.

  1. Open Internet Explorer (IE) and navigate to the site hosting the self-signed certificate.
  2. IE should display a page warning that, 'There is a problem with this web site's security certificate.'
  3. Click the, 'Continue to this website (not recommended)' link.
  4. Once the page has loaded, look to the right of the address bar. A red/pink button, labeled 'Certificate Error,' should be visible. Click that button.
  5. A pop-up, titled 'Untrusted Certificate,' will appear. Click the 'View certificates' link at the bottom of the pop-up.
  6. Another pop-up, titled 'Certificate,' will appear. Click the 'Install Certificate...' button.
  7. The 'Certificate Import Wizard' will be started. Click the 'Next' button.
  8. ** For XP: a. Leave 'Automatically select the certificate...' option selected, and click the 'Next' button. ** For Vista: a. Choose 'Place all certificates in the following store' option, and click the 'Browse' button. b. Click the 'Show physica stores' checkbox. c. Expand the 'Third-Party Root Certification Authorities' folder, and choose 'Local Computer'. Click the 'OK' button. d. Click the 'Next' button.
  9. This should display the 'Completing the Certificate Import Wizard' dialog. Click the 'Finish' button.
  10. A 'Security Warning' pop-up will appear. The warning is informing you that the certificate's origin cannot actually be validated. You should know where the certificate is coming from. If you do, click the 'Yes' button to install the certificate.
  11. A final pop-up informing you that, 'The import was successful,' will be displayed. Click the 'OK' button.
  12. Restart/Open Chrome and navigate to the site in question. You should not be greeted by the security warning page.

Aside from that, I think I may have discovered a bug in Chrome. See: https://code.google.com/p/chromium/issues/detail?id=141839

Answer

It might be easier to setup something like easyXDM. It is rather quick to get going and will do all the backwards compatibility for you (all the way to IE6). It might not be the home-grown solution you are looking for but if you want cross-domain (where you have access to both sides) in a hurry it fits the bill.

You could always write your own iframe (postMessage) interface but why re-invent the wheel (and don't forget to set your document.domain if you are using different sub-domains).

Tags

Recent Questions

Top Questions

Home Tags Terms of Service Privacy Policy DMCA Contact Us

©2020 All rights reserved.