Author Topic: Can I send a request to an http page from an https page?  (Read 748 times)

0 Members and 1 Guest are viewing this topic.

Offline Serosin

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Can I send a request to an http page from an https page?
« on: January 14, 2016, 03:04:13 am »
I'm trying to write a script that will take information (cookies, etc.) and send it off to a domain I own as a post request using Ajax. The script is supposed to execute once the page loads. The thing is, this won't work if the page the script is on is served over https, because the domain I own doesn't use SSL, and Same Origin Policy stops that. It costs extra money and I'd rather make that purchase for a more legitimate reason if I need to.

So I was thinking of adding a line to the script that changes the location.protocol BOM from https: to http:, but when the command executes, the browser will try to request the page it's on over http, effectively reloading the page and never letting the script fully execute, looping, fucking things up, and so on.

Is there a way to change location.protocol without the browser sending a new request? I just want to make the browser think that the current https page was actually served over http so that a response from my domain doesn't also need to be served over https.

Or is there a better way to do this?
« Last Edit: January 14, 2016, 03:07:59 am by Serosin »

Offline iikibT

  • Serf
  • *
  • Posts: 41
  • Cookies: 7
    • View Profile
Re: Can I send a request to an http page from an https page?
« Reply #1 on: January 14, 2016, 11:20:32 am »
I'm not going to answer your main question, but want to point a couple of things out:

It costs extra money and I'd rather make that purchase for a more legitimate reason if I need to.
I assume you are talking about SSL certificate costs? You can get cert for free, either by signing it yourself or getting it signed for free by Let's Encrypt.

...because the domain I own doesn't use SSL, and Same Origin Policy stops that
Using a script on domain A to send ajax request to domain B is against same-origin policy and will be stopped by any browser that enforces same-origin policy. This is not a problem of not having SSL.

EDIT: For ways to circumvent same-origin policy, see JSONP. There are also multiple methods listed at this stackoverflow post.
« Last Edit: January 14, 2016, 11:29:26 am by iikibT »
Hacking for no fun and no profit

Offline Serosin

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Re: Can I send a request to an http page from an https page?
« Reply #2 on: January 14, 2016, 01:55:17 pm »
Quote
You can get cert for free, either by signing it yourself or getting it signed for free by Let's Encrypt.

Actually, the hosting service I use makes you purchase a dedicated IP address if you're going to use any certificate at all. That's the extra cost. I'm well aware of free and self-signed certificates.

Quote
Using a script on domain A to send ajax request to domain B is against same-origin policy and will be stopped by any browser that enforces same-origin policy.

I can already get cross-origin requests without using JSONP. Putting the
Code: [Select]
Header set Access-Control-Allow-Origin command in the .htaccess of domain B allows cross origin requests to be made, as long as they are over the same protocol. If they aren't, it still doesn't work, and a browser console will specifically say different protocols is the reason why. I'll look over the Stackoverflow link you sent, but I've skimmed it and haven't found exactly what I need, yet. Still, it's a long post and maybe something's there, but I have to go to work ;)

Offline iikibT

  • Serf
  • *
  • Posts: 41
  • Cookies: 7
    • View Profile
Re: Can I send a request to an http page from an https page?
« Reply #3 on: January 14, 2016, 04:13:50 pm »
Actually, the hosting service I use makes you purchase a dedicated IP address if you're going to use any certificate at all.
Uff, that sucks, I have never seen this shitty practice anywhere I ever hosted. I'd say get a better host =D.

I can already get cross-origin requests without using JSONP. Putting the
Code: [Select]
Header set Access-Control-Allow-Origin command in the .htaccess of domain B allows cross origin requests to be made, as long as they are over the same protocol.
The problem is not different protocol, but specifically HTTPS => HTTP. With
Code: [Select]
Header set Access-Control-Allow-Origin on domain B, you can send ajax request from domain A if both websites use HTTP, both use HTTPS, or A uses HTTP and B uses HTTPS. If A uses HTTPS and B uses HTTP this will not work. Basic idea is that you can load resources using more secure protocol, but not the other way around (that would kinda defeat the purpose of using HTTPS in the first place). Chrome for instance gives this error:
Code: [Select]
Mixed Content: The page at 'https://a.com' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://b.com/'. This request has been blocked; the content must be served over HTTPS.I am not aware of any ways to circumvent that, though they might exist. The simplest way is to switch to HTTPS on domain B.

EDIT: If you really can't get HTTPS on domain B, another option would be to get another domain (say C) where you can use HTTPS and use it as a proxy:
Code: [Select]
https://a.com === AJAX request ==> https://c.com  === (send data using your favorite server side language) ==> http://b.com
« Last Edit: January 14, 2016, 04:22:53 pm by iikibT »
Hacking for no fun and no profit