I need to make an asynchronous call to a secure (HTTPS) URL for the same domain.
Currently the page is working with regular HTTP (non-secure).
In other words: this is calling an URL in the same domain but using HTTPS.
Before switching this calls to HTTPS I ended implementing a server-side proxy to allow cross-domain AJAX calls, but now I'm facing same origin policy since HTTP and HTTPS are considered different origins too. So this proxy is unusable.
Summary: how to do cross-domain, asnynchronous POST requests in this scenario?
Various notes:
- I couldn't accept any answer suggesting JSONP. Asynchronous calls must be using POST verb.
- I'm using latest version of jQuery. Answer could be based on this library, or any other solving this problem.
- Accessing the entire page over HTTPS isn't a solution.
- Server platform is Microsoft .NET 4.0 (ASP.NET 4.0).
UDPATE: CORS isn't an option. There's no wide support for this in modern browsers.
First of all, I've +1 both questions from @missingo and @PiTheNumber.
After spending a lot of hours, I've arrived to the conclusion I'm going to switch the entire page to HTTPS. That's because:
Most moderns browsers support CORS, but Internet Explorer, starting from 8th version has a proprietary implementation (XDomainRequest object), which may be disabled in some computers (mine had cross-domain request disabled by default in Internet security zone).
Opera doesn't support CORS. 12th version will support it, but this isn't an option as users should adopt this new version first, and this won't be in 2 days.
I need to do cross-domain requests since Web client application must request a RESTful service layer located in another domain. No way.
Switching everything to HTTPS makes the service layer proxy approach work again (this is the expected behavior).
Thanks anyway because both answer have helped me a lot for arriving to this conclusion.
UPDATE
@Sam has added a comment that could be interesting for anyone. It's about how to get CORS in Internet Explorer 8 and 9 (see #7): http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx
I am using Access-Control-Allow-Origin. You just send the header and you are fine.
See also AJAX, Subdomains, and SSL
You should reconsider accessing the whole page over HTTPS or at least be really sure this is not feasible.
By loading the initial page and script over HTTP the user has no security guarantee that the script is the one you originally intended to send and is not being manipulated by a third party (by, for example, keylogging his password). This means that any HTTPS request that bypasses the SOP will not provide the same security guarantees as a HTTPS request from a page originally served over HTTPS.
Has anyone looked at:
https://github.com/jpillora/xdomain
It uses postMessage and iframes to achieve cors requests, and is cross browser (no need for teeth clenching XDomainRequests in IE).
Perhaps it will allow cross protocol cors requests?