On our site, some pages are SSL and some are non-SSL.
For Example:
http://www.example.com/search/patients
https://www.example.com/patients
Now I am searching for patients on the http://www.example.com/search/patients page and sending a server request to https://www.example.com/patients via the jQuery $.ajax function with dataType=json. I am unable to get the data.
Questions:
Should I use JSONP when requesting from HTTP to HTTPS or from HTTPS to HTTP on the same server?
If I use SSL for both URLs, will it then work with dataType=json only?
Thanks
Due to the Same Origin Policy, your Ajax request is allowed only if:
the domain name, application layer protocol, and (in most browsers) port number of the HTML document running the script are the same.
In your case the application layer protocol is different; that's why your script fails.
Possible solutions are:
JSONP, which has to be provided by the server
CORS, which is a more 'elegant' and clean solution, but is not yet fully supported by IE (IE7 doesn't support it, IE8 has some limitations)
If you use SSL for both URLs it should work. Also, as @Waqas Raja suggested, it would be better to use relative URLs.
e.g. $.ajax({url: '/search/patients'})
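As an added example that is not part of the answer above: a small check that compares two URLs the way the Same Origin Policy does (scheme, host and port), using the question's own URLs. It is mine, not the original poster's or answerer's code; the function names are my own, and it relies only on the WHATWG URL API that browsers and Node.js provide.

```javascript
// Added example (not part of any answer above): compare two URLs the way the
// Same Origin Policy does. An origin is scheme + host + port, so the http://
// search page and the https:// patients endpoint from the question are
// different origins even though they share a hostname.
// Uses the WHATWG URL API, available in browsers and in Node.js.

// Resolve `target` against the page URL the way XHR does, so a relative URL
// such as '/patients' inherits the page's scheme, host and port.
function resolveAgainstPage(target, pageUrl) {
  return new URL(target, pageUrl);
}

// True when the request goes to the same origin as the page it runs on.
function isSameOrigin(pageUrl, target) {
  return resolveAgainstPage(target, pageUrl).origin === new URL(pageUrl).origin;
}

// Which of the three origin components differ? URL.port is '' for a scheme's
// default port, so http://host and https://host differ in scheme AND in
// effective port (80 vs 443), which is exactly how the spec compares them.
function originMismatch(pageUrl, target) {
  const page = new URL(pageUrl);
  const req = resolveAgainstPage(target, pageUrl);
  const effectivePort = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');
  const reasons = [];
  if (page.protocol !== req.protocol) reasons.push('scheme');
  if (page.hostname !== req.hostname) reasons.push('host');
  if (effectivePort(page) !== effectivePort(req)) reasons.push('port');
  return reasons;
}

// The question's URLs:
const page = 'http://www.example.com/search/patients';
console.log(isSameOrigin(page, 'https://www.example.com/patients'));   // false
console.log(originMismatch(page, 'https://www.example.com/patients')); // [ 'scheme', 'port' ]
// The relative URL suggested in the answer resolves to the page's own origin.
console.log(isSameOrigin(page, '/patients'));                          // true
// An explicit default port is normalised away and is still the same origin.
console.log(isSameOrigin(page, 'http://www.example.com:80/patients')); // true
```

The last two calls show why the relative-URL advice works: the browser resolves '/patients' against the page that is running the script, so the request can only ever go to that page's own scheme, host and port.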
You need to use either CORS, a proxy or JSONP to get content from a different origin. Changing the scheme (from http to https or the other way around) changes the origin.
Pulling data from a secure server into an insecure page eliminates many of the benefits of using SSL.
If you fetch both the page and the data source over SSL then you can use plain JSON and don't introduce those security problems.
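The answers above name CORS as the clean way to let one origin read another's responses. As an added example that is not part of any answer, here is the decision a server has to make when it receives a cross-origin request: grant the exact requesting origin if it is on a fixed allowlist, or send no CORS headers at all. The misconfigured variant that reflects any Origin is shown beside it. Function names, the allowlist and the origins are constructed for the example.

```javascript
// Added example (not part of any answer above): the server side of CORS.
// The browser sends the page's origin in an Origin header; the server replies
// with Access-Control-Allow-Origin to let that origin read the response.
// The allowlist and origins below are constructed for the example.

// Normalise an Origin header value to a canonical origin string, or null if it
// is not a URL (e.g. the literal 'null' origin sent from sandboxed frames).
function canonicalOrigin(value) {
  try {
    return new URL(value).origin;
  } catch (e) {
    return null;
  }
}

// Misconfiguration: echo whatever Origin arrived and allow credentials.
// Any site on the web can now read this API with the visitor's cookies.
function reflectAnyOrigin(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened form: exact match against a fixed allowlist. Because the scheme is
// part of the origin, 'http://www.example.com' does not match an allowlist
// entry of 'https://www.example.com'; list the scheme the page is served over.
function corsHeadersFor(requestOrigin, allowlist, { credentials = false } = {}) {
  const origin = canonicalOrigin(requestOrigin);
  const allowed = new Set(allowlist.map((entry) => canonicalOrigin(entry)));
  if (!origin || !allowed.has(origin)) {
    return {}; // no CORS headers: the browser withholds the response from the page
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    Vary: 'Origin', // the response depends on Origin, so shared caches must key on it
  };
  if (credentials) {
    // Browsers reject '*' together with credentials; a specific origin is
    // required, which the exact match above provides.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Usage with constructed values:
const allowlist = ['https://www.example.com'];
console.log(corsHeadersFor('https://www.example.com', allowlist, { credentials: true }));
// { 'Access-Control-Allow-Origin': 'https://www.example.com', Vary: 'Origin', 'Access-Control-Allow-Credentials': 'true' }
console.log(corsHeadersFor('http://www.example.com', allowlist));   // {}  (scheme differs, so a different origin)
console.log(corsHeadersFor('https://attacker.example', allowlist)); // {}
```

The second call is the point of this thread: an allowlist entry for the https:// site does not cover the http:// version of the same host, so the allowlist must name the scheme the page is actually served from.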
Related
I am using Django as the backend API and Ajax for making API calls. My main site runs on HTTPS but the API on HTTP. I am unable to make API calls from the SSL cert loaded onto Nginx.
Is it possible to make Ajax calls from HTTPS to HTTP?
Any leads will be appreciated.
Thanks in advance!
The only difference between HTTP and HTTPS is the SSL security part. If your server is able to handle HTTPS requests, they will be sent through to the API just like any other HTTP request; it's only the actual data communication from the client socket to the server socket that is affected. Once the data is received, it's back in plain text (or its original format) again.
Your browser will stop this and/or give an insecure warning and a padlock symbol for your HTTPS connection.
HTTPS indicates the site is secure, which gives certain guarantees to the visitor: namely that the site is for the given domain (authentication), that it has not been intercepted and changed (integrity), and that no one else is able to listen in to your messages to and from the server (confidentiality).
When you add an insecure resource like an API call, those guarantees are no longer there, and so the browser will give an "insecure" warning, typically with a yellow warning padlock (instead of green) and/or a pop-up.
Browsers used to differentiate between inactive content (e.g. images), which was seen as less of a risk and so allowed, and active content (e.g. JavaScript), which was potentially dangerous and so not allowed; however, I don't think they do any more. Even if they did, Ajax XHR calls are definitely in the latter category.
The best option is to proxy the request through your main site domain with Nginx (e.g. forward requests to https://example.com/api from Nginx to your API using the Nginx config).
I know I can use POST to hide the parameters in the URL, but the data can still be seen in the Network tab when I inspect the element. Is there a way to completely hide what data is sent?
So that no one can intercept the data.
Let's use the HTTPS protocol: attackers can capture the data, but they cannot read it.
You should use encryption. This involves enabling SSL over the HTTP connection. You will need to configure your server for this if it's not configured for it already.
Using HTTPS (SSL over HTTP, also known as Secure HTTP) allows your data to be sent and received over a secure connection.
If you're using the Developer Tools of WebKit (Google Chrome, etc.) then you'll always be able to see the data because you're the one making the request. It doesn't hide the data from you.
Some of my web services are in HTTPS but my home page is in HTTP. How can I make Ajax calls to get that secure data? Now I am trying using cURL in the PHP page. Is there any other option to get it using jQuery 1.5?
The simplest and most obvious answer is to make your page HTTPS as well. But that's usually not feasible, so you need to use JSONP to circumvent the Same Origin Policy. You can learn more about JSONP here.
You could wrap it with an HTTP proxy call to your local domain and then make the cURL request to the HTTPS URL from the server.
Some code provided might help. But it should simply be a case of providing the full https://www.yoursite.com URL to your Ajax scripts.
I want to get data from other sites using JavaScript executed from my website.
The PHPJS website has some nice conversions of PHP functions into Javascript.
In general, unless they expose the data with JSON-P, you can't thanks to the security considerations imposed by the same origin policy.
Recent browsers support a permissions system where a remote site can allow JavaScript running on a remote site to make a request. Flash provides a similar system, so can act as an intermediary. Both of these require the cooperation of the remote site.
The usual work around is to use a proxy service, either running on your own system (so JS makes the request to the same server, which fetches the data from the remote site) or a third-party service like YQL.
JavaScript is limited by the same-domain security policy. The only way to get data from other sites is to use JSONP or build a proxy on your own host that lets you curl content from other sites.
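Several answers above point at JSONP without showing what the serving side has to do, or the check it must make. As an added example that is not part of any answer: the server wraps the JSON in a call to the callback name the client passed, and because that name is reflected into a script the page will execute, it must be validated as a plain identifier before it is used. The function names and the sample data are mine; the jQuery usage in the comments is the documented dataType: 'jsonp' mode.

```javascript
// Added example (not part of any answer above): a JSONP endpoint's response
// and the callback-name check it must make.
// The client cannot read a cross-origin XHR response, but it CAN load a
// cross-origin <script>. JSONP uses that: the server returns JavaScript that
// calls a function the page defined, passing the data as the argument.
// jQuery does this with $.ajax({ url, dataType: 'jsonp' }) and appends
// ?callback=jQuery17_123... to the request itself.

// Only a plain identifier (optionally dotted, e.g. 'app.onData') is a valid
// callback. Anything else is an injection attempt: the callback parameter is
// reflected verbatim into a script the requesting page executes.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isValidCallbackName(name) {
  return typeof name === 'string' && name.length <= 64 && CALLBACK_RE.test(name);
}

// Build the JSONP response body. `data` is serialised with JSON.stringify and
// wrapped in a call to the validated callback. U+2028/U+2029 are escaped
// because they are legal inside a JSON string but terminate a line in
// JavaScript source, which would break the generated script.
function jsonpResponse(callbackName, data) {
  if (!isValidCallbackName(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The leading comment is the mitigation widely deployed after the
  // "Rosetta Flash" attack, which made reflected JSONP output parse as a
  // different file type by controlling its first bytes.
  return `/**/ ${callbackName}(${json});`;
}

// Headers a JSONP endpoint should send: the body is JavaScript, not JSON, and
// the browser must not be allowed to sniff it into something else.
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}

// Usage with constructed data (the callback name is the shape jQuery generates):
console.log(jsonpResponse('jQuery17_123', { patients: [{ id: 7, name: 'Doe' }] }));
// /**/ jQuery17_123({"patients":[{"id":7,"name":"Doe"}]});
try {
  jsonpResponse('alert(document.cookie)//', {});
} catch (e) {
  console.log(e.message); // invalid JSONP callback name
}
```

Two caveats follow from the mechanism itself. The script request carries the user's cookies for the serving domain, so a JSONP endpoint should only expose data that is safe for any site to read. And the requesting page is executing whatever the other server returns, so it has to trust that server completely; that is the trade-off CORS was designed to remove.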
Use jQuery:
$.post('http://some.website.com/file.js', function (result) {
    alert(result);
});
You may not fetch anything but JavaScript or JSON.
Or try this answer: How do I send a cross-domain POST request via JavaScript?
It has to be done server-side: send an Ajax request, run the PHP you want, and check the responseText property to see the results.
That really depends on what you mean by "data". Try using Ajax if it's just for simple requests.
I need to fetch a URL with JavaScript/jQuery and not PHP.
I've read that you could do that if you have a PHP proxy, but that means that it is still going through PHP, because then it's still the IP of the server that is fetching it.
Could one fetch the URL entirely with only the front end, and thus fetch it with the client's IP?
There exists a Same Origin Policy for AJAX requests. This prevents JavaScript on, say, this site from making a request to gmail.com (with your cookies), reading your e-mails, and uploading them to the StackOverflow server. JavaScript on stackoverflow.com can only make AJAX requests to pages on that domain.
As you can see, this is essential for security. Requests must instead be made by a proxy running on your web server; PHP can be used, but there are other solutions. For example, Ajax Cross Domain is an AJAX library that communicates with a Perl script running on the server to emulate AJAX requests for other domains.
It is also possible to make requests to other domains via a JavaScript include (script tag), image tag, etc., but in these cases you cannot read the contents of the page.
You cannot do this with an iframe either: scripts cannot see the internals of iframes unless they are on the same domain as the script.
So in short, use a proxy.
The problem is that jQuery would fetch a URL with AJAX, and AJAX won't operate cross-domain because of the potential security risk (as per the same-origin policy).
There are, however, ways to emulate this: if you load the page in an iframe, you can retrieve the data by using innerHTML on the iframe. Here's an example script that uses jQuery: http://code.google.com/p/jquery-crossframe/