How To Reach Local Insecure (HTTP) Server From A Secure (HTTPS) Page - javascript

I have a site running on https, which is trying to reach a windows service that is running as an http server, using an http localhost address, via AJAX. However, this is returning an "Access is denied" error. It works fine when calling from http, but that is not an option beyond testing. We are also limited to using Internet Explorer (9+) only.
I have set the "Allow mixed content" security setting to "Enable" for the respective zone, but it is still getting blocked.
The AJAX call looks like this:
$.ajax({
url: 'http://localhost:5923/somefunction',
data: {
sid: sid,
aid: aid
},
success: function (ret) {
//...
},
error: function (error, status, errThrown) {
alert(errThrown);
}
});
I know modifying the windows service to function over https is the best solution long term, but does anyone have any suggestions for IE settings that would allow mixed active content, or any other interim fixes?
Thanks in advance.

You need to enable cross-origin access so go to Tools->Internet Options->Security tab, click on “Custom Level” button for the zone of your choice. Go to Miscellaneous -> Access data sources across domains setting and select “Enable” option.

Is this code blocked by SOP (Same Origin Policy)?
If so, set "crossDomain" setting to "true".
http://api.jquery.com/jquery.ajax/

Related

No 'Access-Control-Allow-Origin' header is present on the requested resource in simple html form

why this error is showing in my simple html form, I want to get xml data in my simple form to show news on my webpage, but this error is showing continuously, please help
$.ajax({
type: "GET",
url: "https://news.google.com/rss/search?q=Nigeria&hl=en-PK&gl=PK&ceid=PK:en",
dataType: "xml",
success: function(xml) {
console.log(xml)
}
});
It is up to the server that has the resource to allow cross origin access.
Probably there is API for what you are trying to do. API gets implemented by the resource owner and provides controlled access.
Or you can use RSS if there is one.
What you could potentially do is run your requests through a CORS proxy. For example:
$.ajax({
type: "GET",
url: "https://cors-anywhere.herokuapp.com/https://news.google.com/rss/search?q=Nigeria&hl=en-PK&gl=PK&ceid=PK:en",
dataType: "xml",
success: function(xml) {
console.log(xml)
}
});
You can see that this works by simply pasting this code snippet into the console.
This essentially bypasses the CORS issues for you. I would only recommend using this hosted version if you don't have a lot of traffic, otherwise you should host your own version of the CORS proxy.
This is because of CORS(Cross Origin Resource Sharing) policy implemented by browsers. Which means browsers doesn't allow certain requests to be sent from a domain to another domain. However this is not applicable to all type of requests.
Check this link to understand what all requests come under this policy
Inorder to make this work , the other server, in your case https://news.google.com, have to setup in such a way that it allows cross domain requests. This is achieved by servers telling the browser that it is ready to accept cross domain requests from your domain, by adding certain cors related headers. One such is Access-Control-Allow-Origin. But I am afraid you can't do it since you aren't the one managing this server.
Work-Around
Use your backend to send the request to google. So that your xhr request calls your server and your server calls google. No browser No Cors.
xhr---> yourdomain.com/news/get---> someotherdomain.com/news/get

AJAX request gets "No 'Access-Control-Allow-Origin' header is present on the requested resource" error

I attempt to send a GET request in a jQuery AJAX request.
$.ajax({
type: 'GET',
url: /* <the link as string> */,
dataType: 'text/html',
success: function() { alert("Success"); },
error: function() { alert("Error"); },
});
However, whatever I've tried, I got XMLHttpRequest cannot load <page>. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:7776' is therefore not allowed access.
I tried everything, from adding header : {} definitions to the AJAX request to setting dataType to JSONP, or even text/plain, using simple AJAX instead of jQuery, even downloading a plugin that enables CORS - but nothing could help.
And the same happens if I attempt to reach any other sites.
Any ideas for a proper and simple solution? Is there any at all?
This is by design. You can't make an arbitrary HTTP request to another server using XMLHttpRequest unless that server allows it by putting out an Access-Control-Allow-Origin header for the requesting host.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
You could retrieve it in a script tag (there isn't the same restriction on scripts and images and stylesheets), but unless the content returned is a script, it won't do you much good.
Here's a tutorial on CORS:
http://www.bennadel.com/blog/2327-cross-origin-resource-sharing-cors-ajax-requests-between-jquery-and-node-js.htm
This is all done to protect the end user. Assuming that an image is actually an image, a stylesheet is just a stylesheet and a script is just a script, requesting those resources from another server can't really do any harm.
But in general, cross-origin requests can do really bad things. Say that you, Zoltan, are using coolsharks.com. Say also that you are logged into mybank.com and there is a cookie for mybank.com in your browser. Now, suppose that coolsharks.com sends an AJAX request to mybank.com, asking to transfer all your money into another account. Because you have a mybank.com cookie stored, they successfully complete the request. And all of this happens without your knowledge, because no page reload occurred. This is the danger of allowing general cross-site AJAX requests.
If you want to perform cross-site requests, you have two options:
Get the server you are making the request to to either
a. Admit you by putting out a Access-Control-Allow-Origin header that includes you (or *)
b. Provide you with a JSONP API.
or
Write your own browser that doesn't follow the standards and has no restrictions.
In (1), you must have the cooperation of the server you are making requests to, and in (2), you must have control over the end user's browser. If you can't fulfill (1) or (2), you're pretty much out of luck.
However, there is a third option (pointed out by charlietfl). You can make the request from a server that you do control and then pass the result back to your page. E.g.
<script>
$.ajax({
type: 'GET',
url: '/proxyAjax.php?url=http%3A%2F%2Fstackoverflow.com%2F10m',
dataType: 'text/html',
success: function() { alert("Success"); },
error: function() { alert("Error"); }
});
</script>
And then on your server, at its most simple:
<?php
// proxyAjax.php
// ... validation of params
// and checking of url against whitelist would happen here ...
// assume that $url now contains "http://stackoverflow.com/10m"
echo file_get_contents($url);
Of course, this method may run into other issues:
Does the site you are a proxy for require the correct referrer or a certain IP address?
Do cookies need to be passed through to the target server?
Does your whitelist sufficiently protect you from making arbitrary requests?
Which headers (e.g. modify time, etc) will you be passing back to the browser as your server received them and which ones will you omit or change?
Will your server be implicated as having made a request that was unlawful (since you are acting as a proxy)?
I'm sure there are others. But if none of those issues prevent it, this third method could work quite well.
you can ask the developers of that domain if they would set the appropriate header for you, this restriction is only for javascript, basically you can request the ressource from your server with php or whatever and the javascript requests the data from your domain then
Old question, but I'm not seeing this solution, which worked for me, anywhere. So hoping this can be helpful for someone.
First, remember that it makes no sense to try modifying the headers of the request to get around a cross-origin resource request. If that were all it took, it would be easy for malicious users to then circumvent this security measure.
Cross-origin requests in this context are only possible if the partner site's server allows it through their response headers.
I got this to work in Django without any CORS middleware by setting the following headers on the response:
response["Access-Control-Allow-Origin"] = "requesting_site.com"
response["Access-Control-Allow-Methods"] = "GET"
response["Access-Control-Allow-Headers"] = "requesting_site.com"
Most answers on here seem to mention the first one, but not the second two. I've just confirmed they are all required. You'll want to modify as needed for your framework or request method (GET, POST, OPTION).
p.s. You can try "*" instead of "requesting_site.com" for initial development just to get it working, but it would be a security hole to allow every site access. Once working, you can restrict it for your requesting site only to make sure you don't have any formatting typos.

backbonejs cookie not maintained across cross domains

I have a backbone marionette application that makes REST api calls.
In my model when i make a api call to login i get a session value back and see the cookie being set in the browser
immediately after when i make another call to get the user information that is logged in i receive a different session or cookie value and no user is found. CORS is enabled and options calls are being made.
When i hook up the api to my other applications that were build off non backbone libraries it works fine. Does anyone know how to solve this?
Here is my post
doLogin: function( data ){
this.fetch({
data: JSON.stringify(data),
type: 'POST',
contentType: 'application/json',
error:(function (e) {
alert('error');
})
});
},
It is not clear on this piece of code but looks like your calls are going to different domains (once you mentioned CORS).
If that is really the case, I am afraid session and cookie might be different because they are probably specific only to the domain that your 1st request (doLogin) reached but not the 2nd request (fetch). More info: Sharing cookies across different domains and different applications (classic ASP and ASP.NET)
Another thing to look is if your both servers REALLY support CORS because one part of the setup is client-side and another is server-side (headers). More info on: http://www.html5rocks.com/en/tutorials/cors/

Intermittent ERR_SSL_PROTOCOL_ERROR error for cross domain request

The users of my website are seeing intermittent ERR_SSL_PROTOCOL_ERROR when making cross domain requests to api.flickr.com
By intermittent I mean that I've seen this happen 4 times out of ~1200 requests to the api yesterday.
Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR https://api.flickr.com/services/rest/?method=flickr.photos.getInfo&api_key=.....
My site is and AngularJS application running on Google App Engine and is exclusivley avalable on HTTPS.
sslchecker shows that my site's certificate & certificate chain is installed correctly. Well, I think it looks ok!
sslchecker for api.flickr.com shows that ROOT 1 of the certificate chain is missing. Is that the problem? Is there any way around that for me?
Any other ideas? Is the problem that our certificates are issues by different authorities maybe?
Edit - Some other possibly relevant info gleaned from google analytics
Have seen it happen for different OSes - Android, iOS, Windows
Different browsers - Android, Chrome, Safari
Different Network Domains
Persistent SSL Protocol Errors may be caused by problems like
the destination server expects a different protocol (e.g. SSLv1, SSLv2, SSLv3)
a violation of a security policy (e.g. some servers don't honor certificate requests made from client)
Firewall impedance filtering / ciphering
Intermittent SSL Protocol Errors are very hard to diagnose. They can be the result of expired session, expired key, connectivity hiccup, lost packets, etc
Even worse, they can be caused by Server Side issues like date-time sync, server connection pool full, etc.
Best practice is to re-send the request: because such issues are often a temporary glitch, and usually succeed at 2nd attempt.
Flickr switched their API to SSL-only on June 27th, 2014 (a little under a year). Their Forum has blown up with SSL related problems since then.
In the past few months many users have reported (check thread) sporadic SSL Protocol Errors.
These Protocol Errors appear across all device types (laptops, desktops, mobile, Linux, Windows, etc) and usually an immediate re-try is successful. The commonality and highly infrequent nature of these problems indicates there is some issue on the host side completely unrelated to anything on the client.
Since a re-fresh or 2nd attempt is usually successful, I suggest trapping the error, and making 1-3 more attempts:
var promise = flickrService.get(...);
promise.success(function (data, status, headers, config) {
// Big Party
})
.error(function(data, status, headers, config) {
if (status == 107) {
promise = flickrService.get(...);
promise.success(function (data, status, headers, config) {
// Big Party
})
.error(function (data, status, headers, config) {
AlertService.RaiseErrorAlert("Flickr temporarily unavailable.Please try again later");
});
}
});
If you continue to get a "Protocol Error", then inform the user that Flickr is temporarily unavailable and to try again later.
if you run into this error and you are testing localhost endpoint just make sure you use http instead of https as your url.
eg: http://localhost:8080/ not https://localhost:8080/
This might be the answer, but i'm guessing that this is probably not a client issue, so i would suggest you to update your api's server with that line added in the header :
Access-Control-Allow-Origin: https://api.flickr.com/*
This should fix the troubles some of your users are facing.

Samsung Smart TV request over SSL (HTTPS). Can't get an answer from server

Sometimes I make Smart TV applications. I've already done 2 of them. One uses HTTPS address another just HTTP. Both of them work correctly on TV, but...
I faced a problem of making request to HTTPS address. The technical supports says that some TVs may not recognize some SSL-certificates.
I've recently started to choose some of SSL-certificates and installed on my apache-server. The problem is — in one domain address request works fine, on another it does not.
Does anyone know what kind of problem it can be?
My request code is:
var url = 'https://smarttv.ibecsystems.kz';
$.ajax({
'url' : url,
'dataType' : 'html',
'async' : false,
'crossDomain' : true,
'contentType' : 'application/json; charset=utf-8',
'success' : function(json) {
$('#divcontent1').html('Ok!');
},
'error' : function() {
$('#divcontent1').html('error');
}
});
https://smarttv.ibecsystems.kz - works fine, and https://api.krisha.kz - does not. Although they have the same SSL-certificate.
Thanks!
I've tried to visit your pages with chrome browser and found that api.krisha.kz certificate is invalid. Look at the message below when i'm visiting the site
This is probably not the site you are looking for!
You attempted to reach api.krisha.kz, but instead you actually reached a server identifying itself as api.kolesa.kz. This may be
caused by a misconfiguration on the server or by something more
serious. An attacker on your network could be trying to get you to
visit a fake (and potentially harmful) version of api.krisha.kz.
When the other site there is no certificate problem. I think this is the problem please fix the certificate with just create self-signed certificate for the api.krisha.kz domain

Categories