Axios making a request from HTTPS to HTTP source - firebase

I have a running Azure java backend service which is without a security certificate and a running Firebase Hosting React project with a security certification.
Backend: http:// some_ip_address:10000/
Frontend: https:// project_id.web.app/
I am using axios in the frontend project. When I make an axios request, I am facing to this Mixed-Content error.
Mixed Content: The page at 'https://project_id.web.app/auth/login' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://some_ip_address:10000/otp/create'. This request has been blocked; the content must be served over HTTPS.
Instead of changing "insecure content" setting from the browser, what is the solution to fix this?

Related

Angular 11 app hosted in IIS giving CORS issue when calling Asp.Net Web API

We have the following setup
Angular 11 / TypeScript app: Hosted in IIS with SSL/TLS cert (HTTPS) and sending user credentials (NTLM) to the backend API using withCredentials header.
Also for CORS we are passing header 'Access-Control-Allow-Origin' : '*'
Asp.Net Web API (.Net 6): Self-hosted using Http.Sys (to support NTLM) and using HTTP.
To support CORS, we are using this
builder.Services.AddCors(options => options.AddDefaultPolicy(b => b.SetIsOriginAllowed(_ => true)
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials()));
When the Angular App is making a call to the backend API, it is getting error related to CORS.
Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
But when we run Angular app without SSL/TLS cert i.e HTTP, then it works fine.
So this CORS issue, is it happening because Angular app is HTTPS and backend API is HTTP? If yes then how can we solve this issue?
Thanks in advance.
So this CORS issue, is it happening because Angular app is HTTPS and backend API is HTTP? If yes then how can we solve this issue?
The mismatch of TLS to non-TLS requests throws something like this:
Access to fetch at 'https://another-site.com/' from origin 'https://example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
You are getting this error because the preflight OPTIONS request is being redirected by some sort of Middleware routing (I assume).
You can read up on how to configure for OPTIONS preflight requests here. There is lots of options depending on your requirements, so I won't post a suggestion.
https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-6.0#preflight-requests

Keycloak SAML request in an iframe: No 'Access-Control-Allow-Origin' (CORS error)

I'm working on a tool that embeds an iframe of an external app. The authentication to this external app is via SAML and Keycloak. However when using the iframe, the SAML request to Keycloak does not work: "... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."
Scenario 1: Accessing the external app using the browser (normal way)
I get redirected to the Keycloak login page and after successful authentication, it redirects to the external app and everything works fine.
Scenario 2: Loading the external app using the iframe
The iframe is loaded and the Keycloak login page is shown. However, after entering the credentials, the triggered SAML request to Keycloak is blocked due to the CORS issue, see
Failed SAML request to Keycloak within the iframe.
Once I click on the failed URL (starting with "saml?SAMLRequest=...") and access it the normal way (browser), everything works fine.
I read on multiple sites, e.g. here Keycloak Access-Control-Allow-Origin, that you have to enter your webpage (in this case localhost:8080) to the Web Origin field within the Keycloak interface. This one only exists when choosing the openid-connect value in Client Protocol though. So, when switching from openid-connect to SAML, which I use, the Web Origin field disappears. I even tried to export the config file for that Keycloak client in order to manually enter the WebOrigin property, which did not work either.
How can I change the CORS policy for this iframe when using SAML (not openid-connect) since I don't have access to the Web Origin field?
Thanks in advance!
Keycloak doesn't allow to be loaded in the iframe by default.
Keycloak admin must allow that explicitly per realm in the Realm settings->Security Defenses->Headers->X-Frame-Options. Make sure you understand all security consequences before you allow Keycloak in the iframe. It's a security setting.

Can my Heroku app call a http endpoint from my GCP backend?

I tried deploying a Heroku web app with my Flask backend (not on Heroku, actually on GCP) and got the following message in my browser's dev console:
Mixed Content: The page at 'https://x.herokuapp.com/' was loaded over
HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://x:5000/endpoint'. This request has been blocked; the content
must be served over HTTPS.
I have little experience with serving and SSL, but the first temptation here would be to find a way to make Heroku okay with using http endpoints. And I'd love to avoid setting up SSL if possible.
What are my options from here?
Thanks!
In the end I realised that by applying my own http domain to the project (rather than using Heroku's domain), I am able to avoid the issue.
Then with http on the frontend, I was able to call http endpoints from my GCP server.

403 error accessing HTTPS web service (restful)

Our security team recently change the service to become HTTPS (from http).
We can hit the main svc page, but accessing methods gives a 403 error now.
We tested it using Postman - do we need to configure the request differently now that it is HTTPS?
thanks.

Azure App Service won't serve via HTTP

I have an ASP.net MVC app running on Azure App Service ... I've searched for the answer, but have not found it ... my app seems to always force HTTPS redirect, no matter what. All the docs say it should serve content via HTTP by default, but it does not. Most everyone has the opposite problem of needing to redirect HTTP to HTTPS.
I need Azure App Service to do the following:
1) Serve static Default.htm page via HTTP, without redirecting to HTTPS
My app has a custom domain and no SSL for the custom domain. I want the URL http://example.com/Default.htm to serve the static page, not redirect to HTTPS to serve the static page. I will use azurewebsites domain when I want users to be in HTTPS. I want to use my custom domain name to serve a static home page for users arriving at my site.
As far as I can determine, I do not have any app extensions installed (such s https redirect extension), or anything in web.config to force https, or any RequireHTTPS attributes ... can anyone explain why plain old regular boring HTTP doesn't work here?
Thanks

Resources