I'm running an asp.net core web application secured by ssl.
I need to send an ajax request to a local-network device which does not offer https.
So I try to send an ajax http request to a local ip adress (eg. http://192.168.1.30/hello-world) from a https browser window showing my web-app.
The url of the ajax request always gets converted into https://192.168.1.30/hello-world (which does not exist).
Is there anyway to avoid this? The device does not offer https and I can't send a local request from an insecured source.
Thank you!
Related
I have a website that uses HTTPS so it is secure by default.
I am aiming to send some HTTP requests from the website, but the problem is that modern versions of web browsers do not allow the use of HTTP requests inside of HTTPS sites.
So, what I am trying to do here is to make a portion of my website un-secure using HTTP instead of HTTPS, so that I can send the requests I want.
Is that possible?
If there are any other suggestions to send HTTP requests, please help me with it.
For example, does the URL http://www.google.com/ make the URL less safe, even though the default for this domain is with https?
Accessing a site using http:// (thus the unprotected unecrypted HTTP protocol) means that at least one unprotected HTTP request is sent to the server (most sites that support https will automatically redirect you to the https version).
This unprotected request can be intercepted by an attacker and thus send you arbitrary data back (malicious JavaScript code, redirect to other sites and so on).
The only exception is if you type http://www.google.com/ and you are using Chrome browser because Chrome will for addresses on google.com automatically change the entered URL to https:// before anything is sent on the network.
I was just wondering this small little question. I know it is irreverent to coding, but I just had to know quickly.
If you type in http:// for a https:// will it still take you to the correct place?
That is mostly dependent on the server configuration. The server has to accept the initial HTTP request and be configured to redirect the client to an appropriate HTTPS url.
That being said, there are some Internet standards related to automating HTTP-to-HTTPS upgrades. HTTP Strict Transport Security and Upgrade Insecure Requests allow an HTTP/S server to tell clients that it wants them to automatically use HTTPS for all subsequent requests. If a client visits an HSTS/UIR-enabled server, it will receive a normal HTTP response with additional HSTS/UIR-related headers. If the client supports HSTS/UIR, it will then know to automatically send all subsequent HTTP requests to that same server using HTTPS, and in the case of UIR also treat any received HTTP URLs as if they were HTTPS URLs.
We want to load a page of our platform into an iframe on a client site. Our platform contains a SSL certificate and runs always on HTTPS. The client's site runs on HTTP.
The URL that get's loaded into the iframe contains URL params for the name of the user. Are these url parameters send encrypted because the site in the iframe is HTTPS or are they accessible because the the parameters are created on the client HTTP site?
Short example:
Client site (HTTP) loads iframe with url "https://oursite.com/?firstname=Bob&lastname=Forrest". Are the URL parameters encrypted when they are transferred to the iframe site?
Thanks in advance.
The URL parameters will get encrypted. SSL sits between the HTTP and TCP layers, so the browser will first establish a TCP connection to the server before any data is exchanged. All data (including the request with the URL parameters) will be encrypted.
It is still generally advised to not pass sensitive information in the URL, as it will most likely get stored in plain text in the server logs.
I've got an internal web application that's designed to work in concert with a server running locally on the client machine. (For the curious: the local server is used to decrypt data retrieved from the server using the client machine's GPG key.)
The internal web app is served over HTTPS while the local app is accessible via localhost. It used to be that I could make unencrypted AJAX requests from the page to localhost without any issues; but it seems that recently Chrome was updated to disallow HTTP requests to any destination from pages served over HTTPS.
I understand that in the vast majority of cases, HTTP requests from a page served via HTTPS constitute a security hole. However, since I have complete control over the endpoint in this case (i.e., localhost), it seems to me that it should still be perfectly safe to make HTTP requests to that one destination even when the host page has been served via HTTPS.
Is this possible? To whitelist localhost somehow?
Since you are in control of both the client and the server, it sounds like a good candidate for Cross-Origin Resource Sharing (CORS). The server will have to set a few response headers to give access to the client. You can learn more here: http://www.html5rocks.com/en/tutorials/cors/