I would extremely appreciate some help with the following issue:
I have a payment web app hosted in IIS and configured for SSL. I need to integrate a POS terminal (or pin-pad) with a static IP that's not SSL compatible. I can talk to it running the site without SSL (HTTP to HTTP), but not HTTPS to HTTP - obviously getting "Mixed Content ..." error as Chrome doesn't allow that. I don't need to care about other browsers, but I can't run my site HTTP and as mentioned terminal doesn't support HTTPS.
Now, before you mark it as duplicate - I've read:
sending request from https to http from chrome extension,
Chrome extension - Disable Blocking of Mixed Content
Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?.
And it looks like Chrome extension might provide a solution. I don't have any experience with Chrome extensions though, but comfortable with JavaScript. I would prefer to avoid chasing something that would result in a dead-end. So, my question is - am I on the right path? If so, how do I go about implementing this? How do I go about delegating the ajax post call to the extension?
Any thoughts, ideas, tips, suggestions would be highly appreciated!
If you are going to use chrome-extension, do you want everyone who visits your payment site install the extension first? If the answer is yes, then sure, chrome-extension can help with that. Take at the following guide:
Cross-Origin XMLHttpRequest, it tells you that background page can send request to http site, even if current page is https
chrome.webRequest.onBeforeRequest, it tells you that you could redirect a http(s) request.
Related
I have a Javascript application running in a browser, and I want to access some data sitting in a server that can't enable CORS.
It's not a testing application, is meant for the end-user, even if a little techy one.
I considered:
PHP Proxy: Not appropriate. Server on the other side make decision about IP geolocation.
Java/SilverLight: Unfortunately my #1 target is Chrome
JSON: Not available
What are my options?
Please notice that I'm not trying to make any malicious application: if the user need to approve or allow me to make this request is totally fine.
You are trying to do exactly what the Same Origin Policy is designed to prevent (and what CORS is designed to allow the server to permit).
Your options are:
Find a way to work with whomever controls the server
Get the users to download and install software which isn't subject to the Same Origin Policy (such as a stand-alone application or a browser extension).
You need to ask your users to install chrome extension to overcome CORS. I used to use it while developing ionic apps and testing on chrome
https://chrome.google.com/webstore/detail/allow-control-allow-origi/nlfbmbojpeacfghkpbjhddihlkkiljbi?hl=en
https://chrome.google.com/webstore/detail/cors-toggle/omcncfnpmcabckcddookmnajignpffnh?hl=en
I'd like to create chrome extension which behaves like a proxy, so I can do whatever I want with HTTP requrests coming from browser. What approach can I use for this? What API to use for HTTP request hooking? Googling and reading chrome documentation didn't give me any ideas.
Thanx.
I'm trying to create a web page that can connect to a client-local WebSocket server. The idea is to use the JavaScript client running in the browser as kind of a proxy to enable communication between the remote web server and the locally installed client application which implements the WebSocket service.
So basially, what I'd do is load a web page from https://example.com which includes some JavaScript that opens a new WebSocket to ws://localhost:1234/context.
This works fine as long as the web page is accessed via http. As soon as https is used, however, Firefox and Internet Explorer refuse to connect and the WebSocket constructor throws an exception (SecurityError, code 18).
Now, I already found advice from Mozilla stating that https sites should only use secure (wss://) WebSockets and plain http sites should only use plain WebSockets (link). But I don't really see the security issue when connecting to localhost from within an https context. Besides, this works like a charm for Chrome, Opera and Safari.
So the actual question is: Is there any way to work around this issue? Like introducing a non-https context inside the web page or something similar to get all browsers to connect to ws://localhost from within a https-delivered web page?
Thanks a lot in advance! I'm not exactly a web developer so this kind of browser-specific behaviour isn't really in my fields of expertise :)
You have to accept the cert first.
You can do this by simply going to https://localhost:1234/context, in your case. Once that's done, you can use the wss URL in your question.
I have just started learning about headless testing and wanted to use it to test my application on salesforce.com. Salesforce is a https site and am unable to open it in phantomjs. I am using the loadspeed example to test it. I have also set the --ignore-ssl-errors argument but I still get the FAIL to load address error.
phantomjs "C:\myfolder\phantomjs
-1.9.2-windows\examples\loadspeed.js" https://test.salesforce.com --ignore-ssl-e
rrors=yes --ssl-protocol=any
another Observation:
If I try it with other https sites like https://github.com/, I am able to open those in phantomjs.
Please help in resolving this.
Your using phantomjs command in wrong way. You should use in the followinf order:
phantomjs [switchs] [options] [script] [argument]
as in your example it should be:
phantomjs --ignore-ssl-errors=yes --ssl-protocol=any "C:\myfolder\phantomjs
-1.9.2-windows\examples\loadspeed.js" https://test.salesforce.com
The other possibility is that you are trying to open an URL, which is secured by a login page, intended for users who have already logged in, therefor the server may returns 403 unauthorized response. If this is the case you can solve it by getting all the cookies on your browser for demo.saleforce.com and setting them on phantomjs.
Please note that there is no problem with SSL certificate of Salesforce, there is no point in turning off the SSL security. If you can't access the site without ignoring SSL error, then it's likely possible that your computer/internet connection have been compromised by some hackers. If this is the case they can just intercept your login information when you log in different websites.
I have a dev site set up that's running under a fake HTTPS, it has a certificate however Chrome says its invalid because of the domain. My real site has a real certificate however, and I'm wondering if that HTTPS connection will break because of some insecure content on my page.
I'm using Brightcove as a 3rd party video host and when using their embed code, I get these types of errors in the Chrome developer console on my dev site:
The page at https://my.website.com/ displayed insecure content from http://c.brightcove.com/crossdomain.xml.
If I deploy the development version to my live site, will it break the HTTPS seal in the address bar of browsers? HTTPS is very important for my customers so I'd rather not deploy it and just see what happens.
Unfortunately Brightcove doesn't have "true" HTTPS support, it's either get these errors or the video doesn't work. :/
Also, the video is being loaded via JavaScript if that matters.
Thanks!
If you include content from insecure sources (http), the seal will break. it's still safe but it won't be shown as prominent as on a page with only secure content inclusion.