I'm working on a single page app that uses Backbone.js and marionette on the front end, and Django with Tastypie on the back. I just added a ssl certificate to the web server, and redirected all the http traffic to https.
Everything seems to work fine except for the backbone (sync) request that continues to send request over http, causing the browser to block those requests, and I don't know how to tell backbone to use https by default.
The backbone models url/urlroot are relative so they should take the same protocol as the rest of the site right? Thanks,
Backbone.sync is a wrapper around jQuery.ajax(...) in the end. You are correct that Backbone (via jQuery) should use the protocol of the hosting page. And the Same Origin Policy dictates the browser reject any request made to a different host, port, or protocol.
All this suggests the way you're hosting the page is getting jQuery's signals crossed. If you access the page directly via HTTPS instead of relying on the HTTP --> HTTPS redirect, does it work? If so, the problem isn't a Backbone one, but a hosting one.
Related
I'm creating a Progressive web app and need to make requests to an API which is HTTP and doesn't have HTTPS. Can't change the app to HTTP as PWA's require HTTPS, can't change request link to https.
Getting this error:
Mixed Content: The page at 'https://current-site.herokuapp.com/' was
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://the-api.com/api/customer?$filter=contains(CustomerName,%20%27test%27)&$select=CustomerName,CustomerId&$top=10'.
This request has been blocked; the content must be served over HTTPS.
Hoping there's a way around this. Currently using nodejs and express to serve. Requests are being made from frontend vuejs with axios.
Thanks for helping.
Shy of using an insecure or old browser, or telling your users to use some command line flags before surfing the web, there is not a direct method for this. This is by design and would be a major security flaw if apps could do this directly.
However, if you're determined to use the insecure API, you can write an HTTPS proxy API on your server, that turns around and does the request to the real API over HTTP.
I have an Angular web application that I'm hosting on an Apache web server that's configured with the mod_auth_mellon module. With mod_auth_mellon, my Apache server acts as a Service Provider with a SAML 2.0 Identity Provider (iDP), for which I have an established Relying Party Trust.
Once authenticated, the web application will fire off an AJAX call in the background every minute. This call goes through a reverse proxy that I've set up on the Apache server.
The typical browser flow: Once the Apache mellon session (MellonSessionLength) expires, any request going through Apache will redirect back to the SAML iDP to re-negotate. Assuming I'm still authenticated with the iDP, mellon will establish a new session and automatically redirect me back to my original destination. Normally, this re-negotiation is an extra request or two that happens seamlessly behind the scenes.
The problem: The mellon session will typically expire when my background AJAX request is firing, which redirects that request back to the iDP. On the AJAX request back to the iDP, the browser is giving a CORS error and the response includes a generic log-in page (rather than my redirect destination). My (Apache) requests should appear to originate from the same domain as the iDP, but not the same subdomain (but, in reality, they are two different servers): (mywebapp.mydomain.com vs. idp.mydomain.com). If I simply copy the request URL into the browser bar manually, the re-negotiation happens without a problem.
Question #1: As far as I can tell, it's the browser that's blocking this request. Is this an Apache configuration issue?
Question #2: If I can fix the CORS issue, will the JavaScript be able to successfully interpret the response from the iDP such that mellon establishes a new session? I've been reading some articles that give me some pause - some people talk about potentially having to embed a hidden iFrame on the page to handle the iDP response prior to redirecting to the destination URL.
I'am reading the 'Getting MEAN with mongo, express, angular and node' book made by Simon Holmes. I like it alot but i had a big question which doesn't Seems to be covered in the book, he is talking about rest-api through http request (i went a bit forward in the book and saw there was a login system) and that triggered me a bit isn't it risky to do everything in http. And my other question was when you load your rest api in Heroku (and all your website) are the request in https since they force https (i know it cause i couldnt load Google font due to me making the request in http)
isn't it risky to do everything in http
It's less secure. People can read any request in plain text.
when you load your rest api in Heroku (and all your website) are the
request in https
Whist you can use HTTP, you can make any request over HTTPS with no cost. When you upload your real app you will also want to configure your server to redirect to HTTPS too.
How to send https request to address https://www.googleapis.com/plus/v1/people/me from java script and most important how to get data from server?
I need it to identify users e-mail in my packaged chrome app.
Note that this would violate the same origin policy. Additionally, the whole point of HTTPS is so that the whole page (and request cycle) is secure.
The alternatives would be:
Make the request using JSONP, or
Set up a proxy: let your JS call your own server on the same origin,
which will in turn make an HTTPS request, or
Have an iframe which points to an HTTPS page (on your own server). This page should then be able to make Ajax requests to the server over HTTPS. Using the HTML5 postMessage API, you can then post a message back to the parent window.
I have a local html file in may desktop accessing a web api (JAX-RS) that responds with some JSON data. I enabled CORS and everything works fine, but only without SSL. How can I do to make it work with SSL? I use a self-signed certificate and can call this web api from a WPF application, but from a JavaScript application (standalone html file), when Chrome sends the OPTIONS pre-flight before the POST, the request seems not to even reach the server. I also tried to import the self-signed certificate in the browser, but nothing has changed.
The preflight request is not allowed to include an entity body or credentials. If you are using preflighted requests then you cannot use two way SSL.
The solution is to change the server to make the certificate optional. I've only done this using Apache HTTP server or Tomcat but I assume other servers are also capable of this.
In apache the setting should be changed to
SSLVerifyClient optional
and in Tomcat the SSL settings should be changed to
clientAuth="want"
Without this change only CORS simple requests will work.