How can I send an ajax GET request over HTTPS?
$.get throws this:
XMLHttpRequest cannot load https://********. Origin null is not allowed by Access-Control-Allow-Origin.
Is there another way or some workaround to get this working?
If I navigate to the url with Chrome I'm able to get the response. I see no reason why it shouldn't work work over an ajax request.
You cannot make an AJAX request to an https page if you are currently in http because of the Same Origin Policy.
The host, port and scheme (protocol) must be the same in order for the AJAX request to work.
You can either make sure that the originating page is on the same host and scheme or implement CORS (cross-origin resource sharing) on the target domain to permit this particular request.
[jQuery v. 3.3.1]
I have a web application, where all resources and traffic are via HTTPS.
Yet, I found that I can't send $.ajax() or any of the specific $.get, $.post, etc. due to (Chrome output):
Refused to connect to 'http://mywebapp/api/mycall' because it violates the following Content Security Policy directive: "connect-src 'self'".
It was due to the HTTPS page making the AJAX requests through HTTP and I found no way to force HTTPS.
What is crazy is what fixed it. Calling $.get('/api/mycall/') outputs the above error with "Refused to connect to 'http://mywebapp/api/mycall'", which omits the ending forward slash in the actual call in the code. So from the error it looks as if the forward slash wasn't there.
I have done multiple calls and every single one fails when there is an ending slash in the url being called. The same ones all succeed without one.
So calling $.ajax({ url: '/api/mycall'}) works, whilst $.ajax({ url: '/api/mycall/'}) doesn't.
Related
I have a website based on HTTPS, and I have a JS code the get data from a website based on HTTP. I get an error that the HTTP server is not trusted.
While the same code works on HTTP to HTTP. But not on HTTP to HTTPS.
This is the error:
Mixed Content: The page at 'https://www.33k.com/player/playerudan.php' was loaded over HTTPS, but requested an insecure script 'http://33k.thepuremix.net/json.xsl'. This request has been blocked; the content must be served over HTTPS.
For getting this data I use something like the following code:
var URL = "http://33k.thepuremix.net/json.xsl"
$.getJSON( URL, function( data) {
console.log( data );
});
Any idea how to fix it or make it working. Is there such a Crossdomain.xml on Icecast that I can give configure or anything else to fix it?
UPDATE:
The above links are two different websites. It is not a sub-domain matter. The links just look alike a bit. Domain A(HTTPS) wants to get JSON from domain B (HTTP).
Calling HTTP from HTTPS is blocked by design as #RoryMcCrossan mentioned in the comments (Same Origin Policy), you can either move your script from HTTP to HTTPS or make a backend script (in PHP for example) and call HTTP from it like:
JavaScript(HTTPS) -> PHP(HTTPS) -> PHP(HTTP)
JavaScript(HTTPS) <- PHP(HTTPS) <- PHP(HTTP)
Reference to creating a http request in PHP: Http Request in PHP
Here's also some info about Same Origin Policy
I'm trying to get the current time from http://timeapi.org/utc/now.json. I'm using the following:
var date;
$.ajax({
dataType: 'jsonp',
url: 'http://timeapi.org/utc/now.json',
success: function (result) {
date = result.dateString;
}
});
The URL is only available as HTTP, but I'm calling it from an HTTPS site. This leads to the error:
'https://myurl.com' was loaded over HTTPS, but requested an insecure script 'http://timeapi.org/utc/now.json?callback=jQuery1122020058229618158618_1466258121249'. This request has been blocked; the content must be served over HTTPS.
The timeapi website does not actually exist as https, so changing the URL to https leads to a new error: http://timeapi.org/utc/now.json
How can I force it to load? There do not seem to be any https web time services, but I imagine there has to be a way in which people on https sites are using external time-keeping services as well.
You can't.
From HTTPS, only HTTPS. From HTTP you can call HTTP and HTTPS.
What you could do is to create an https wrapper (in php or node) in your own webserver and retrieve the value from timeapi.org from there.
Something like this:
<?php
header('Content-Type: application/json');
echo(file_get_contents('http://timeapi.org/utc/now.json'));
You can't make http requests from an https.
It is restricted by same origin policy
The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
I'm using JQuery:
$('#myDiv').load('myApp/url',function(){ });
and it's giving No 'Access-Control-Allow-Origin' header is present on the requested resource By chrome, and firefox so far , any straight forward answer on how to fix this . I don't have control over server to make any configurations and I'm using PHP
This is a CORS issue (Cross Origin Resource Sharing), you are trying to request content via ajax from two different domains. Unless the domain from where you want to grab the data has properly set the CORS headers, browsers will cancel the request right away.
This occurs due to the communication between two different domains. The domain that will server your data, should have some headers set, this headers act as permissions, they tell which domains are allowed to ask for data from it, and which verbs/methods are allowed.
You can read more about this here and here
No, there won't be a straight forward answer to this because it will depend entirely on your system/server setup, and what you have access to. Here's what you need to know.
In the beginning -- AJAX requests had a very strict "same origin" policy. This meant if you made an ajax request FROM a website with the domain example.com, you could only make a request to a URL that was on example.com.
In more recent years browsers have loosened up on this. If the server that you're making a request to has an Access-Control-Allow-Origin header, and that header includes the URL/domain of the server you're making the request from, then the request will be allowed. Similar question/answer here.
So, how you set this header depends on the server you're making a request to. If you have control over this server, start your Googling there.
If you don't have control over this server, you need to make a request to php page on your server, and this PHP page should make a curl request to the server that had the information you don't. A curl request, happening outside the browser, isn't subject to the same cross domain issues.
The easy way is to do this by hand:
var script = document.createElement('script');
script.src = uri;
script.id = 'scriptid';
document.head.appendChild(script);
It may be some browser compatibility issues, but you get the power of CORS with no 'Access-Control-Allow-Origin' error
I am trying to get the register numbers of the people who scored 'S' in a certain subject from a website from the localhost.
But i am getting this error
XMLHttpRequest cannot load http://sas.sastra.edu/result2013/index.php. Origin http://localhost is not allowed by Access-Control-Allow-Origin
for(i=115003001;i<115003230;i++)
{
$.post("http://sas.sastra.edu/result2013/index.php",{regno:i},function(data,textstatus,obj){
if($(data).find('tbody tr:nth-child(2) td:nth-child(2)').text().slice(60,62)=="S")
{
console.warn(i);
}
},{dataType:"HTML"});
}
Please Comment if i am not clear.
Simply said http://sas.sastra.edu does not allow you to make a cross domain httprequest.
Ajax requests are limited by the browser's Same Origin Policy. This means that you can't talk directly to a server via ajax that isn't on the same domain as the page your script is running in. So, unless you're developing a page for google.com, you can't talk to google.com directly httprequest.
Making Either make sure they though or try doing a JSONP call is probably what you need to do here if the API you're attempting to use supports it.
Read more about jsonp here: What is JSONP all about?
I by chrome->Inspect element->console get this error:
XMLHttpRequest cannot load. Origin is not allowed by
Access-Control-Allow-Origin.
What is this resolved?
You cannot issue requests through the XMLHttpRequest to other domains or subdomains.
If you are issuing the request from www.foo.com you also need to target the request at www.foo.com and not leave out the www.
If you really need to hit another domain you can use JsonP where the browser utilizes the <script> tags ability to load scripts from a different domain. The loaded script then executes a callback function to give you the data. But for regular AJAX calls you cannot leave the source domain at all.
See the Wiki article on Same Origin Policy
one work around is using Korz which routes all cross origin requests through a third party and sets Access-Control-Allow-Origin header to '*' so the request goes through.
I recommend you to read this:
http://www.fbloggs.com/2010/07/09/how-to-access-cross-domain-data-with-ajax-using-jsonp-jquery-and-php/
It is very wel explained... the whole point is that you need to return your JSON in a callback-function way