Ajax.Request not working with HTTPS and self signed certificates


Rick Avner

Jun 12, 2011, 4:00:01 AM
to Prototype & script.aculo.us
Hi,

I have an HTML Application (HTA) using Ajax.Request to get information
from one of my LAMP based servers. The requests were working fine
using HTTP. However, the requests are failing (responseText is blank)
when I use HTTPS. Server SSL is enabled using self signed
certificates.

Is there any way to ignore certificate warnings while using
Ajax.Request?

I know I should use CA certified certificates on my server. However
just wondering if there is any way for Ajax.Request to work with self
signed certificates.

I am using prototype.js version 1.5.

Thanks in advance.

T.J. Crowder

Jun 12, 2011, 5:36:04 AM
to Prototype & script.aculo.us
Hi,

I don't think it has anything to do with the certificate being self-
signed, just that it's https.

Are you trying to use https in an ajax call when the page has been
loaded via http? If so, you're running into the Same Origin Policy[1],
which forbids doing that. Ajax requests, by default, can only go to
the same origin as the document in which the script is running, and
the concept of an origin includes the protocol (http://example.com and
https://example.com are _different_ origins). More in the link.

If you're in control of the server, you have a couple of options:

1. Use JSON-P[2] instead of Ajax. JSON-P doesn't have an origin
restriction, but it can only use the GET method, not POST.

2. If you can rely on using a modern browser, you can use the new
CORS[3] standard. You can see a list of browsers and their support (or
lack thereof) for CORS here[4]. Unfortunately, CORS is only supported
by IE in IE8 and above, and that support requires extra work (whereas
every other browser vendor who supported it did so in a backward-
compatible way). Specifically, instead of using XMLHttpRequest (which
is what Ajax.Request uses), you have to use a completely new
XDomainRequest object instead. But again, only on IE. Note that using
CORS requires that you add support for it to the server, because you
have to handle a request from the browser asking if it's okay to send
the cross-origin request.

HTH,
--
T.J. Crowder
Independent Software Engineer
tj / crowder software / com
www / crowder software / com

[1] http://en.wikipedia.org/wiki/Same_origin_policy
[2] http://en.wikipedia.org/wiki/JSONP#JSONP
[3] http://www.w3.org/TR/access-control/
[4] http://caniuse.com/#search=cors
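An added illustration of the reply above (not code from the thread or from Prototype): an origin comparison that includes the protocol, and the server-side decision for the CORS preflight the reply mentions. The function names, the allowlisted origin and the request shape are hypothetical, and answering a disallowed origin with 403 is one possible policy.

```javascript
// Added example: names, origins and the allowlist below are constructed.

// An origin is the (scheme, host, port) triple. URL.origin normalises
// default ports, so https://example.com:443 equals https://example.com.
function sameOrigin(a, b) {
  const oa = new URL(a).origin;
  // Opaque origins (e.g. file:) serialise to "null" and never match.
  return oa !== "null" && oa === new URL(b).origin;
}

// Origins this hypothetical API agrees to serve cross-origin.
const ALLOWED_ORIGINS = new Set(["http://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];

// Decide the CORS response for one request.
// req = { method, headers } with lower-case header names.
function corsDecision(req) {
  const origin = req.headers["origin"];
  // No Origin header: not a cross-origin browser request, add nothing.
  if (!origin) return { status: null, headers: {} };
  // Exact-match allowlist; arbitrary origins are never reflected back.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };

  const headers = {
    "Access-Control-Allow-Origin": origin,
    "Vary": "Origin", // caches must key the response on Origin
  };
  const wanted = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wanted) {
    // Preflight: the browser asks before sending the real request.
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
    return { status: 204, headers };
  }
  // Actual request: the handler continues with the header attached.
  return { status: null, headers };
}
```

A `status` of `null` means the CORS layer has no verdict of its own and the normal request handler sets the response status.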

T.J. Crowder

Jun 12, 2011, 6:05:08 AM
to Prototype & script.aculo.us
Addendum:

> I am using prototype.js version 1.5.

Why? It's been out of date for more than three and a half years
(assuming you're talking about v1.5.1.2, which was superseded by
v1.6.0 in November 2007). That's a _long_ time in the browser-based
world.

-- T.J.

On Jun 12, 10:36 am, "T.J. Crowder" <t...@crowdersoftware.com> wrote:
> Hi,
>
> I don't think it has anything to do with the certificate being self-
> signed, just that it's https.
>
> Are you trying to use https in an ajax call when the page has been
> loaded via http? If so, you're running into the Same Origin Policy[1],
> which forbids doing that. Ajax requests, by default, can only go to
> the same origin as the document in which the script is running, and
> the concept of an origin includes the protocol (http://example.com and
> https://example.com are _different_ origins). More in the link.

Rick Avner

Jun 12, 2011, 2:17:47 PM
to Prototype & script.aculo.us
Hi Crowder,

Thanks for the information.

As I said in my post, the Ajax.Request calls are in an HTML Application
(HTA), which is not a server page. It runs on the client machine using
mshta.exe and requests data from the server using ajax.

And I don't think the issue is due to "Same Origin Policy", as the
requests are working fine when server SSL is enabled using a trusted
certificate.

The response is blank when server SSL is enabled using a self-signed
certificate. Any idea?

And yes, I should try with the latest version of prototype.js.

Thanks

On Jun 12, 3:05 pm, "T.J. Crowder" <t...@crowdersoftware.com> wrote:
> Addendum:
>
> > I am using prototype.js version 1.5.
>
> Why? It's been out of date for more than three and a half years
> (assuming you're talking about v1.5.1.2, which was superseded by
> v1.6.0 in November 2007). That's a _long_ time in the browser-based
> world.
>
> -- T.J.
>
> On Jun 12, 10:36 am, "T.J. Crowder" <t...@crowdersoftware.com> wrote:
>
>
>
> > Hi,
>
> > I don't think it has anything to do with the certificate being self-
> > signed, just that it's https.
>
> > Are you trying to use https in an ajax call when the page has been
> > loaded via http? If so, you're running into the Same Origin Policy[1],
> > which forbids doing that. Ajax requests, by default, can only go to
> > the same origin as the document in which the script is running, and
> > the concept of an origin includes the protocol (http://example.com and
> > https://example.com are _different_ origins). More in the link.

T.J. Crowder

Jun 12, 2011, 6:28:30 PM
to Prototype & script.aculo.us
Hi,

> As I said in my post, the Ajax.Request calls are in an HTML Application
> (HTA), which is not a server page. It runs on the client machine using
> mshta.exe and requests data from the server using ajax.

Ah, sorry. Probably not safe to assume everyone knows what you mean by
"HTA". I've seen any number of acronyms people have created ad hoc to
make their web apps sound cool, I have to assume I put your use of
"HTA" in that category, not being familiar with that specific
Microsoft-centric technology.

> And I don't think the issue is due to "Same Origin Policy", as the
> requests are working fine when server SSL is enabled using a trusted
> certificate.

In that case, it's a question for Microsoft. Prototype isn't involved
in the certificate chain process at all. It just does the request and
reads the response via XMLHttpRequest. The certificate stuff is
handled by the user agent (e.g., mshta.exe).
--
T.J. Crowder
Independent Software Engineer
tj / crowder software / com
www / crowder software / com

> > > the concept of an origin includes the protocol (http://example.com and
> > > https://example.com are _different_ origins). More in the link.

Phil Petree

Jun 12, 2011, 8:17:48 PM
to prototype-s...@googlegroups.com
Hate to butt in here, but did you try setting an alert(ajax.transport.responseText) right after your ajax call?

