Same domain JSON from HTTP to HTTPS

Question

I have a login link on a non-secure page that triggers a JSON post using jQuery. The post goes to the same domain but using a secure URL. My understanding of JSON is that it does allow cross-domain actions like this, but maybe this is a limitation.

When I run the script I get the following javascript error:

XMLHttpRequest cannot load https://.... Origin http://.... is not allowed by Access-Control-Allow-Origin.

I'm using the following code, nothing too complicated:

// postURL is something like https://example...
// postData is data to be transmitted
$.getJSON( postURL, postData + "&json=1", function(data) {
    // no error checking yet, just proceed to resultURL
    if ( true ) { window.location = resultURL; }
});

I've verified that if I load my source page securely the post works perfectly, so the only problem is the https difference.

There are a half dozen or so similar questions to mine on SO but none have an answer that works in my situation. Maybe this is just a limitation that can't be worked around?

Answer 1

As mentioned in the comments, you are trying to make a Cross Origin (CORS) XMLHttpRequest. This is because URI Scheme is defined as part of the origin of a request. This is possible, but requires both the client and server to pass certain headers between each other to validate that the connection is allowed.

The error you're getting means that your server does not send the correct response headers for you to be able to make CORS XMLHttpRequests to it. For info on the headers you need see the W3C spec. For more practical information on support in most browsers see this article.

Using jQuery, if your server supports it, you can make a CORS request by using the ajax function directly instead of calling it using getJSON.

Another option is changing to using JSONP and script tag injection, although this will still give security errors in some browsers depending on settings.