Reputation: 3082
Is there any issue making HTTP AJAX calls from an HTTPS page?
I know almost all browsers block HTTPS calls from non-secure pages, but what about the other way around? I am interested in using a free geolocation API that doesn't support HTTPS for the free plans.
Is there anything wrong with making non-secure AJAX calls from an HTTPS page? Will this produce any kind of browser errors?
Upvotes: 0
Views: 330
Answers (1)
Reputation: 2230
When you have mixed-security content on your page, it is dangerous, as that allows unsecured content to be tampered (which could then modify your secure content). For example, I could modify a script loaded over non-secure HTTP to do something nasty (like send all user data via AJAX) via a MITM attack. It's much harder to do this over HTTPS, as everything's encrypted.
Similarly, the content you send and receive from your AJAX request is transferred over a non-secure connection, so it could be tampered. Its danger depends on what you do with the response, but always use HTTPS when possible. It probably wouldn't matter if, say, you were getting the scores of a sports game provided you properly escape and sanitise the data, but if you were sending the username and password of an account, then...
Upvotes: 2
Related Questions
- Why is it common to put CSRF prevention tokens in cookies?
- “Origin null is not allowed by Access-Control-Allow-Origin” error for request made by application running from a file:// URL
- HTTP Cookies and Ajax requests over HTTPS
- Request Monitoring in Chrome
- Using HTTP API from HTTPS page
- JavaScript cross-domain call: call from HTTP to HTTPS
- Ajax call is falling to http, despite being on https page
- How to redirect from HTTPS to HTTP without annoying error messages