Jesse Reza Khorasanee

Reputation: 3481

Does an XMLHTTP POST request to an HTTPS address use any encryption?

If we use JavaScript's HTTP request function:

var request = new XMLHttpRequest();

to an HTTPS address, will this use any type of encryption or will a MITM be able to see all data we send?

Example:

function createAuthToken(baseRestURL, callback) {
    var APIPath = "account/api/session";
    var CORSPath = "https://cors-anywhere.herokuapp.com/";
    var completeRestURL = CORSPath + baseRestURL + APIPath;
    console.log("REST API URL: " + completeRestURL);

    var method = "POST";
    var postData = "{\"tokenId\": \"" + document.getElementById('api_key').value + "\",\"secret\": \"" + document.getElementById('secret').value + "\",\"loginMode\": 1,\"applicationType\": 35}";
    var async = true;
    var request = new XMLHttpRequest();
    request.onreadystatechange = function() {
        if (request.readyState == 4 && (request.status == 200 || request.status == 201)) {
            console.log("ONLOAD");
            var status = request.status; // HTTP response status, e.g., 200 for "200 OK"
            console.log(status);
            var response = JSON.parse(request.responseText);
            console.log(response.session_token);       
            return callback(response.session_token);

        }

    };
    request.open(method, completeRestURL, async);
    request.setRequestHeader("Content-Type", "application/json");
    request.setRequestHeader("Accept", "application/json");
    request.send(postData);
}

Follow-up question: If not, is there a way to include encryption in our client-side JavaScript that is safe? My thought was to use a website's public key to encrypt the request before sending it to the server, but I can't find anyone else attempting client-side encryption.

Rough example:


var CryptoJS = require("crypto-js");
var stackOverflowKey = "30 82 01 0a 02 82 01..."
var postData = "{\"tokenId\": \"" + document.getElementById('api_key').value + "\",\"secret\": \"" + document.getElementById('secret').value + "\",\"loginMode\": 1,\"applicationType\": 35}";
var encryptedPostData = CryptoJS.HmacSHA256(postData, stackOverflowKey);

//let's skip the callback and request headers as they are the same as above

var request = new XMLHttpRequest();
request.open();
request.send(encryptedPostData);

I didn't study computer science and couldn't find anything online about this. What are the generally accepted ways of doing this?

Upvotes: 0

Views: 2286

Answers (1)

Patrick Evans

Reputation: 42746

The HTTP in XMLHttpRequest, like the XML part, is just a leftover naming scheme, as the requests used can include more than just HTTP protocol URLs and receive more than just an XML response body.

For instance the initial W3C working drafts introduced the XMLHttpRequest object by saying:

https://www.w3.org/TR/2006/WD-XMLHttpRequest-20060927/#introduction

The name of the object is XMLHttpRequest for compatibility with the web as it doesn't make much sense otherwise. It supports the transport of other data formats in addition to XML, some implementations support other protocols besides HTTP (that functionality is not covered in this specification though) and the API supports sending data as well.

Note the "some implementations" as this is a working draft back in 2006 so not everyone was using the same implementation.

The current WHATWG spec for XMLHttpRequest has this to say about the name:

https://xhr.spec.whatwg.org/#introduction

The name XMLHttpRequest is historical and has no bearing on its functionality.

So as long as the browser being used implements XMLHttpRequest according to the specs, the request/response will be treated as it would normally by the browser, i.e., encrypted for HTTPS.

Upvotes: 2
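
Added example (not part of the question or the answer, and not code from either poster): HTTPS protects a request only as far as the host named in the URL, and the question's code sends its request to a CORS proxy, so this sketch lists each hop of such a URL and whether it uses TLS. It assumes the proxy forwards to the absolute URL embedded in its path; `api.example.test` is a constructed placeholder for `baseRestURL`.

```javascript
// Added example. Reports which network hops of a request URL are covered by TLS,
// including a proxy-style URL built like the question's
// "https://cors-anywhere.herokuapp.com/" + baseRestURL + APIPath.
// Assumption: the proxy forwards to the absolute URL embedded in its path.

function tlsHops(requestUrl) {
    var outer = new URL(requestUrl);
    var hops = [{
        from: "browser",
        to: outer.host,
        encrypted: outer.protocol === "https:"
    }];

    // Path and query without the leading "/"; a proxied target starts with a scheme.
    var embedded = (outer.pathname + outer.search).slice(1);
    if (/^https?:\/\//i.test(embedded)) {
        var inner = new URL(embedded);
        hops.push({
            from: outer.host,
            to: inner.host,
            encrypted: inner.protocol === "https:"
        });
    }
    return hops;
}

function summarize(requestUrl) {
    var hops = tlsHops(requestUrl);
    return {
        hops: hops,
        // True only if every hop uses TLS.
        allEncrypted: hops.every(function (h) { return h.encrypted; }),
        // Every host that receives the request handles the body in the clear,
        // because TLS is terminated at each hop's destination.
        seesPlaintext: hops.map(function (h) { return h.to; })
    };
}

// Constructed sample URLs (api.example.test stands in for baseRestURL).
var samples = [
    "https://api.example.test/account/api/session",
    "https://cors-anywhere.herokuapp.com/https://api.example.test/account/api/session",
    "https://cors-anywhere.herokuapp.com/http://api.example.test/account/api/session"
];
samples.forEach(function (u) {
    console.log(u, JSON.stringify(summarize(u)));
});
```

For the proxied URLs the proxy host appears in `seesPlaintext`: the credentials in the POST body are encrypted on the wire but readable by the proxy, and the third sample leaves the proxy-to-API hop unencrypted.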
