Cross domain request from HTTP to HTTPS aborts immediately


Problem description


I'm trying to make Cross-Domain webservice calls from an HTTP page to an HTTPS service.

I have set up the proper CORS headers on the server (it works with HTTP-HTTP and HTTPS-HTTPS).

It does work if I change the requests to JSONp.

What I'm seeing in Chrome and Firefox is the HTTPS request is never sent, it's immediately aborted, and the server never sees the request.

It is worth noting that the preflight OPTIONS request is aborted (and it doesn't reach the server).

I can't find any source that explains that this is indeed not possible (HTTP to HTTPS) and better yet: explains why. I can understand HTTPS to HTTP is unsafe, but the other way around should be fine right? It seems silly to me because JSONp works (but it's messy).

Notes

I also have withCredentials set to true and I'm sending some custom headers and a custom Content-Type: application/json

I'm using the regular XMLHTTPRequest with fallbacks to JSONp for IE<=9

Solution

Ok, I figured it out. The certificate I'm using for the HTTPS domain is self-signed and unverified. Adding it to the list of trusted third-party authorities fixed it for me.

You can install the certificate in Windows 7 through IE. This worked for me: http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA%5B1-25%5D (post by zacharysyoung, 2/11/09). Make sure you run IE(9) as administrator or the install will fail even though it says it installed it correctly.

  1. Open Internet Explorer (IE) and navigate to the site hosting the self-signed certificate.
  2. IE should display a page warning that, 'There is a problem with this web site's security certificate.'
  3. Click the, 'Continue to this website (not recommended)' link.
  4. Once the page has loaded, look to the right of the address bar. A red/pink button, labeled 'Certificate Error,' should be visible. Click that button.
  5. A pop-up, titled 'Untrusted Certificate,' will appear. Click the 'View certificates' link at the bottom of the pop-up.
  6. Another pop-up, titled 'Certificate,' will appear. Click the 'Install Certificate...' button.
  7. The 'Certificate Import Wizard' will be started. Click the 'Next' button.
  8. ** For XP:
     a. Leave 'Automatically select the certificate...' option selected, and click the 'Next' button.
     ** For Vista:
     a. Choose 'Place all certificates in the following store' option, and click the 'Browse' button.
     b. Click the 'Show physical stores' checkbox.
     c. Expand the 'Third-Party Root Certification Authorities' folder, and choose 'Local Computer'. Click the 'OK' button.
     d. Click the 'Next' button.
  9. This should display the 'Completing the Certificate Import Wizard' dialog. Click the 'Finish' button.
  10. A 'Security Warning' pop-up will appear. The warning is informing you that the certificate's origin cannot actually be validated. You should know where the certificate is coming from. If you do, click the 'Yes' button to install the certificate.
  11. A final pop-up informing you that, 'The import was successful,' will be displayed. Click the 'OK' button.
  12. Restart/Open Chrome and navigate to the site in question. You should not be greeted by the security warning page.

Aside from that, I think I may have discovered a bug in Chrome. See: https://code.google.com/p/chromium/issues/detail?id=141839
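
The import steps above can also be scripted. The following PowerShell is an added example, not part of the original answer or the quoted forum post: it checks whether Windows already trusts the certificate the HTTPS service presents, compares its thumbprint with one obtained out of band, and only then adds it to the Third-Party Root Certification Authorities store of the local computer. The host name and expected thumbprint are placeholders, and the script assumes an elevated session.

```powershell
# Added example: scripted equivalent of the IE import steps. Run from an elevated prompt.
param(
    [string]$HostName = 'api.example.test',   # placeholder: host of the HTTPS service
    [int]$Port = 443,
    # placeholder: thumbprint received from the server owner through a separate channel
    [string]$ExpectedThumbprint = '<THUMBPRINT-OBTAINED-OUT-OF-BAND>'
)

# 1. Read the certificate the server presents. The callback accepts any certificate
#    because this connection is used for inspection only; no data is exchanged over it.
$inspect = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspect)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $ssl.RemoteCertificate
} finally {
    $tcp.Close()
}

# 2. Ask Windows whether the chain builds to a trusted root. An untrusted chain is
#    the condition under which the browser aborts the request before it is sent.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed cert has no revocation data
if ($chain.Build($cert)) {
    Write-Output "Already trusted: $($cert.Subject)"
    return
}
$reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
Write-Output "Not trusted ($reasons): $($cert.Subject)"
Write-Output "Presented thumbprint: $($cert.Thumbprint)"

# 3. Import only if this is the certificate you expect ("you should know where
#    the certificate is coming from"). -ne compares case-insensitively.
if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    throw 'Thumbprint does not match the expected value; certificate not imported.'
}

# 4. 'AuthRoot' under LocalMachine is the store the wizard labels
#    "Third-Party Root Certification Authorities" / "Local Computer".
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('AuthRoot', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }
Write-Output 'Imported. Restart the browser and retry the cross-domain request.'
```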
