Cross domain request from HTTP to HTTPS aborts immediately


Problem description


I'm trying to make Cross-Domain webservice calls from an HTTP page to an HTTPS service.

I have set up the proper CORS headers on the server (it works with HTTP-HTTP and HTTPS-HTTPS).

It does work if I change the requests to JSONp.

What I'm seeing in Chrome and Firefox is the HTTPS request is never sent, it's immediately aborted, and the server never sees the request.

It is worth noting that the preflight OPTIONS request is aborted (and it doesn't reach the server).

I can't find any source that explains that this is indeed not possible (HTTP to HTTPS) and better yet: explains why. I can understand HTTPS to HTTP is unsafe, but the other way around should be fine right? It seems silly to me because JSONp works (but it's messy).

notes

I also have withCredentials set to true and I'm sending some custom headers and a custom Content-Type: application/json

I'm using the regular XMLHTTPRequest with fallbacks to JSONp for IE<=9

Solution

Ok, I figured it out. The certificate I'm using for the HTTPS domain is self-signed and unverified. Adding it to the list of trusted third-party authorities fixed it for me.

You can install the certificate in Windows 7 through IE. This worked for me: http://productforums.google.com/forum/#!topic/chrome/bds-Ao9LigA%5B1-25%5D (post by zacharysyoung, 2/11/09).

Make sure you run IE(9) as administrator or the install will fail even though it says it installed it correctly.

  1. Open Internet Explorer (IE) and navigate to the site hosting the self-signed certificate.
  2. IE should display a page warning that, 'There is a problem with this web site's security certificate.'
  3. Click the, 'Continue to this website (not recommended)' link.
  4. Once the page has loaded, look to the right of the address bar. A red/pink button, labeled 'Certificate Error,' should be visible. Click that button.
  5. A pop-up, titled 'Untrusted Certificate,' will appear. Click the 'View certificates' link at the bottom of the pop-up.
  6. Another pop-up, titled 'Certificate,' will appear. Click the 'Install Certificate...' button.
  7. The 'Certificate Import Wizard' will be started. Click the 'Next' button.
  8. For XP:
     a. Leave 'Automatically select the certificate...' option selected, and click the 'Next' button.

     For Vista:
     a. Choose 'Place all certificates in the following store' option, and click the 'Browse' button.
     b. Click the 'Show physical stores' checkbox.
     c. Expand the 'Third-Party Root Certification Authorities' folder, and choose 'Local Computer'. Click the 'OK' button.
     d. Click the 'Next' button.
  9. This should display the 'Completing the Certificate Import Wizard' dialog. Click the 'Finish' button.
  10. A 'Security Warning' pop-up will appear. The warning is informing you that the certificate's origin cannot actually be validated. You should know where the certificate is coming from. If you do, click the 'Yes' button to install the certificate.
  11. A final pop-up informing you that, 'The import was successful,' will be displayed. Click the 'OK' button.
  12. Restart/Open Chrome and navigate to the site in question. You should not be greeted by the security warning page.

Aside from that, I think I may have discovered a bug in Chrome. See: https://code.google.com/p/chromium/issues/detail?id=141839
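
The behaviour described in the question and answer, reproduced outside a browser as an added example that is not part of the original post: a Go client stands in for the browser, and the function `probe` and the origin `http://app.example.test` are constructed for illustration. With an untrusted certificate the TLS handshake fails before any HTTP is sent, so the preflight never reaches the handler; once the certificate is a trust anchor the same request goes through.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// probe sends one preflight-style OPTIONS request to a local HTTPS test server
// whose certificate is not in the system trust store. It returns the number of
// requests the handler saw and the client-side error, if any.
func probe(trustServerCert bool) (int64, error) {
	var hits int64
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		atomic.AddInt64(&hits, 1) // only reached after a successful TLS handshake
		w.Header().Set("Access-Control-Allow-Origin", "http://app.example.test")
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.WriteHeader(http.StatusNoContent)
	}))
	defer srv.Close()

	cfg := &tls.Config{} // nil RootCAs: verify against the system trust store
	if trustServerCert {
		// Equivalent of installing the certificate as a trusted root.
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(srv.Certificate())
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, err := http.NewRequest(http.MethodOptions, srv.URL, nil)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Origin", "http://app.example.test") // constructed origin
	req.Header.Set("Access-Control-Request-Method", "POST")
	resp, err := client.Do(req)
	if err == nil {
		resp.Body.Close()
	}
	return atomic.LoadInt64(&hits), err
}

func main() {
	for _, trusted := range []bool{false, true} {
		n, err := probe(trusted)
		fmt.Printf("cert trusted=%v requests seen by server=%d client error=%v\n", trusted, n, err)
	}
}
```

In the untrusted run the test server logs only a TLS handshake error on stderr, which matches the observation that the server never sees the request.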
