Forum: Rails Spinoffs (closed, excessive spam) mixed http and https

Posted by delphi_mark (Guest)
on 2008-06-25 10:00
(Received via mailing list)
I am developing an online retail site and want to send payment
details using SSL. I have an SSL certificate and I believe I have it
successfully installed on my server.

I have javascript functions to send and receive every web action in my
isapi application. If I send the payment details using https I get a
Firefox error message as follows :-

Security Error: Content at http://www.mydomain.com/# may not load data from https://www.mydomain.com/video/video.dll/pay?vid=1....

The payment form is in a div inside the default page. Do I need to
send an http request and get a whole page back? I would have thought
the Prototype toolkit did support SSL.

Mark Horrocks
Posted by T.J. Crowder (Guest)
on 2008-06-25 10:19
(Received via mailing list)
Hi Mark,

You're right, Prototype has no problem with SSL.  The issue you're
running into is that you're loading data from a different origin via
XHR, which is a no-no.  More here:

http://en.wikipedia.org/wiki/Same_origin_policy

...but basically, http://www.mydomain.com and https://www.mydomain.com
are *not* the same origin from a security standpoint.  So you'll need
to use SSL for most (possibly all, depending) of the content related
to the payments, not just some of it.

Hope this helps,
--
T.J. Crowder
tj / crowder software / com
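
The origin comparison described in the reply above, as an added example that is not part of the original posts. The function names `originTuple` and `originMismatch` are hypothetical; the URLs are the ones quoted in the thread, with www.mydomain.com being the poster's placeholder.

```javascript
// Added example: the (scheme, host, port) comparison behind the same-origin
// check that blocked the XHR in this thread.

// Default ports, so http://host and http://host:80 compare as equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the tuple that defines a URL's origin.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL.port is "" when the port is the scheme's default.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// List which origin components differ between the page and the request
// target. An empty list means the request is same-origin.
function originMismatch(pageUrl, requestUrl) {
  const page = originTuple(pageUrl);
  // Resolve relative request URLs against the page, as the browser does.
  const target = originTuple(new URL(requestUrl, pageUrl).href);
  return ["scheme", "host", "port"].filter((k) => page[k] !== target[k]);
}

// URLs from the thread.
const page = "http://www.mydomain.com/#";
const pay = "https://www.mydomain.com/video/video.dll/pay?vid=1";

console.log(originMismatch(page, pay));                        // [ 'scheme', 'port' ]
console.log(originMismatch(page, "/video/video.dll/pay"));     // []
console.log(originMismatch("https://www.mydomain.com/", pay)); // []
```

Serving the page that hosts the payment form over https makes the list empty, which is the condition the browser requires before it lets the XHR through.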
Posted by delphi_mark (Guest)
on 2008-06-25 14:00
(Received via mailing list)
> to use SSL for most (possibly all, depending) of the content related
> to the payments, not just some of it.
>

Then if I just use http request (no prototype or javascript) to get a
response (just submit the form from its own action) and return a whole
page, would that work?
How can I solve this? I can't run my whole app under ssl.

Mark Horrocks
Posted by delphi_mark (Guest)
on 2008-06-25 15:10
(Received via mailing list)
I fixed this by just submitting my form in https without any
Javascript intervention. The page it returns then redirects to a non
secure page with a thank you message. Is this the best way to solve
this problem? Seems a bit of a klutz.

Mark Horrocks
Posted by Frederick Polgardy (Guest)
on 2008-06-25 15:27
(Received via mailing list)
What if you submitted the form from a hidden <iframe> and then have the
response call back into the main document?  That's how ajax file uploads
are implemented.

-Fred

On Wed, Jun 25, 2008 at 8:09 AM, delphi_mark <markhorrocks@yahoo.com> wrote:

>
> I fixed this by just submitting my form in https without any
> Javascript intervention. The page it returns then redirects to a non
> secure page with a thank you message. Is this the best way to solve
> this problem? Seems a bit of a klutz.


--
Science answers questions; philosophy questions answers.