I am writing a 'Content Script' based extension for Chrome that works on GMail (HTTPS). It needs to access a web service on our website, which is currently on HTTP only. Other than getting an SSL, is there any alternative to get an AJAX GET/POST call working between these two?
I think you can : https://developer.chrome.com/extensions/xhr
But be aware that without https someone can see and change everything your extension send or receive with your website.
You should implement https as soon as possible to avoid any security issue.
Related
I have a Flutter Web application that I have deployed on Firebase Hosting.
I have a Django backend that I have deployed on an EC2 instance and is running on http.
I have CORS enabled in the backend, tried accessing endpoints via browsers and it works just fine.
But, when I try to make the same call using FlutterWeb, it fails.
And error type of blocked:mixed content appears. (See image below)
I want to call those HTTP endpoints and I don't want an SSL certificate mess because this is just a college project. How do I fix this?
I am using Dio on Flutter Web to make requests. What would be causing this problem?
EDIT:
I am using Firebase's spark plan, obviously since it's a college project. Do I need to upgrade to the blaze plan to enable Egress traffic? If so, how do I make sure that I won't be heavily charged? Any suggestions? UPDATE: I tried the blaze plan and got the same issue.
The console says
Mixed Content: The page at
'https://xxx.web.app/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint
'http://xxxx.compute-1.amazonaws.com:8000/menu'. This
request has been blocked; the content must be served over HTTPS.
Any way to bypass this?
I have a webservice which is hosted on api server and application on app server which have url's like https://webservice.test.com/ for webservice server and https://app.test.com/ for application.
In application we get live data from database using several service we developed on webservice server using CORS http request.
In some service like login we have passed custom header x-auth-token from server.
Above is the screen shot of response we have got in Google Chrome for the request. The Custom header shown in last is available in application when we use it in chrome or Mozilla. The same response we got in Safari too, x-auth-token also available in response when we check in headers but can't able to read it through code.
Finally, after a lot of search i got answer for my problem, Custom headers from CORS http request can be read only in Safari for latest webkit version i.e above 537. I have checked in all safari browser which is above this webkit version will provide me cusom header value. And similarly in chrome if webkit is less than 537 version you can't able to read it.
Maybe this answer on github could helpa bit : https://github.com/angular/angular.js/issues/6254
I work on a project which make ajax query to a webservice so I use fiddler to see JSON responses.
But I have encounter troubles using Fiddler. When I launch it on my laptop, Dropbox can't synchronize my files anymore but I can debug my ajax requests. The real problem is when I use Fiddler on my desktop computer, all my requests to my WebService are blocked. My WebService runs on localhost.
I don't understand how it works, can you help me?
Dropbox connections don't work because that application uses a feature called "Certificate Pinning" that reject's Fiddler's HTTPS interception certificate. Why this happens is discussed in the Fiddler book, but you can configure Fiddler not to decrypt dropbox.exe's connections which resolves the issue.
To avoid blocking DropBox App traffic while Fiddler is running, you can use Tools > Fiddler Options > HTTPS to either only decrypt Browser traffic or you can configure Fiddler not to decrypt traffic to *.dropbox.com.
The issue with your "WebService" is almost certainly completely unrelated. You need to be far more specific for anyone to help: What is the client? What is the service written in? What do you see in Fiddler when this happens?
I have an ASPX page. When the page is loaded there is code in the code behind that uses an API. The API makes an HTTPS call out to a third party, commercial web service. I am trying to troubleshoot why the API calls are not working properly. Apparently the API actually constructs an XML request that is sent out over HTTPS to the web service. I've been told by the support rep that I need to provide them with the XML that is being sent. The only way I can figure out how to get the XML is to use a tool like Fiddler to see what is being sent out. So how can I use Fiddler to see the contents of the XML request that is being sent from the server out to the web service? I am running everything directly on the server but all I am seeing is the GET request for the ASPX file itself. I am not seeing anything in relation to the HTTPS request that the server code is sending out to the web service. I have not used Fiddler much so I am hoping that maybe I just don't have it set up right to monitor that traffic.
Corey
After mucking around with it a bit I found this post: Why isn't fiddler capturing request when invoking XMLRPC from iis?. That seemed to do the trick! Basically it sounds like the default proxy settings in Win7 are on a per user basis. So I went in and changed the identity of the AppPool for my site to a local user (Administrator) and then it worked great. I started up Fiddler. Then I started up my ASP.NET app and then when I loaded the page I saw the request that went out to the web service from my code behind! Yay!
I have created an Axis2 web service from Netbeans and deployed it successfully in Tomcat 6 on my web server.
When I use for instance SoapUI or Taverna to consume the web service, the server offers both HTTP and HTTPS methods to invoke it. However, using the HTTPS method renders a 404 error. (Probably because there is a server admin panel running on port 8443, but that doesn't matter right now.)
The problem is that my web service clients default to using the HTTPS service. I figured the simplest thing I could do to get the basic service to work, would be to disable the HTTPS endpoint, as the HTTP version runs flawlessly and I don't need the added security. But now I've spent hours on finding out how to do that, without success. The WSDL returned by Axis2 contains entries for HttpsSoap11Endpoint but the WSDL that's bundled in my .AAR file after the build does not.
Does anybody know how to make Axis2 offer just HTTP endpoints?
In axis2.xml, comment out the https transport receiver to disable the HTTPS endpoint.