I have this bit of JavaScript that is just grabbing an ID off a website and passing it to another PHP script on a separate domain:
javascript is on:
and is going to
This was more or less working; I had to work a previous cross-site solution that now seems not to be honored on Firefox 23 and IE10.
The previous solution was using something like this:
    var isIE10 = false; // this is because stupid IE10 now does not work with the window.XDomainRequest
    /*@cc_on
    if (/^10/.test(@_jscript_version)) {
        isIE10 = true;
    }
    @*/
    console.log(isIE10);
    var isIE8 = window.XDomainRequest ? true : false;
    var invocation = createCrossDomainRequest();

    function createCrossDomainRequest(url, handler)
    {
        var request;
        if ((isIE8) && (!isIE10)) // tried to hack my own isIE10 fix, didn't work
        {
            request = new window.XDomainRequest();
        }
        else
        {
            request = new XMLHttpRequest();
        }
        return request;
    }

    function callOtherDomain()
    {
        if (invocation)
        {
            if ("withCredentials" in invocation) // was taking a stab in the dark with this.
            {
                invocation.onload = outputResult;
                invocation.open("GET", url, true);
                invocation.send();
            }
            else if (isIE8)
            {
                invocation.onload = outputResult;
                invocation.open("GET", url, true);
                invocation.send();
            }
            else
            {
                invocation.open('GET', url, true);
                invocation.onreadystatechange = handler;
                invocation.send();
            }
        }
        else
        {
            var text = "No Invocation TookPlace At All";
            var textNode = document.createTextNode(text);
            var textDiv = document.getElementById("textDiv");
            textDiv.appendChild(textNode);
        }
    }

    function handler(evtXHR)
    {
        if (invocation.readyState == 4)
        {
            if (invocation.status == 200)
            {
                outputResult();
            }
            else
            {
                alert("Invocation Errors Occured " + invocation.status + " state: " + invocation.readyState);
            }
        }
    }

    function outputResult()
    {
        var response = invocation.responseText;
        // get JSON of response
        var obj = JSON.parse(response);
        var mtype = obj.messagetype;
        var output = obj.message;
        var url = obj.url;
        if (mtype == "error")
        {
            parent.location = url;
        }
        else if (mtype == "warning")
        {
            var answer = confirm(output);
            if (answer)
                parent.location = url;
        }
        //var textDiv = document.getElementById("textDiv");
        //textDiv.innerHTML += response;
    }

    callOtherDomain();

So I am not sure what is going on here. On Firefox 23 I get an error in the console:
Blocked loading mixed active content "http://theotherwebsite.edu"
I know this is because the main script is loaded on https, vs http. But it was not caring before. I am also aware that this error puts a shield up in the address bar of Firefox where the user can tell it to enable the blocked content. This is not an acceptable solution for me. Also, if I put my silly little PHP script under https, that is a certificate I need too?
Then IE10 just doesn't work:
SCRIPT5: Access is denied.
landing, line 64 character 421
So I am not sure what I need to do to get my code working again. Having the user adjust the browser isn't feasible because this is distributed enterprise-wide. It was for a nag screen to let them know to change their password based on some LDAP entry that the PHP file accesses with the ID passed from the website via Ajax.
I was doing some googling but found nothing; the most I found was the PHP handle to make the website, I guess, CORS compatible:
    <?php
    header('Access-Control-Allow-Origin: *');
Which I implemented originally as well. So not sure what to try or where to look next? It is a simple JSON string that comes back, can I try the preflight method as described here:
http://ppe.blogs.msdn.com/b/ie/archive/2012/02/09/cors-for-xhr-in-ie10.aspx
??? If I do, I am not sure what the headers should look like.
I was going to post the Firefox 23 response header, but it never makes the request as it straight up blocks the loading of mixed active content. So I guess I have two issues to contend with: one is that the JavaScript lives on https and makes a call to http. This might be my only issue in Firefox; I am not 100% sure if I would have cross-site issues.
In IE10 the network request header is never found, and I am looking inside the F12 key pressed area in IE10, under Network, and I click start capturing before I load the page with the XHR call.
So I guess I am asking: what changed in Firefox 23 and IE10 to not let my code work anymore?
Firefox 23+ will block what they call "active mixed content". That is: Content hosted at a non-secure (http) location that is requested from a secure webpage (https). "Active" in this context essentially means everything that is not a media type (not an image, audio or video resource). This is to prevent man-in-the-middle attacks that would use non-secure sub-requests to get into secure pages.
For more information see the Mixed Content article on MDN.
As the request is blocked before even hitting the network, there won't be any response headers/data.
Not sure about IE10, but their documentation seems to indicate they block such requests for the same reasons, saying:
Cross-domain, cross-port, and mixed protocol requests are not allowed.
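
The rule described in the answer above can be expressed as a small classifier. This is an added example, not code from the original question or answer; the function name `classifyRequest`, the `kind` labels and the verdict strings are hypothetical, and it models only the Firefox 23 behaviour the answer describes.

```javascript
// Added example: classify a sub-request the way the answer describes
// Firefox 23+ treating it. Names and verdict strings are illustrative only.

// Resource kinds the answer treats as NOT "active" (media types).
const PASSIVE_KINDS = new Set(["image", "audio", "video"]);

/**
 * @param {string} pageUrl   URL of the page that runs the script
 * @param {string} targetUrl URL being requested (absolute or relative)
 * @param {string} kind      "xhr", "script", "image", "audio", "video", ...
 */
function classifyRequest(pageUrl, targetUrl, kind) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl, page); // resolves relative targets too

  // URL.origin is scheme + host + port with default ports normalised,
  // so https://a.example:443 and https://a.example compare equal.
  const crossOrigin = page.origin !== target.origin;

  // Mixed content: secure (https) page, non-secure (http) sub-request.
  let mixed = "none";
  if (page.protocol === "https:" && target.protocol === "http:") {
    mixed = PASSIVE_KINDS.has(kind) ? "passive" : "active";
  }

  let verdict;
  if (mixed === "active") {
    // Blocked before hitting the network: no response headers exist,
    // so no Access-Control-Allow-Origin value can help here.
    verdict = "blocked-before-network";
  } else if (crossOrigin && kind === "xhr") {
    // The request is sent; the response must carry CORS headers.
    verdict = "needs-cors-headers";
  } else {
    verdict = "allowed";
  }
  return { crossOrigin, mixed, verdict };
}
```

Calling it with an https page and an http XHR target reproduces the situation in the question: the verdict is `blocked-before-network`, which is why no response headers could be captured.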