4

I already have a working modal login dialog. The problem is that if the origin page is loaded via http I still want to pass credentials to the server via https. And of course I want to do this with as little rewriting of working code as possible.

I cannot use JSONP for my case because login data is passed to server via POST AJAX request.

Any ideas?

DixonD

3 Answers

2

The Same Origin Policy makes this impossible (at least in browsers which don't support cross domain XHR, which is enough).

(And since the host document is served over HTTP it is subject to interception and alteration on the wire, which would make the data vulnerable even if it was transported over SSL)

Quentin
0

Please note that according to the Same-origin policy it should not be possible, as you're trying to post non-secured credentials to a secured page. And if the login landing page is not using SSL, then an attacker could modify the page as it is sent to the user and change the form submission location or insert JavaScript which steals the username/password as it is typed. So the login landing page must use SSL.

To illustrate, the following table gives an overview of typical outcomes for checks against the URL "http://www.example.com/dir/page.html".

Compared URL                              Outcome   Reason
http://www.example.com/dir/page2.html     Success   Same protocol and host
http://www.example.com/dir2/other.html    Success   Same protocol and host
http://u:pass@www.example.com/x/o.html    Success   Same protocol and host
http://www.example.com:81/dir/other.html  Failure   Same protocol and host but different port
https://www.example.com/dir/other.html    Failure   Different protocol
http://en.example.com/dir/other.html      Failure   Different host
http://example.com/dir/other.html         Failure   Different host (exact match required)
http://v2.www.example.com/dir/other.html  Failure   Different host (exact match required)
http://www.example.com:80/dir/other.html  Depends   Port explicit. Depends on implementation in browser.

Unlike other browsers, Internet Explorer does not include the port in the calculation of the origin, using the Security Zone in its place.


How to relax the same-origin policy

In some circumstances the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains. Here are four techniques for relaxing it:


If you really want to do that, it is possible, but you need to make sure that the public key certificate of your website has been verified by a certification authority, so that it is valid.

If it is not, you may try to add your certificate to the white list in your web browser. Or try with different web browsers.

Alternatively, you can make sure that users are always on secure pages when being presented with the login form, or disable the modal form for login forms.

Other workarounds include adding a rewrite rule that forwards non-secured traffic to SSL, e.g.

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on
  # Force <front> to ssl for modal use of secure log in module.
  # RewriteRule matches only the URL path (not "http://host/..."), so the
  # scheme is tested with RewriteCond and the empty front-page path is
  # redirected to the https origin.
  RewriteCond %{HTTPS} off
  RewriteRule ^$ https://www.example.net/ [R=301,L]
</IfModule>

See also:

kenorb
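The origin comparison behind the table in the answer above, written out as a runnable check. This is an added example and not code from any of the answers; it uses the WHATWG URL parser that browsers and Node.js ship, and it assumes the "Depends" row (explicit default port :80) is treated as same-origin, which is what WHATWG-conformant parsers do by dropping the default port. The table rows are embedded as constructed test data, and the last function models the asker's situation: an http page trying to POST a login to the same host over https.

```javascript
// Added example (not part of any answer on this page): the same-origin check
// as a (scheme, host, port) tuple comparison, run over the rows of the table
// above. Uses the WHATWG URL parser that browsers and Node.js both ship.

// Reference URL from the table.
const BASE_URL = "http://www.example.com/dir/page.html";

// Origin tuple of a URL. The parser strips userinfo ("u:pass@") and drops a
// default port (80 for http, 443 for https), so both are normalized away
// before comparison. Assumption: the explicit ":80" row is same-origin,
// which is the WHATWG behaviour (the table marks it "Depends").
function originTuple(urlString) {
  const u = new URL(urlString);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

// Two URLs share an origin only if all three components are equal.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed test data: the table rows with the outcome the table lists
// (true = Success, false = Failure).
const TABLE_ROWS = [
  ["http://www.example.com/dir/page2.html", true],
  ["http://www.example.com/dir2/other.html", true],
  ["http://u:pass@www.example.com/x/o.html", true],
  ["http://www.example.com:81/dir/other.html", false],
  ["https://www.example.com/dir/other.html", false],
  ["http://en.example.com/dir/other.html", false],
  ["http://example.com/dir/other.html", false],
  ["http://v2.www.example.com/dir/other.html", false],
  ["http://www.example.com:80/dir/other.html", true], // "Depends" row, see note above
];

// Evaluate every row and report where the computed outcome differs from the table.
function checkTable(rows = TABLE_ROWS, base = BASE_URL) {
  return rows.map(([url, expected]) => {
    const actual = sameOrigin(base, url);
    return { url, expected, actual, matches: actual === expected };
  });
}

// The asker's situation: an http page trying to XHR a login POST to the same
// host over https. Only the scheme differs, but that alone makes it cross-origin.
function loginPostIsSameOrigin(pageUrl, loginUrl) {
  return sameOrigin(pageUrl, loginUrl);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkTable()) {
    console.log(`${r.matches ? "ok  " : "FAIL"} ${r.url} -> ${r.actual ? "Success" : "Failure"}`);
  }
  console.log("http page -> https login same-origin?",
    loginPostIsSameOrigin("http://www.example.com/index.html", "https://www.example.com/login"));
}
```

The point for the question: the http page and the https login endpoint differ in exactly one tuple component, the scheme, and that is enough for the browser to refuse the plain XHR. Redirecting the whole page to https (as the other answers suggest) makes both tuples identical and removes the problem, and it is also the only way to stop the login form itself being tampered with on the wire.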
0

Just out of curiosity, why don't you force the user to a secure page to begin with? We had a similar issue a while back, so now we force the user to https (via redirect) as soon as they hit our page.

Dutchie432