Https page makes Http request using CORS
Reading the CORS specification , it states [abridged]:
... that user agents are allowed to complete the algorithm rather than request it. This can be done, for example, for example:
...
- https to http is not allowed.
...
This is similar to the behavior in Chrome, however I have not found any reference to this behavior in the documentation of the various browser vendors.
For performance reasons, we want to make an http request from an https page for specific content. This is a completely different domain request with the correct CORS headers to make HTTP requests (which work fine http-> http).
Are there headers that can be configured so that https -> http? It seems reasonable to disallow mixed mode on one domain / subdomains, but cross-domain seems to be more protective, especially if the other domain usually allows http.
I imagine a preflight check 'or' simple request 'if it didn't have HSTS or similar.
source to share
No one has answered this question yet
Check out similar questions: