JavaScript / Greasemonkey: preventing Firefox security warning when submitting form from secure page
I am writing a Greasemonkey script to connect two internal web pages. One is SSL and the other is insecure and only accessible through a POST request. If I create a hidden form on a secure page and submit it via onclick() in <a>, it works fine, but FF gives a warning:
"Although this page is encrypted, the information you entered must be sent over an unencrypted connection and can be easily read by a third party. Are you sure you want to continue sending this information?"
An unsecured page cannot be accessed over SSL, and another cannot be accessed without it, and I cannot change the server =\. Is there a way to avoid this warning by doing some kind of JavaScript / Greasemonkey redirect magic? Thanks!
EDIT. The alert cannot be turned off (for pretty good reasons, as it is difficult to determine if what you are about to send is safe otherwise). I'm mainly wondering if there is a way to POST in JavaScript without looking like you are submitting a form.
This can be done by executing GM_xmlhttpRequest, e.g.:

    GM_xmlhttpRequest({
        method: 'POST',
        url: 'http://your.insecure.site.here',
        onload: function(details) {
            // look in the JavaScript console
            GM_log(details.responseText);
            /* This function will be called when the page (url)
               has been loaded. Do whatever you need to do with the remote page here. */
        }
    });

API / more info here: GM_xmlhttpRequest wiki
I appreciate that this answer won't be very helpful for the original poster. They seem to have a good understanding of the security situation that this warning covers. I post anyway because I've seen many calls for this warning message to be completely suppressed with little understanding of the implications. This is also a little off topic from the original post-programming context, but from other answers that seem to think this warning message is not very helpful, I think it is important that people understand the reasoning and security situation behind decisions not to allow this warning to be suppressed under any circumstances.
In the specific case of the original message, it may well be appropriate to ignore the error message, provided the information that is POSTED is insensitive. Otherwise, the privacy of the POST data is clearly unacceptable, and Mozilla users are correct in insisting that this particular message can never be disabled under any circumstances.
Otherwise, people could create horribly bad forms that would LET your credit card details or other sensitive information appear on the insecure Internet without warning. Since this sensitive information travels over the Internet, it almost certainly travels through networks controlled by people with whom you would not want to share this sensitive information. Hence the warning. Remove it, or let it be always ignored, and you compromise the reliability of SSL, TLS, and HTTPS that people used to rely on for e-commerce, etc.
If you doubt that people will be incompetent enough to create such forms, I bought a site that does just that less than an hour ago. At least Firefox warned me about this and I could pass the problem on to the site owner.
Let it be very clear here. The problem lies with the site owners, NOT the Firefox or Mozilla development team. As I said, it is sometimes wise to send POST data to a mailbox from a secure site, but it is impossible to tell when this happens without human intervention. This is why this message cannot be suppressed through general policy and should not be.
It might be advisable to add a specific exception to a specific form identified by a URI, as the user can identify that all information in the form is insensitive, provided that the information entered into the form does not change, however AFAIK the Mozilla team did not.
I noticed that many people confuse this warning message with the mixed HTTP and HTTPS content warning, which is a very different situation, but unfortunately a very similar warning message is presented. In this situation, some content on the page is protected by HTTPS and some is not. This is not a problem for casual web surfing, and it is okay, for example, to protect content with unprotected ads in it, like the MSDN example mentioned in the answers.
But HTTPS not only protects the privacy of web pages, but also protects the integrity by providing reassurance that no one has changed data in transit. Therefore, if you need reassurance that ALL the web pages you are viewing have not been interfered with, you need this stronger guarantee and should not disable the mixed content warning, at least for your sensitive pages.
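The condition behind this warning, a form on an HTTPS page whose action resolves to an http:// target, can be checked mechanically by a site owner. The following is an added example, not code from any of the answers; the function names, hosts and form data are constructed for illustration, and the sensitivity heuristic (password inputs and payment/password autocomplete hints) is an assumption.

```javascript
// Added example: flag forms on an HTTPS page that would submit over plain HTTP.
// Forms are plain objects so this runs in Node; in a browser, build them from document.forms.
const SENSITIVE_AUTOCOMPLETE = /^(cc-|current-password|new-password)/;

function isSensitiveField(field) {
  const type = (field.type || 'text').toLowerCase();
  const hint = (field.autocomplete || '').toLowerCase();
  return type === 'password' || SENSITIVE_AUTOCOMPLETE.test(hint);
}

function findInsecureFormTargets(pageUrl, forms) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // the warning only concerns secure pages
  const findings = [];
  for (const form of forms) {
    let target;
    try {
      // Resolve relative, protocol-relative and empty actions against the page URL.
      target = new URL(form.action || '', page);
    } catch (e) {
      continue; // unparsable action: nothing to resolve
    }
    if (target.protocol !== 'http:') continue;
    const sensitive = (form.fields || []).filter(isSensitiveField).map((f) => f.name);
    findings.push({
      id: form.id,
      target: target.href,
      method: (form.method || 'get').toUpperCase(),
      sensitiveFields: sensitive,
      // Without sensitive fields a human still has to judge the data, as the answer says.
      severity: sensitive.length > 0 ? 'high' : 'review',
    });
  }
  return findings;
}

// Constructed sample input (hypothetical hosts and field names).
const SAMPLE_FORMS = [
  { id: 'search', action: '/search', method: 'get', fields: [{ name: 'q', type: 'text' }] },
  { id: 'legacy', action: 'http://intranet.example/report', method: 'post',
    fields: [{ name: 'ticket', type: 'hidden' }] },
  { id: 'pay', action: 'http://shop.example/charge', method: 'post',
    fields: [{ name: 'card', type: 'text', autocomplete: 'cc-number' }] },
  { id: 'cdn', action: '//static.example/upload', method: 'post', fields: [] },
  { id: 'self', action: '', method: 'post', fields: [{ name: 'pw', type: 'password' }] },
];

const findings = findInsecureFormTargets('https://portal.example/account', SAMPLE_FORMS);
for (const f of findings) console.log(f.severity, f.id, f.method, f.target, f.sensitiveFields);
```

Only the two forms with an explicit http:// action are reported; the relative, protocol-relative and empty actions inherit the page's HTTPS scheme.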
This is a browser configuration setting that cannot (or should not) be changed from JavaScript.
If only the script is to be used by more than one user, Tools -> Options -> Security. You can click on the settings to display which warning messages are displayed. Please note that this currently affects all sites, not just your internal system.