Individual XmlHttpRequest requests over HTTPS??

Discussion in 'Javascript' started by bizt, May 29, 2008.

  1. bizt

    bizt Guest

    Hi,

    I have a page that makes many XmlHttpRequest requests from a single
    page. This works fine but I need some requests to be made over a
    secure connection. To my understanding, when setting the location of
    the path to the file to fetch during the XmlHttpRequest request it has
    to be the path relative to the web page such as /secret.php and
    NOT a full URL such as https://www.example.com/secret.php .. is this
    about the general idea?? Would I be correct in saying that the only
    way I can make secure requests is by making the whole page HTTPS?? The
    only problem for me with this is that every transfer from the server
    (images, non-private data, etc) would have to be over HTTPS which puts
    some excess strain at the backend when only a small portion of data
    needs to be protected.

    Can anyone make any suggestions that might help me solve this issue?
    Thanks

    Burnsy
     
    bizt, May 29, 2008
    #1

  2. bizt

    Henry Guest

    No, the URL used with XML HTTP request objects may be absolute or
    relative.
    Yes, but not for any reason related to the form of the URL, but rather
    because a page originating from one domain may not make XML HTTP
    requests to another domain (and http: and https: domains cannot be the
    same domain).
    Yes, there is an overhead in HTTPS.
    It is going to be important to encourage the client-side caching of
    everything that can be (safely) cached, such as images and JS files.
    Over an HTTPS connection the browser is very likely to default to
    considering everything it receives as 'private' (and so non-cacheable
    (which makes sense if a secure protocol is in use)) unless it receives
    HTTP headers that positively assert otherwise.
     
    Henry, May 29, 2008
    #2

  3. However, since XHR does not allow accessing another domain from within the
    sandbox, the set of reasonable uses of (absolute) URIs (in contrast to
    relative URI-references, commonly called "relative URIs") there is rather
    limited.
    http: and https: domains can be the same domain, of course. However, the
    Same Origin Policy considers them to be of different origin even if the
    domain is the same, because at least the URI scheme (and so supposedly, here
    actually, the transfer protocol) is not.


    PointedEars
     
    Thomas 'PointedEars' Lahn, May 30, 2008
    #3
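The origin comparison discussed in replies #2 and #3, as an added example that is not part of the original thread: it resolves an XHR target against the page URL the way a browser does and reports which parts of the origin tuple differ. The function names and all URLs are constructed for illustration.

```javascript
// Added example: same-origin comparison for XHR targets.
// Function names are hypothetical; URLs are constructed samples.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple the Same Origin Policy compares.
function originTuple(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // An omitted port means the scheme's default port.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Resolve a relative or absolute XHR target against the page URL and
// report whether the request stays in the page's origin and whether
// it would travel over HTTPS.
function classifyRequest(pageUrl, target) {
  const resolved = new URL(target, pageUrl); // relative targets inherit the page's scheme
  const page = originTuple(pageUrl);
  const dest = originTuple(resolved.href);
  const differs = ["scheme", "host", "port"].filter((k) => page[k] !== dest[k]);
  return {
    resolved: resolved.href,
    sameOrigin: differs.length === 0,
    differs,
    encrypted: dest.scheme === "https:",
  };
}

// Constructed cases: the same targets from an HTTP page and an HTTPS page.
const cases = [
  ["http://www.example.com/index.html", "/secret.php"],
  ["http://www.example.com/index.html", "https://www.example.com/secret.php"],
  ["http://www.example.com/index.html", "http://www.example.com:80/secret.php"],
  ["https://www.example.com/index.html", "/secret.php"],
];
for (const [page, target] of cases) {
  const r = classifyRequest(page, target);
  console.log(`${page} -> ${target}: sameOrigin=${r.sameOrigin}, ` +
    `encrypted=${r.encrypted}, differs=[${r.differs.join(", ")}]`);
}
```

From the HTTP page, the relative path stays same-origin but unencrypted, while the absolute https: URL is encrypted but cross-origin; only the HTTPS page gets both.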