JavaScript
Symbi0t, 2014-12-23 13:26:18

CORS. Sending a request with https. Why doesn't it work?

Greetings.
The problem is this: when you try to send a request to the address site.com, the browser immediately responds:

Заблокирована загрузка смешанного активного содержимого «http://site.com»

I read about this problem and found out that it is solved by cutting off the protocol, i.e. you need to send the request like this:
//site.com
But after that another problem appeared. When the request is sent from http, everything goes fine, but when it is sent from https, the browser writes:
Запрос из постороннего источника заблокирован: Политика одного источника запрещает чтение удаленного ресурса на https://www.site.com. Это может быть исправлено путем перемещения ресурса в тот же домен или включением CORS.

Moving the resource to the same domain is not an option. And CORS is definitely enabled; the headers are set on the server:
header('Access-Control-Request-Method: *');
header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);
header('Content-Type: Application/json');


I do not understand why there is a problem when sending from the https protocol.

2 answer(s)
egor_nullptr, 2014-12-23
@egor_nullptr

The Access-Control-Allow-Origin header should not be * in this case.
Example for PHP:

header('Access-Control-Allow-Origin: ' . $_SERVER['HTTP_ORIGIN']);

Symbi0t, 2015-01-20
@Symbi0t

Figured out the root of the problem. It turned out that sending a request from https to http is prohibited by the specification.
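
The two browser checks that come up in this thread, modelled as an added example that is not part of the original posts: mixed-content blocking for an https page calling an http URL, and the CORS read check that applies once the target is resolved. The host `app.example` and all function names are assumptions, and the model covers only simple requests without credentials.

```javascript
// Simplified model of the two browser checks discussed in this thread.
// app.example is a constructed page host; site.com is the thread's placeholder.

// Resolve the request target the way the browser does, so a
// protocol-relative "//site.com" inherits the scheme of the page.
function resolveTarget(pageUrl, target) {
  return new URL(target, pageUrl);
}

// Mixed active content: a page loaded over https requests an http resource.
function isMixedContent(pageUrl, targetUrl) {
  return new URL(pageUrl).protocol === 'https:' && targetUrl.protocol === 'http:';
}

// CORS read check for a simple request without credentials: the response
// must carry Access-Control-Allow-Origin equal to "*" or the page's origin.
function corsAllowsRead(pageUrl, targetUrl, responseHeaders) {
  const origin = new URL(pageUrl).origin;
  if (origin === targetUrl.origin) return true; // same origin: no CORS check
  const allow = responseHeaders['access-control-allow-origin'];
  return allow === '*' || allow === origin;
}

// Mixed content is checked first: the request never leaves the browser,
// so no response header from the server can make it succeed.
function classify(pageUrl, target, responseHeaders = {}) {
  const url = resolveTarget(pageUrl, target);
  let verdict = 'allowed';
  if (isMixedContent(pageUrl, url)) verdict = 'blocked: mixed content';
  else if (!corsAllowsRead(pageUrl, url, responseHeaders)) verdict = 'blocked: CORS';
  return { url: url.href, verdict };
}

// Constructed cases: [page, target, headers the target's response carries].
const cases = [
  ['https://app.example/', 'http://site.com', { 'access-control-allow-origin': 'https://app.example' }],
  ['http://app.example/', '//site.com', { 'access-control-allow-origin': 'http://app.example' }],
  ['https://app.example/', '//site.com', {}],
  ['https://app.example/', '//site.com', { 'access-control-allow-origin': 'https://app.example' }],
];
for (const [page, target, headers] of cases) {
  const { url, verdict } = classify(page, target, headers);
  console.log(`${page} -> ${url}: ${verdict}`);
}
```

In the third case the protocol-relative URL resolves to the https endpoint, so it is that endpoint's response that has to carry the CORS headers.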
