HTTP Ajax Request via HTTPS Page


I have a site with some pages on an HTTPS connection. From these HTTPS pages, I have to use an HTTP Ajax request for some error retrieval, like blank fields. But these error messages are not coming. Is there any solution to it, or do I have to make that AJAX request to a file on an HTTPS connection?

This is not possible due to the Same Origin Policy.

You will need to switch the Ajax requests to https, too.


Without any server-side solution, there is only one way in which a secure page can get something from an insecure page/request, and that's through postMessage and a popup.

I said popup cuz the site isn't allowed to mix content. But a popup isn't really mixing. It has its own window but is still able to communicate with the opener with postMessage.

So you can open a new http page and have it make the request for you (that is, if the site is using CORS as well).

XDomain came to mind when I wrote this, but here is a modern approach using the new fetch API. The advantage is the streaming of large files; the downside is that it won't work in all browsers.

You put this proxy script on any http page

onmessage = evt => {
  const port = evt.ports[0]

  // evt.data carries the arguments that the opener passed to xfetch()
  fetch(...evt.data).then(res => {
    // the response is not clonable
    // so we make a new plain object
    const obj = {
      bodyUsed: false,
      headers: [...res.headers],
      ok: res.ok,
      redirected: res.redirected,
      status: res.status,
      statusText: res.statusText,
      type: res.type,
      url: res.url
    }

    // first message: the response metadata
    port.postMessage(obj)

    // Pipe the request to the port (MessageChannel)
    const reader = res.body.getReader()
    const pump = () => reader.read()
    .then(({value, done}) => done 
      ? port.postMessage(done)
      : (port.postMessage(value), pump())
    )

    // start the pipe
    pump()
  })
}

Then you open a popup window in your https page (note that you can only do this on a user interaction event or else it will be blocked)

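window.popup = window.open('http://proxy.example/proxy.html') // placeholder URL of the http page hosting the proxy script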

create your utility function

function xfetch(...args) {
  // tell the proxy to make the request
  const ms = new MessageChannel
  popup.postMessage(args, '*', [ms.port1])

  // Resolves when the headers comes
  return new Promise((rs, rj) => {

    // First message will resolve the Response Object
    ms.port2.onmessage = ({data}) => {
      const stream = new ReadableStream({
        start(controller) {

          // Change the onmessage to pipe the remaining request
          ms.port2.onmessage = evt => {
            if (evt.data === true) // Done?
              controller.close()
            else // enqueue the buffer to the stream
              controller.enqueue(evt.data)
          }
        }
      })

      // Construct a new response with the 
      // response headers and a stream
      rs(new Response(stream, data))
    }
  })
}

And make the request like you normally do with the fetch API

xfetch('http://api.example/data') // placeholder http URL
  .then(res => res.text())
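An added example, not part of the original answer: the proxy script above fetches whatever URL any window posts to it, and the opener posts with target origin `'*'`. One way to constrain both sides is to check the sender's origin and the requested URL's origin before fetching. The three origins and the function names `checkProxyRequest`, `makeProxyHandler` and `sendToProxy` are assumptions.

```javascript
// Added example, not the answer's code. All origins below are assumptions.
const APP_ORIGIN = 'https://app.example'     // HTTPS page allowed to use the proxy
const PROXY_ORIGIN = 'http://proxy.example'  // HTTP page hosting the proxy script
const ALLOWED_TARGETS = new Set(['http://api.example']) // origins the proxy may fetch

// Proxy side: decide whether a message event may trigger a fetch.
function checkProxyRequest(evt) {
  if (evt.origin !== APP_ORIGIN) return { ok: false, reason: 'untrusted sender' }
  if (!evt.ports || evt.ports.length !== 1) return { ok: false, reason: 'missing reply port' }
  if (!Array.isArray(evt.data) || typeof evt.data[0] !== 'string') {
    return { ok: false, reason: 'malformed request' }
  }
  let target
  try {
    target = new URL(evt.data[0]) // absolute URLs only; anything else throws
  } catch {
    return { ok: false, reason: 'unparsable url' }
  }
  // Compare the parsed origin, never a string prefix of the raw URL.
  if (!ALLOWED_TARGETS.has(target.origin)) return { ok: false, reason: 'target not allowed' }
  // Ignore caller-supplied fetch options: plain GET, no cookies.
  return { ok: true, url: target.href, init: { method: 'GET', credentials: 'omit' } }
}

// Proxy side: the answer's onmessage handler, gated by the check above.
// fetchImpl is injected so the handler can be exercised outside a browser.
function makeProxyHandler(fetchImpl) {
  return evt => {
    const verdict = checkProxyRequest(evt)
    if (!verdict.ok) return verdict // rejected: nothing is fetched
    const port = evt.ports[0]
    fetchImpl(verdict.url, verdict.init)
      .then(res => port.postMessage({ ok: res.ok, status: res.status }))
      .catch(() => port.postMessage({ ok: false, status: 0 }))
    return verdict
  }
}

// Opener side: address the message to the proxy's origin instead of '*', so
// the request is not delivered if the popup has navigated elsewhere.
function sendToProxy(popup, args, port) {
  popup.postMessage(args, PROXY_ORIGIN, [port])
}

// In the proxy page: onmessage = makeProxyHandler(fetch)
```

The body streaming from the answer can be kept unchanged after the check passes; only the gate in front of `fetch` and the target origin in `postMessage` differ.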


Still, this can be done with the following steps:

  1. Send an https ajax request to your web-site (the same domain)

    $.ajax({
        'url'      : '//',
        'type'     : 'get',
        'data'     : {'foo' : 'bar'},
        'success'  : function(response) {
            console.log('Successful request');
        }
    }).fail(function(xhr, err) {
        console.error('Request error');
    });

  2. Get the ajax request, for example, by php, and make a CURL get request to any desired website via http.

    use linslin\yii2\curl;
    $curl = new curl\Curl();


In some cases a one-way request without a response can be fired to a TCP server, without an SSL certificate. A TCP server, in contrast to an HTTP server, will catch your request. However there will be no access to any data sent from the browser, because the browser will not send any data without a positive certificate check. And in special cases even a bare TCP signal without any data is enough to execute some tasks. For example for an IoT device within a LAN to start a connection to an external service.

This is a kind of a "Wake Up" trigger, that works on a port without any security.

In case a response is needed, this can be implemented using a secured public https server, which can send the needed data back to the browser using e.g. Websockets.


From JavaScript I tried several ways and I could not.

You need a server-side solution. For example, in C# I created a controller that calls the http endpoint and deserializes the object, and the result is that when I call it from JavaScript, I'm making a request from my https://domain to my https://domain. Please see my C# code:

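using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json;

public class CurrencyServicesController : Controller
{
    HttpClient client;
    //GET: CurrencyServices/Consultar?url=valores?moedas=USD&alt=json
    public async Task<dynamic> Consultar(string url)
    {
        client = new HttpClient();
        // base address of the HTTP API being proxied (left blank here)
        client.BaseAddress = new Uri("");
        client.DefaultRequestHeaders.Accept.Add(new System.Net.Http.Headers.MediaTypeWithQualityHeaderValue("application/json"));
        // url is caller-supplied: a relative value resolves against BaseAddress,
        // but an absolute URL would bypass it, so validate it before use
        System.Net.Http.HttpResponseMessage response = await client.GetAsync(url);

        var FromURL = await response.Content.ReadAsStringAsync();

        return JsonConvert.DeserializeObject(FromURL);
    }
}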

And let me show you my client side (JavaScript)

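<script async>
$(document).ready(function () {

    var TheUrl = '@Url.Action("Consultar", "CurrencyServices")?url=valores';
    // same-origin HTTPS call to the controller action above
    $.getJSON(TheUrl)
        .done(function (data) {
            // '#quotes' is a placeholder element id
            $('#quotes').text(
                '$ ' + data.valores.USD.valor.toFixed(2) + ',' +
                '€ ' + data.valores.EUR.valor.toFixed(2) + ',' +
                'Ar$ ' + data.valores.ARS.valor.toFixed(2) + ''
            );
        });
});
</script>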



I hope this helps you! Greetings


  • ajax should run fine on https, can you post your actual code snippet?
  • Sounds like SOP; the schemas are different, so it is a different origin.
  • Thanks for the answer. I have changed my website accordingly.
  • Even the working draft of Cross-Origin Resource Sharing makes it impossible:
  • Thanks for the answer everyone. I have changed my website according to same origin policy.
  • @NickSotiros Why would you not want it secure? There's zero downside, and HTTP requests on an HTTPS page could potentially be attacked by a MITM to inject malicious JS.
  • @ceejayoz Well if you download a js script and execute it you could be attacked by a MITM. But if you just want to use someone else's background image in your css or download a youtube video, you can't. Why does the browser assume that content loaded via an ajax request is going to be javascript to execute? There is the site which allows you to generate online presentations with online content pulled in from external resources, they must be using proxies.
  • @NickSotiros actually someone's css can hook to inputs and send all data entered in those inputs to a bad server.
  • Nice, created a module cors-bypass that does this seamlessly.
  • Why open a new window? Couldn't you put the request in an iframe?
  • @Chiwda no, because you are mixing secure with insecure content then, using a popup isn't mixing
  • I finally did this in a very simple way: w = window.open("", '_blank', 'toolbar=no,titlebar=no,status=no,menubar=no,scrollbars=no,resizable=no,left=12000, top=12000,width=10,height=10,visible=none', ''); w.location.href = MyURI; setTimeout(function() { w.close(); }, 6000)
  • This concept worked perfect (using code relevant to my setup/project). I created a php file on my server and did a curl request on an HTTP Url. I called this file from my HTTPS website and sent in the variable I needed for the API and voila!
  • I only know my endpoint, how to use this method to my website. My website is https and API is
  • The downside is if you have many concurrent requests to your page, then you could saturate your server.