开发者

ASP.NET/jQuery: Reading jQuery file over HTTPS causing Access is Denied

开发者 https://www.devze.com 2023-01-25 07:17 出处:网络
We have a site that is public facing, let\'s say it\'s http://www.example.com. When the SSL is implement开发者_如何学JAVAed, https://www.example.com, I can no longer access the jQuery 1.4.3 file on my

We have a site that is public facing, let's say it's http://www.example.com. When the SSL is implement开发者_如何学JAVAed, https://www.example.com, I can no longer access the jQuery 1.4.3 file on my own server. Furthermore, after a tweak to the security setting, I was able to get past the 'Access is Denied' error, but the first call was null.

I understand there is a problem with different protocols actually being within the scope of the cross-domain problem? Is that true? And if so, will this now require JSONP?

 <script type="text/javascript" src="<%= ResolveUrl("~/js/jquery-1.4.2.min.js") %>"></script>
     <script type="text/javascript" src="<%= ResolveUrl("~/js/jquery.jstree.min.js") %>"></script>
     <script type="text/javascript" src="<%= ResolveUrl("~/js/jquery.dataTables.min.js") %>"></script>
     <script type="text/javascript" src="<%= ResolveUrl("~/js/jquery.cookie.min.js") %>"></script>


In an HTTPS site, you should try to load all resources, including script files, from HTTPS URLs.

If you load a single Javascript file (or JSONP API) from a non-HTTPS URL, you've defeated the purpose of HTTPS, since an attacker can intercept that file and inject a Javascript password-stealer or session hijacker.

Also note that you cannot send AJAX requests from HTTPS URLs to non-HTTPS URLs or vice-versa.


Different protocols are treated as different servers, quite correctly.

If the same file is available at the same path on each server, you can use a protocol-relative URL:

<script src="//www.example.com/js/jquery.1.4.3.min.js"></script>
0

精彩评论

暂无评论...
验证码 换一张
取 消