Test loading from http server



alexander.urban
4 Jan 2017, 5:32 AM
I want to test in a fiddle to load information from a remote http server.

There is no direct possibility to load the same information from https, because the remote server does not support https.

I hacked the following into a fiddle:


    Ext.application({
        name : 'Fiddle',

        launch : function() {
            Ext.Ajax.request({
                url: 'http://myhttpserver/firmware/current/version',
                method: 'OPTION',
                // Ext JS invokes this as callback(options, success, response)
                callback: function(request, success, response) {
                    console.log(response);
                }
            });
        }
    });

and I clicked "Run". The error is


Mixed Content: The page at 'https://fiddle.sencha.com/#view/editor' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://myhttpserver/firmware/current/version'. This request has been blocked; the content must be served over HTTPS.

This Stack Overflow resource (http://stackoverflow.com/questions/30663615/jquery-load-https-url) tells me that I cannot get it to work using additional code, headers or something like that.

I did not find a way to load Fiddle via http; I am always forwarded to a secure connection.

So, the only way to test this would be to abandon sencha fiddle and use a local testbed. Is this correct?

mitchellsimoens
4 Jan 2017, 5:36 AM
This is browser enforced and with HTTPS everywhere, browsers are going to start complaining when a source is insecure and SEO will likely follow suit.

Fiddle 2 does have a proxy route, so if the server is accessible to the internet (no local hosts entry) then you can use https://fiddle.sencha.com/proxy/http://myhttpserver/firmware/current/version. This is a simple proxy and AFAIK not a whole lot of usage but should use a nodejs proxy (so it uses the http module and sends a request to download the file). In a further iteration, nginx can use a reverse proxy to handle this outside of nodejs but needed to get something working for the time being. This proxy route is currently automatically used if you add a remote file that uses http not https.

alexander.urban
4 Jan 2017, 5:50 AM
Thank you for your insightful reply. The server is an intranet TFTP server used by appliances to download firmware updates, normally no browser access, no SEO.

Good to know about the availability of the proxy, thank you. Should we really implement version file parsing into our dashboard UI, we will keep in mind to add a similar proxy to our environment because of HTTPS everywhere.
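
A proxy route of the shape discussed above takes its destination from the request path, so a self-hosted version should restrict which hosts and paths it will fetch. A minimal Node.js sketch, added here as an example (not Sencha's implementation and not part of the original posts); the allowed host and path prefix and the names resolveTarget and handleProxy are assumptions:

```javascript
// Added example, not Sencha's code: a /proxy/ route with a destination allowlist.
const http = require('node:http');

// Assumptions: the one upstream host and path prefix this proxy may fetch.
const ALLOWED_HOSTS = new Set(['myhttpserver']);
const ALLOWED_PREFIX = '/firmware/';

// Map "/proxy/http://host/path" to a vetted URL, or null when it must be refused.
function resolveTarget(requestPath) {
  const m = /^\/proxy\/(http:\/\/.+)$/.exec(requestPath);
  if (!m) return null;
  let target;
  try {
    target = new URL(m[1]);
  } catch {
    return null;
  }
  if (target.protocol !== 'http:') return null;
  if (target.username || target.password) return null; // rejects "allowed@otherhost"
  if (target.port !== '') return null;                 // default port 80 only
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;
  // URL() has already collapsed "../" segments, so a prefix test is meaningful here.
  if (!target.pathname.startsWith(ALLOWED_PREFIX)) return null;
  return target;
}

// Handler to mount on the TLS listener, e.g. https.createServer(tlsOptions, handleProxy).
function handleProxy(req, res) {
  const target = resolveTarget(req.url);
  if (req.method !== 'GET' || !target) {
    res.writeHead(403).end('target not allowed');
    return;
  }
  // http.get does not follow redirects, so the upstream cannot bounce us elsewhere.
  const upstream = http.get(target, { timeout: 5000 }, (up) => {
    res.writeHead(up.statusCode, { 'Content-Type': 'text/plain; charset=utf-8' });
    up.pipe(res);
  });
  upstream.on('timeout', () => upstream.destroy(new Error('upstream timeout')));
  upstream.on('error', () => {
    if (!res.headersSent) res.writeHead(502);
    res.end();
  });
}
```

The browser then requests https://<dashboard-host>/proxy/http://myhttpserver/firmware/current/version over HTTPS, which avoids the mixed-content block while the plain-HTTP hop stays on the server side.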

mitchellsimoens
4 Jan 2017, 5:53 AM
Also keep in mind that services like Let's Encrypt (https://letsencrypt.org/) make it extremely easy to get an SSL cert these days. They expire in 90 days, but set up a simple cron job to renew and you are good (and they are ok with the cron job renew).

It's also trivial to set up a reverse proxy locally using nginx or apache. I use apache locally as I'm on macOS and it's already there and have the SSL cert on it and my node servers are insecure for testing.

Bampf
20 Jan 2017, 6:55 AM
A workaround if you need a fiddle to GET data from an unencrypted service: you can temporarily tell your browser to allow mixed content (encrypted and unencrypted).

* With Firefox, click on the page's padlock icon and find the option to temporarily disable protection.
* With Chrome, you can run the Chrome executable with the command line argument: --allow-running-insecure-content

There have also been browser extensions for this.

Note that all these options have changed over time, and may not be supported in future. Disabling the protection is a temporary measure suitable only for short-term developer testing. Better solutions are the ones mentioned earlier.