Chrome now blocking all jsonp requests from https to http?

security google-chrome https jsonp securitydomain
27,710

Solution 1

It definitely should block it - it's insecure and breaks the promise of HTTPS.

A JSONP resource fetch is done by creating a <script> resource pointing at the target. That means the target server can run any JavaScript it likes on the including page, and hence any man-in-the-middle can inject arbitrary script into a supposedly-HTTPS-protected page (eg adding a keylogger, or completely replacing the page content). An HTTPS page with a <script> coming from HTTP is no more secure than a plain HTTP page.

You will need to provide an HTTPS version of your data feed, if you want HTTPS pages to be able to access it. Otherwise browsers should, at the very least, produce warnings. Chrome now defaulting to block doesn't change the nature of the problem, it's just giving you the extra push you need to fix it properly.

Solution 2

<script src="//domain.com/script.js"></script> solves the problem if remote server allows HTTPS... // will automatically set protocol to https if site is accessed by https.

Share:
27,710
Andy C
Author by

Andy C

Updated on February 01, 2020

Comments

  • Andy C
    Andy C over 4 years

    At some point recently Chrome has stopped showing data loaded via jsonp with the error

    [blocked] The page at https://user.example.com/category/12345 ran insecure content from http://livedata.example.com/Data.svc/jsonp/GetData?category=12345&callback=_jsp&_1346417951424=.

    It still works fine on all other browsers, and has been confirmed on several different computers running Chrome.

    The only mention I've seen of this problem before is when the page was served from one of Google's own domains (a security feature for Google Apps I guess?), is this something that has been enabled on all domains now in a recent version of Chrome?

    Ideally we don't want to have to enable https on our livedata subdomain because of the extra server load it would cause, the data is all publicly available so there's no pressing need to encrypt it.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

"Cannot connect to the real Gmail.com"
Why do some websites show the company name next to the URL?
Force Chrome to Ignore a "weak ephemeral Diffie-Hellman public key”
Why does Chrome hate self-signed certificates so much?
Avoiding NavigatorUserMediaError "Only secure origins are allowed" on HTTP in Chrome
Mixed content in Chrome and IE
Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)
Change Browser settings by script
Is there such a thing as the "Tamper Data firefox plugin" for chrome?
window.opener.document.getElementById("parentId1").value = myvalue not working