Web Hosting Forum | Lunarpages

Author Topic: public SSL cert vs. insecure XMLHttpRequest endpoint (browser extension)  (Read 7661 times)

Offline texwaldo

I am making a browser extension.  While a user is viewing another website, the extension requests data from my domain (which is currently non-secure).

Problem: I receive the following error when the other domain has Transport Layer Security (a "Secure Socket Layer"):

Quote
Mixed Content: The page at 'https://www.otherdomain.com/home.php' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://subdomain.mydomain.com/php/request.php?ID=3'. This request has been blocked; the content must be served over HTTPS.

I have seen reference to "free public SSL certificates" in Lunarforums (howdy, MrPhil).

Question: Is a "public" SSL certificate sufficient for my domain to maintain "secure" URLs?
(Does a "public" SSL certificate result in URLs with the "https" prefix, satisfying the requirement of a "secure endpoint" by the other domain?)
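The blocking rule behind the error quoted in the post above, as an added example that is not part of the original thread: a simplified version of the browser's mixed-content decision for XMLHttpRequest, following the W3C Mixed Content and Secure Contexts definitions. The function names are hypothetical, and the loopback exemption is an assumption that browsers have not applied uniformly.

```javascript
// Added example (not from the thread): simplified mixed-content check for
// XHR/fetch, which browsers treat as "blockable" (never auto-upgraded).
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Secure Contexts treats loopback hosts as potentially trustworthy.
// Assumption: real browsers have varied on this exemption over time.
function isLoopback(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  return h === "localhost" || h.endsWith(".localhost") ||
         h === "::1" || /^127(\.\d{1,3}){3}$/.test(h);
}

function isPotentiallyTrustworthy(url) {
  return SECURE_SCHEMES.has(url.protocol) || isLoopback(url.hostname);
}

// pageUrl: the page the user is viewing; endpointUrl: what the script requests.
function xhrVerdict(pageUrl, endpointUrl) {
  const page = new URL(pageUrl);
  const endpoint = new URL(endpointUrl, page); // relative URLs inherit the page scheme
  if (!SECURE_SCHEMES.has(page.protocol)) {
    return { blocked: false, reason: "page is not HTTPS, so no mixed-content check applies" };
  }
  if (isPotentiallyTrustworthy(endpoint)) {
    return { blocked: false, reason: "endpoint is served over a secure scheme or loopback" };
  }
  // The scheme is what the check looks at; the server must also present a
  // certificate the browser accepts, or the HTTPS request fails for that reason.
  const fix = new URL(endpoint.href);
  fix.protocol = endpoint.protocol === "ws:" ? "wss:" : "https:";
  return { blocked: true, reason: "insecure endpoint requested from an HTTPS page", fix: fix.href };
}

// URLs taken from the error message quoted in the post.
const verdict = xhrVerdict(
  "https://www.otherdomain.com/home.php",
  "http://subdomain.mydomain.com/php/request.php?ID=3"
);
console.log(verdict);
```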

Offline MrPhil

  • Senior Moderator
Re: public SSL cert vs. insecure XMLHttpRequest endpoint (browser extension)
« Reply #1 on: December 08, 2015, 05:04:15 PM »
As far as I know, a public SSL implementation should be considered just as secure as a private key of the same strength (e.g., 256 bits). Be sure to check what strength the public key is before you put in a lot of work! A typical public key might be considered too weak for handling financial information these days, simply because it was set up years ago when 128 or 256 bits was considered good.

A public key is referenced by https://<LP_server_name>/~<your_account_name>/... I've never tried it, but it might be possible to refer to your subdomain via its subdirectory name under the root. It costs nothing, so you could give it a try and see what happens. I can't swear that some browsers might not pop up a warning that you have content being loaded from two different SSL-protected domains, but you'll just have to see.
-= From the ashes shall rise a sooty tern =-

Offline texwaldo

Re: public SSL cert vs. insecure XMLHttpRequest endpoint (browser extension)
« Reply #2 on: December 19, 2015, 04:33:47 AM »
I appreciate you making time to reply, MrPhil. Was distracted by local drama (nothing interesting), and am just seeing your msg today for the first time.
Looking into public SSL now.

 
