  1. #1
    Regular Coder
    Join Date
    Dec 2011
    Posts
    186
    Thanks
    0
    Thanked 1 Time in 1 Post

    Can javascript (ajax) send an asynchronous https post request?

    Hello,

    I'm writing a customer registration page that will use https. For each text entry field, I want to use one javascript function to asynchronously and securely send an https post request (onBlur, onChange, or whatever event works) to a server side php script that passes that field's value to a php script that puts it through a regex to make sure the data is formatted correctly.

    That means each js function posts its data to one php script that contains one regex. So 5 fields would need a total of 5 functions, which would post to a total of 5 php scripts. I know I can't use a regex for every field, because some fields (like name and address) are unpredictable.

    Other fields, like state and zip, can be filtered through a regex. My question is, can javascript send a post request to an https url securely? Can I place an https url in the open method of the XMLHttpRequest Object?

    Can I just put the https url in the area highlighted in red in the code below? Do I need a separate https url for each function? If so, do I need a separate public key for each https url?

    The code below is just an example of a working js function. I highlighted the line that contains the open method in red.

    Thank you for your help. The example code with the open method highlighted in red is below:


    Code:
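    // Shared request object used by the function below (assumed here; the post
    // does not show where chAptsOnload_8AM is created).
    var chAptsOnload_8AM = new XMLHttpRequest();

    function clickToCancel(ClickToCan, UserId, Schd_Can, NotAvail, Available, ClickToSch, AM)
    {
        // URL-encode both values before building the form-encoded POST body
        var apt_time_can = encodeURIComponent(document.getElementById(ClickToCan).value);
        var userid = encodeURIComponent(document.getElementById(UserId).value);
        var parameters = "apt_time="+apt_time_can+"&user_id="+userid;
    
        // A relative URL is resolved against the page's own origin (scheme, host and port)
        chAptsOnload_8AM.open("POST", "/cgi-bin/click_to_cancel.php", true);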
        chAptsOnload_8AM.onreadystatechange = function()
        {
           if(chAptsOnload_8AM.readyState == 4)
           {
              if(chAptsOnload_8AM.status == 200)
              {
                      var SchdCan = document.getElementById(Schd_Can);
                      var NtAvail = document.getElementById(NotAvail);
                      var Avail = document.getElementById(Available);
    
                            SchdCan.innerHTML = ''; 
                            NtAvail.innerHTML = ''; 
                            Avail.innerHTML = 'Available <button id="'+ClickToSch+'"  '+'    name = "apt_time"  value = "'+AM+'"'+'   onClick=\"clickToSchedule(\''+AM+'\','+'\''+UserId+'\','+'\''+Schd_Can+'\','+'\''+NotAvail+'\','+'\''+Available+'\','+'\''+ClickToCan+'\','+'\''+ClickToSch+'\''+'); return false">Click Here To Schedule</button>';
                  
              }  //Closing if(chAptsOnload_8AM.status == 200)
              
           }  //Closing if(chAptsOnload_8AM.readyState==4)
        }  //Closing onreadystatechange function 
        chAptsOnload_8AM.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        chAptsOnload_8AM.send(parameters);
    }

  • #2
    Regular Coder
    Join Date
    Apr 2012
    Location
    St. Louis, MO
    Posts
    985
    Thanks
    7
    Thanked 101 Times in 101 Posts
    I think there is a cross-domain security policy that comes into play. Basically, JavaScript sees https://www.domain.com as different from http://www.domain.com.
    ^_^

    If anyone knows of a website that can offer ColdFusion help that isn't controlled by neurotic, pedantic jerks* (stackoverflow.com), please PM me with a link.
    *
    The neurotic, pedantic jerks are not the owners; just the people who are in control of the "popularity contest".

  • #3
    Regular Coder
    Join Date
    Dec 2011
    Posts
    186
    Thanks
    0
    Thanked 1 Time in 1 Post
    Originally Posted by WolfShade:
    "Basically, JavaScript sees https://www.domain.com as different from http://www.domain.com."
    The registration page itself would use https, and each js function I described would have an https url in its open method. No http protocol would be used.

    Do you know if js would work this way?

    Thank you

  • #4
    Regular Coder
    Join Date
    Apr 2012
    Location
    St. Louis, MO
    Posts
    985
    Thanks
    7
    Thanked 101 Times in 101 Posts
    AFAIK, if they are both SSL, it should work. You shouldn't have to do anything else when building your XHR, or in the .post() if using jQuery.
    ^_^


  • #5
    Regular Coder
    Join Date
    Dec 2011
    Posts
    186
    Thanks
    0
    Thanked 1 Time in 1 Post
    Thank you

  • #6
    Senior Coder rnd me
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,378
    Thanks
    11
    Thanked 592 Times in 572 Posts
    if you need to post across domains or protocols, you can simply emit Access-Control-Allow-Origin headers on the catching server to avoid same-origin-policy restrictions.

  • #7
    Regular Coder
    Join Date
    Dec 2011
    Posts
    186
    Thanks
    0
    Thanked 1 Time in 1 Post
    Hi rnd me,

    Thanks for that information. Your reply helped me find some very interesting reading. For the asynchronous js functions, I'm going to write the open method like this:
    Code:
    request.open("POST", "https://this.domain.com/cgi-bin/this_file_will_be_different_for_each_js_function.php", true);
    I think I answered my own question about the public key/ssl certificate. If I always use this domain (in red) in the open method of each js function:
    Code:
    https://this.domain.com/cgi-bin/(add file here per js function)
    ... then the same public key and therefore the same certificate can be used for each asynchronous request.

    If I ever need to post across different protocols or domains, I know what to do. Very interesting stuff.

    Thank you
    Last edited by milesdriven; 11-02-2012 at 01:17 AM.
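
Added example, not part of any post in this thread: the origin comparison the replies describe (scheme, host and port must all match, so http and https on the same host differ), plus one way a receiving server could choose an Access-Control-Allow-Origin value from an exact-match allowlist. The function names, `check_zip.php` and `other.example` are constructed for illustration, and the server-side decision is written in JavaScript only to show the logic, not the thread's PHP.

```javascript
// Default ports, so https://host and https://host:443 compare as equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) tuple the same-origin policy compares.
// `base` lets relative URLs such as "/cgi-bin/x.php" resolve against the page.
function originTuple(url, base) {
  const u = new URL(url, base);
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ""];
}

// True when a request from pageUrl to targetUrl stays within one origin
// and therefore needs no CORS headers from the server.
function isSameOrigin(pageUrl, targetUrl) {
  const page = originTuple(pageUrl);
  const target = originTuple(targetUrl, pageUrl);
  return page.every((part, i) => part === target[i]);
}

// Server-side decision: return the value to send in Access-Control-Allow-Origin,
// or null to send no header. Only exact allowlist matches are echoed back;
// the request's Origin value is never reflected blindly.
function allowOriginHeader(requestOrigin, allowlist) {
  if (typeof requestOrigin !== "string") return null;
  let parsed;
  try {
    parsed = new URL(requestOrigin);
  } catch (e) {
    return null; // e.g. the literal string "null" sent for opaque origins
  }
  // An Origin header carries scheme://host[:port] only, no path or query.
  if (parsed.origin !== requestOrigin) return null;
  return allowlist.includes(parsed.origin) ? parsed.origin : null;
}

// Constructed sample input: the https registration page from the thread.
const PAGE = "https://this.domain.com/register.php";
const ALLOWLIST = ["https://this.domain.com"];

console.log(isSameOrigin(PAGE, "/cgi-bin/check_zip.php"));
console.log(isSameOrigin("http://this.domain.com/register.php",
                         "https://this.domain.com/cgi-bin/check_zip.php"));
console.log(allowOriginHeader("https://other.example", ALLOWLIST));
```

With every open() call pointing at the same https host as the page, the first check is true for each field's script and no CORS header is involved.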

