
Can a jsonp request from a user on an http page (made by the browser) to an https server be considered secure?

For example:

The user is on:

http://www.example.net

On that page there's a form that, on submit, sends a jsonp request to:

https://secureapi.net

Can the information on the submit form be read as if the api server is on http?

  • I believe you can only do this if you are making the request on the same domain. Otherwise, it won't work. Commented Feb 17, 2012 at 16:56
  • @bsimic — Getting around the same origin policy is the point of JSONP. Commented Feb 17, 2012 at 17:00
  • @Quentin -- Yes, but I don't think it's meant for HTTPS. Commented Feb 17, 2012 at 21:58
  • @bsimic — SSL and the Same Origin Policy are defences against completely different types of attack. Nothing about SSL would prevent JSONP from working. Commented Feb 17, 2012 at 22:56
  • @Quentin is right: graph.facebook.com/cocacola can be accessed from an http page. Commented Feb 18, 2012 at 8:45

2 Answers


No. While the data can't be sniffed in-flight, the HTTP page triggering the request is vulnerable to alteration by man-in-the-middle attacks. JS could be injected which can then leak the data retrieved via HTTPS.

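To make the answer above concrete, here is an added example (not code from the question or either answer) that models the JSONP exchange outside a browser, in Node with no DOM. The helper names `buildJsonpUrl`, `jsonpResponse`, `runInPage` and `jsonpRoundTrip`, the `/submit` path and the sample form field are assumptions made for the illustration.

```javascript
// 1. The HTTP page builds the request: the form fields go into the query string of
//    a <script src=...> URL, together with the name of a global callback function.
function buildJsonpUrl(endpoint, fields, callbackName) {
  const query = new URLSearchParams({ ...fields, callback: callbackName });
  return `${endpoint}?${query.toString()}`;
}

// 2. The HTTPS API answers with JavaScript, not JSON: a call to the callback the
//    page named. The name is reflected into executable code, so the server only
//    accepts a plain identifier.
function jsonpResponse(callbackName, payload) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error('callback must be a plain identifier');
  }
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// 3. The browser executes that response as a script inside the page. `page` stands
//    in for the page's global object; every script the page loads, whatever its
//    source, runs against this same object.
function runInPage(page, scriptText) {
  new Function('window', `with (window) { ${scriptText} }`)(page);
}

// One submit from start to finish; returns what the page's global scope holds
// afterwards so the flow can be inspected.
function jsonpRoundTrip() {
  const page = { received: null };
  page.onResult = function (data) { page.received = data; };

  // Constructed sample input standing in for the form on http://www.example.net.
  const url = buildJsonpUrl('https://secureapi.net/submit',
    { email: 'alice@example.net' }, 'onResult');

  // TLS protects this leg: the query string and the reply are encrypted in flight.
  const body = jsonpResponse('onResult', { status: 'ok', account: 'A-1001' });

  runInPage(page, body);
  // The reply now lives in the page's scope, next to every other script that page
  // loaded over plain HTTP. Its confidentiality equals the page's, not the API's.
  return { url, body, received: page.received };
}
```

Step 3 is where the answer's point lands: the HTTPS leg is intact, but the result is handed to code running in an HTTP page, so anything that can alter that page can read it.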


Yes, it is secure provided you send encrypted data to the other page and decrypt the info on another page.

1 Comment

I'm having trouble understanding that sentence, but I'm pretty certain that it's incorrect.
