HTTPS page doing HTTP request using CORS
Reading the CORS spec, it states [abridged]:
... user agents are allowed to terminate the algorithm and not make a request. This could be done because e.g.:
...
- https to http is not allowed.
...
This appears to be the behavior in Chrome, but I have not found a reference to this behavior in the various browser vendors' documentation.
For performance reasons I wish to make an HTTP request from HTTPS page content. The request is to a different domain entirely, with the correct CORS headers for HTTP requests (which work OK for http->http).
Are there any headers I can set to allow https -> http? It seems sensible to disallow mixed-mode on a single domain / sub-domains, but cross-domain seems overprotective, if the other domain allows http normally.
I'm imagining a 'preflight check' or 'simple request' would be allowed if it didn't have HSTS headers or alike.