Can javascript (ajax) send an asynchronous https post request?

milesdriven · 11-01-2012, 08:51 PM

Hello,

I'm writing a customer registration page that will use https. For each text entry field, I want to use one javascript function to asynchronously and securely send a https post request (onBlur, onChange, or whatever event works) to a server side php script that passes that field's value to a php script that puts it through a regex to make sure the data is formatted correctly.

That means each js function posts it's data to one php script that contains one regex. So 5 fields would need a total of 5 functions, which would post to a total of 5 php scripts. I know I can't use a regex for every field, because some fields (like name and address) are unpredictable.

Other fields, like state and zip, can be filtered through a regex. My question is, can javascript send a post request to an https url securely? Can I place a https url in the open method of the XMLHttpRequest Object?

Can I just put the https url in the area highlighted in red in the code below? Do I need a separate https url for each function? If so, do I need a separate public key for each https url?

The code below is just an example of a working js function. I highlighted the line that contains the open method in red.

Thank you for your help. The example code with the open method highlighted in red is below:

Code:

function clickToCancel(ClickToCan, UserId, Schd_Can, NotAvail, Available, ClickToSch, AM)
{
    var apt_time_can = encodeURIComponent(document.getElementById(ClickToCan).value);
    var userid = encodeURIComponent(document.getElementById(UserId).value);
    var parameters = "apt_time="+apt_time_can+"&user_id="+userid

    chAptsOnload_8AM.open("POST", "/cgi-bin/click_to_cancel.php", true);
    chAptsOnload_8AM.onreadystatechange = function()
    {
       if(chAptsOnload_8AM.readyState == 4)
       {
          if(chAptsOnload_8AM.status == 200)
          {
                  var SchdCan = document.getElementById(Schd_Can);
                  var NtAvail = document.getElementById(NotAvail);
                  var Avail = document.getElementById(Available);

                        SchdCan.innerHTML = ''; 
                        NtAvail.innerHTML = ''; 
                        Avail.innerHTML = 'Available <button id="'+ClickToSch+'"  '+'    name = "apt_time"  value = "'+AM+'"'+'   onClick=\"clickToSchedule(\''+AM+'\','+'\''+UserId+'\','+'\''+Schd_Can+'\','+'\''+NotAvail+'\','+'\''+Available+'\','+'\''+ClickToCan+'\','+'\''+ClickToSch+'\''+'); return false">Click Here To Schedule</button>';
              
          }  //Closing if(chAptsOnload_8AM.status == 200)
          
       }  //Closing if(chAptsOnload_8AM.readyState==4)
    }  //Closing onreadystatechange function 
    chAptsOnload_8AM.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    chAptsOnload_8AM.send(parameters);
}

WolfShade · 11-01-2012, 08:58 PM

I think there is a cross-domain security policy that comes into play. Basically, JavaScript sees https://www.domain.com as different from http://www.domain.com.

milesdriven · 11-01-2012, 09:03 PM

Quote:

Originally Posted by WolfShade

Basically, JavaScript sees https://www.domain.com as different from http://www.domain.com.

The registration page itself would use https, and each js function I described would have an https url in it's open method. No http protocol would be used.

Do you know if js would work this way?

Thank you

WolfShade · 11-01-2012, 09:10 PM

AFAIK, if they are both SSL, it should work. You shouldn't have to do anything else when building your XHR, or in the .post() if using jQuery.

milesdriven · 11-01-2012, 09:20 PM

Thank you

rnd me · 11-02-2012, 12:16 AM

if you need to post across domains or protocols, you can simply emit Access-Control-Allow-Origin headers on the catching server to avoid same-origin-policy restrictions.

milesdriven · 11-02-2012, 01:15 AM

Hi rnd me,

Thanks for that information. Your reply helped me find some very interesting reading. For the asynchronous js functions, I'm going to write the open method like this:

Code:

request.open("POST", "https://this.domain.com/cgi-bin/this_file_will_be_different_for_each_js_function.php", true);

I think I answered my own question about the public key/ ssl certificate. If I always use this domain (in red) in the open method of each js function:

Code:

https://this.domain.com/cgi-bin/(add file here per js function)

... then the same public key and therefore the same certificate can be used for each asynchronous request.

If I ever need to post across different protocols or domains, I know what to do. Very interesting stuff.

Thank you