Access restriction of WEB API service call based on request

Question

0.00/5 (No votes)

See more:

C#

When we access the WEB API service methods from a web application through Ajax calls, will there be any access restrictions for the following scenarios

"HTTPS" Web application accessing an "HTTP" WEB-API
 
"HTTP" Web application accessing an "HTTPS" WEB-API

Will there be any impact on request application or context, either it Http or Https the web API will behave same.

Please advice.

What I have tried:

Access a cross domain web service from a web application using ajax call.

Authentication is denied even after specifying the cross domain feature enabled.

One of my friend suggested there may be issue while accessing a SSL secured Https service from an normal HTTP application.

Posted 19-Apr-16 7:46am

Bhuvanesh Mohankumar

Updated 19-Apr-16 8:05am

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Answer 1 · 2016-04-19T08:05:00

Solution 1

A page served over HTTPS should not be able to access an API served over HTTP, as this would not be secure.

A page served over HTTP will be able to access an API served over HTTPS.

However, this is unlikely to be the problem. It sounds like you're trying to access an API which does not send the Access-Control-Allow-Origin header, and is therefore not available from script running on your page.

If you don't control the site hosting the remote API, your only option is to create a proxy API on your own site which makes the API request from your server. How you do that will depend on what server-side technology you're using.

Posted 19-Apr-16 8:05am

Richard Deeming

Comments

[no name] 19-Apr-16 14:09pm

Hi Richard,

Yes I understood your point. I was also had same solution to create a proxy service which will be a middle layer between actual service and application.

Is this the only solution or we have any other option to make direct call from application to service?

Thanks.

Richard Deeming 19-Apr-16 14:13pm

If the remote server doesn't return an appropriate Access-Control-Allow-Origin header, and doesn't provide a JSONP[^] option, then a proxy script is the only solution.

[no name] 19-Apr-16 14:20pm

Thanks Richard, let me try and update you.