
Problem with script and SSL


Igor


Hello, I have a little problem here and do not know how to solve it.
I have the following script:

// *** Start of automatic CEP lookup *** //
function getEndereco() {
  if (jQuery.trim(jQuery("#cep").val()) != "") {
    // Third-party script loaded over plain http
    jQuery.getScript("http://cep.republicavirtual.com.br/web_cep.php?formato=javascript&cep=" + jQuery("#cep").val(), function () {
      if (resultadoCEP["resultado"]) {
        jQuery("#rua").val(unescape(resultadoCEP["tipo_logradouro"]) + " " + unescape(resultadoCEP["logradouro"]));
        jQuery("#bairro").val(unescape(resultadoCEP["bairro"]));
        jQuery("#cidade").val(unescape(resultadoCEP["cidade"]));
        jQuery("#estado").val(unescape(resultadoCEP["uf"]));
      } else {
        alert("Endereço não encontrado!");
      }
    });
  }
}

What is happening is that the page that will use the script has SSL installed, so the script is not loaded with the page because it is considered unsafe (because it does not contain the https link).
I was told that you can modify the form of the query to work with SSL. Is there any alternative to solve this?

 

Link to comment
Share on other sites

Use

jQuery.getScript("//cep.republicavirtual.com.br/web_cep.php?formato=javascript&cep="+jQuery("#cep").val()

Instead of

jQuery.getScript("http://cep.republicavirtual.com.br/web_cep.php?formato=javascript&cep="+jQuery("#cep").val()

 

Hi,

 

Thanks for the answer; unfortunately it did not work for me, I had already tried it before. :(

 

Some other solution?

 

A colleague of mine told me the following:
A workaround is to create a proxy on your side.
Your Ajax call requests your local server-side script, and the server side is what really calls the republicavirtual API.
or
Create a get-cep.php file, which receives a parameter via GET (the CEP in this case).
With this file, you can call republicavirtual using the cURL library, for example.
I just do not know how to do it, so it does not help much..
Edited by Igor
Link to comment
Share on other sites

Why don't you simply download jQuery and put the file on your site?

 

What do you mean? Did you mean download the script that does the query? (//cep.republicavirtual.com.br/web_cep.php?formato=javascript&cep=)

 

If so, you can not because I have no access to this file, I use their API.

Link to comment
Share on other sites

Not talking about jQuery; talking about the URL using http: within .getScript() while the current secure page uses a URL with https:, which throws an insecure error on any URL links using http:.

 

Really, I did not understand. I cannot change the http to https; then the link does not work..
Do you know any way to run this same script?
Link to comment
Share on other sites

Any links using http on a secure page will cause an insecure error. Using

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>

will cause an error, while using

<script type="text/javascript" src="//ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>

will enable the link to the file on any page, whether on unsecured 'http:' or secured 'https:'.

Linking to other pages on a secure page on the same domain OR a different domain using 'http:' will cause the same error unless you use, for the same domain, a relative path instead of an absolute path ("/mypage.html" compared to "http://mydomain/mypage.html") OR, for a different domain, "//differentdomain.com/therepage.html".
Edited by dsonesuk
Link to comment
Share on other sites

Thanks for the reply.

 

 

That much I know, so much so that I host "jquery.min.js" on my own server, so I use:

<script type="text/javascript" src="/my_site/query.min.js"></script>

The problem is directly with the script that has the http; I do not know how to solve it. :/
Edited by Igor
Link to comment
Share on other sites

If the remote server does not support HTTPS (which would be kind of stupid, but I guess there are still some servers out there that don't bother with security) then using the local proxy is probably the best solution. You would send an HTTPS request to a PHP script on your server, and that script would use cURL to fetch the remote content and return it. So the request from your browser would go over HTTPS, but PHP on the server would send the request using HTTP to get the remote content. But, hopefully, that Javascript code doesn't try and make any other requests using HTTP because those wouldn't work and you probably wouldn't be able to do much about that. If that's the case then you need to contact them and find a way to use their API over HTTPS, there's not another way. They should support HTTPS anyway, it's not hard or expensive to set up.

Link to comment
Share on other sites


Yes, I even got in touch with them and offered SSL for free, as a courtesy to them, but the problem is that they do not respond.

 

Do you know what the script would look like, the way you described it? I do not know programming, so it gets complicated; I did not find anything related online.

Link to comment
Share on other sites

There's a proxy here that contains links to the code and documentation, I would recommend reading through the documentation and maybe some examples:

http://benalman.com/projects/php-simple-proxy/

For that, you want to set the mode to "native", so you need to enable that in the config options and then set the regular expression so that only requests to that server are allowed. The configuration options only have these lines:

$enable_jsonp    = false;
$enable_native   = false;
$valid_url_regex = '/.*/';

So change that to this:

$enable_jsonp    = false;
$enable_native   = true;
$valid_url_regex = '/^http:\/\/cep\.republicavirtual\.com\.br\/(.*)/';

You need to specify that the mode is native, and then the URL, so it would look like this, depending on where you save that PHP file:

jQuery.getScript("ba-simple-proxy.php?mode=native&url=" + encodeURIComponent("http://cep.republicavirtual.com.br/web_cep.php?formato=javascript&cep="+jQuery("#cep").val()), function(){...
Link to comment
Share on other sites


If I understand, I did it like this:

file index.php

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>xxx</title>
</head>
<body>
INPUT
<script src="/folder1/folder2/cep.js"></script>
</body>
</html>

file cep.js

// *** Start of automatic CEP lookup *** //
function getEndereco() {
  if (jQuery.trim(jQuery("#cep").val()) != "") {
    // Same lookup as before, now requested through the local proxy
    jQuery.getScript("/folder1/folder2/proxy.php?mode=native&url=" + encodeURIComponent("http://cep.republicavirtual.com.br/web_cep.php?formato=javascript&cep=" + jQuery("#cep").val()), function () {
      if (resultadoCEP["resultado"]) {
        jQuery("#rua").val(unescape(resultadoCEP["tipo_logradouro"]) + " " + unescape(resultadoCEP["logradouro"]));
        jQuery("#bairro").val(unescape(resultadoCEP["bairro"]));
        jQuery("#cidade").val(unescape(resultadoCEP["cidade"]));
        jQuery("#estado").val(unescape(resultadoCEP["uf"]));
      } else {
        alert("Endereço não encontrado!");
      }
    });
  }
}

file proxy.php

<?php
$enable_jsonp    = false;
$enable_native   = true;
$valid_url_regex = '/^http:\/\/cep\.republicavirtual\.com\.br\/(.*)/';
?>

Is that how it should be done?

Link to comment
Share on other sites

Jeez, that ###### I. lol

 

I copied the file but it did not work, I copied just like this one: https://raw.githubusercontent.com/cowboy/php-simple-proxy/master/ba-simple-proxy.php

 

I accessed this file directly and it returned these errors:

Notice: Undefined index: url in /home/user/public_html/proxy.php on line 145
Notice: Undefined variable: header in /home/user/public_html/proxy.php on line 194
Notice: Undefined index: mode in /home/user/public_html/proxy.php on line 196
Notice: Undefined index: full_headers in /home/user/public_html/proxy.php on line 217
Notice: Undefined index: full_status in /home/user/public_html/proxy.php on line 229
Notice: Undefined index: HTTP_X_REQUESTED_WITH in /home/user/public_html/proxy.php on line 241
Warning: Cannot modify header information - headers already sent by (output started at /home/user/public_html/proxy.php:1) in /home/user/public_html/proxy.php on line 242
{"status":{"http_code":"ERROR"},"contents":"ERROR: url not specified"}

Is it normal for that to appear?

Link to comment
Share on other sites

I guess it's normal, but apparently the guy who wrote that script is lazy. Try this version, make sure to change the configuration options still:

<?php

// Script: Simple PHP Proxy: Get external HTML, JSON and more!
//
// *Version: 1.6, Last updated: 1/24/2009*
//
// Project Home - http://benalman.com/projects/php-simple-proxy/
// GitHub       - http://github.com/cowboy/php-simple-proxy/
// Source       - http://github.com/cowboy/php-simple-proxy/raw/master/ba-simple-proxy.php
//
// About: License
//
// Copyright (c) 2010 "Cowboy" Ben Alman,
// Dual licensed under the MIT and GPL licenses.
// http://benalman.com/about/license/
//
// About: Examples
//
// This working example, complete with fully commented code, illustrates one way
// in which this PHP script can be used.
//
// Simple - http://benalman.com/code/projects/php-simple-proxy/examples/simple/
//
// About: Release History
//
// 1.6 - (1/24/2009) Now defaults to JSON mode, which can now be changed to
//       native mode by specifying ?mode=native. Native and JSONP modes are
//       disabled by default because of possible XSS vulnerability issues, but
//       are configurable in the PHP script along with a url validation regex.
// 1.5 - (12/27/2009) Initial release
//
// Topic: GET Parameters
//
// Certain GET (query string) parameters may be passed into ba-simple-proxy.php
// to control its behavior, this is a list of these parameters.
//
//   url - The remote URL resource to fetch. Any GET parameters to be passed
//     through to the remote URL resource must be urlencoded in this parameter.
//   mode - If mode=native, the response will be sent using the same content
//     type and headers that the remote URL resource returned. If omitted, the
//     response will be JSON (or JSONP). <Native requests> and <JSONP requests>
//     are disabled by default, see <Configuration Options> for more information.
//   callback - If specified, the response JSON will be wrapped in this named
//     function call. This parameter and <JSONP requests> are disabled by
//     default, see <Configuration Options> for more information.
//   user_agent - This value will be sent to the remote URL request as the
//     `User-Agent:` HTTP request header. If omitted, the browser user agent
//     will be passed through.
//   send_cookies - If send_cookies=1, all cookies will be forwarded through to
//     the remote URL request.
//   send_session - If send_session=1 and send_cookies=1, the SID cookie will be
//     forwarded through to the remote URL request.
//   full_headers - If a JSON request and full_headers=1, the JSON response will
//     contain detailed header information.
//   full_status - If a JSON request and full_status=1, the JSON response will
//     contain detailed cURL status information, otherwise it will just contain
//     the `http_code` property.
//
// Topic: POST Parameters
//
// All POST parameters are automatically passed through to the remote URL
// request.
//
// Topic: JSON requests
//
// This request will return the contents of the specified url in JSON format.
//
// Request:
//
// > ba-simple-proxy.php?url=http://example.com/
//
// Response:
//
// > { "contents": "<html>...</html>", "headers": {...}, "status": {...} }
//
// JSON object properties:
//
//   contents - (String) The contents of the remote URL resource.
//   headers - (Object) A hash of HTTP headers returned by the remote URL
//     resource.
//   status - (Object) A hash of status codes returned by cURL.
//
// Topic: JSONP requests
//
// This request will return the contents of the specified url in JSONP format
// (but only if $enable_jsonp is enabled in the PHP script).
//
// Request:
//
// > ba-simple-proxy.php?url=http://example.com/&callback=foo
//
// Response:
//
// > foo({ "contents": "<html>...</html>", "headers": {...}, "status": {...} })
//
// JSON object properties:
//
//   contents - (String) The contents of the remote URL resource.
//   headers - (Object) A hash of HTTP headers returned by the remote URL
//     resource.
//   status - (Object) A hash of status codes returned by cURL.
//
// Topic: Native requests
//
// This request will return the contents of the specified url in the format it
// was received in, including the same content-type and other headers (but only
// if $enable_native is enabled in the PHP script).
//
// Request:
//
// > ba-simple-proxy.php?url=http://example.com/&mode=native
//
// Response:
//
// > <html>...</html>
//
// Topic: Notes
//
// * Assumes magic_quotes_gpc = Off in php.ini
//
// Topic: Configuration Options
//
// These variables can be manually edited in the PHP file if necessary.
//
//   $enable_jsonp - Only enable <JSONP requests> if you really need to. If you
//     install this script on the same server as the page you're calling it
//     from, plain JSON will work. Defaults to false.
//   $enable_native - You can enable <Native requests>, but you should only do
//     this if you also whitelist specific URLs using $valid_url_regex, to avoid
//     possible XSS vulnerabilities. Defaults to false.
//   $valid_url_regex - This regex is matched against the url parameter to
//     ensure that it is valid. This setting only needs to be used if either
//     $enable_jsonp or $enable_native are enabled. Defaults to '/.*/' which
//     validates all URLs.
//
// ############################################################################

// Change these configuration options if needed, see above descriptions for info.
$enable_jsonp    = false;
$enable_native   = false;
$valid_url_regex = '/.*/';

// ############################################################################

$url = isset($_GET['url']) ? $_GET['url'] : '';
$header = $contents = $status = '';

if ( !$url ) {

  // Passed url not specified.
  $contents = 'ERROR: url not specified';
  $status = array( 'http_code' => 'ERROR' );

} else if ( !preg_match( $valid_url_regex, $url ) ) {

  // Passed url doesn't match $valid_url_regex.
  $contents = 'ERROR: invalid url';
  $status = array( 'http_code' => 'ERROR' );

} else {
  $ch = curl_init( $url );

  if ( strtolower($_SERVER['REQUEST_METHOD']) == 'post' ) {
    curl_setopt( $ch, CURLOPT_POST, true );
    curl_setopt( $ch, CURLOPT_POSTFIELDS, $_POST );
  }

  if ( isset($_GET['send_cookies']) && $_GET['send_cookies'] ) {
    $cookie = array();
    foreach ( $_COOKIE as $key => $value ) {
      $cookie[] = $key . '=' . $value;
    }
    if ( isset($_GET['send_session']) && $_GET['send_session'] ) {
      $cookie[] = SID;
    }
    $cookie = implode( '; ', $cookie );

    curl_setopt( $ch, CURLOPT_COOKIE, $cookie );
  }

  curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
  curl_setopt( $ch, CURLOPT_HEADER, true );
  curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );

  curl_setopt( $ch, CURLOPT_USERAGENT, !empty($_GET['user_agent']) ? $_GET['user_agent'] : $_SERVER['HTTP_USER_AGENT'] );

  // Split the raw response into header text and body at the first blank line.
  list( $header, $contents ) = preg_split( '/([\r\n][\r\n])\\1/', curl_exec( $ch ), 2 );

  $status = curl_getinfo( $ch );

  curl_close( $ch );
}

// Split header text into an array.
$header_text = preg_split( '/[\r\n]+/', $header );

if ( isset($_GET['mode']) && $_GET['mode'] == 'native' ) {
  if ( !$enable_native ) {
    $contents = 'ERROR: invalid mode';
    $status = array( 'http_code' => 'ERROR' );
  }

  // Propagate headers to response.
  foreach ( $header_text as $header ) {
    if ( preg_match( '/^(?:Content-Type|Content-Language|Set-Cookie):/i', $header ) ) {
      header( $header );
    }
  }

  print $contents;

} else {

  // $data will be serialized into JSON data.
  $data = array();

  // Propagate all HTTP headers into the JSON data object.
  if ( isset($_GET['full_headers']) && $_GET['full_headers'] ) {
    $data['headers'] = array();

    foreach ( $header_text as $header ) {
      preg_match( '/^(.+?):\s+(.*)$/', $header, $matches );
      if ( $matches ) {
        $data['headers'][ $matches[1] ] = $matches[2];
      }
    }
  }

  // Propagate all cURL request / response info to the JSON data object.
  if ( isset($_GET['full_status']) && $_GET['full_status'] ) {
    $data['status'] = $status;
  } else {
    $data['status'] = array();
    $data['status']['http_code'] = $status['http_code'];
  }

  // Set the JSON data object contents, decoding it from JSON if possible.
  $decoded_json = json_decode( $contents );
  $data['contents'] = $decoded_json ? $decoded_json : $contents;

  // Generate appropriate content-type header.
  $is_xhr = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
  header( 'Content-type: application/' . ( $is_xhr ? 'json' : 'x-javascript' ) );

  // Get JSONP callback.
  $jsonp_callback = $enable_jsonp && isset($_GET['callback']) ? $_GET['callback'] : null;

  // Generate JSON/JSONP string
  $json = json_encode( $data );

  print $jsonp_callback ? "$jsonp_callback($json)" : $json;

}

?>
Link to comment
Share on other sites
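
The local-proxy approach described in this thread (an HTTPS request to a PHP script on your own server, which uses cURL to fetch the remote content) can also be written as the narrow get-cep.php file suggested earlier: it accepts only the CEP and builds the upstream URL itself, so there is no url parameter to allowlist with $valid_url_regex. This is an added example, not code from the thread or from php-simple-proxy; the file name get-cep.php comes from the thread, while the function names, timeouts and error messages are assumptions.

```php
<?php
// get-cep.php (added example; function names, timeouts and messages are assumptions).
// The caller supplies only a CEP, never a URL, so the script cannot be
// pointed at any other host.

// Upstream endpoint exactly as used in the thread (plain HTTP only).
const UPSTREAM = 'http://cep.republicavirtual.com.br/web_cep.php';

// Normalise "01310-100" or "01310100" to eight digits; reject anything else.
function normalize_cep($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    $cep = str_replace('-', '', trim($raw));
    return preg_match('/\A[0-9]{8}\z/', $cep) ? $cep : null;
}

// Fetch the lookup script for an already validated CEP; null on any failure.
function fetch_cep_script($cep)
{
    $query = http_build_query(array('formato' => 'javascript', 'cep' => $cep));
    $ch = curl_init(UPSTREAM . '?' . $query);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // a redirect must not move the request to another host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP, // no file://, ftp:// or other schemes
        CURLOPT_CONNECTTIMEOUT => 3,
        CURLOPT_TIMEOUT        => 5,
    ));
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return ($body !== false && $code === 200) ? $body : null;
}

$cep = normalize_cep(isset($_GET['cep']) ? $_GET['cep'] : null);
if ($cep === null) {
    http_response_code(400);
    header('Content-Type: text/plain; charset=utf-8');
    exit('invalid cep');
}

$script = fetch_cep_script($cep);
if ($script === null) {
    http_response_code(502);
    header('Content-Type: text/plain; charset=utf-8');
    exit('upstream lookup failed');
}

// The body was fetched over plain HTTP, so it is unauthenticated content that
// jQuery.getScript() will execute in the HTTPS page.
header('Content-Type: application/javascript');
header('X-Content-Type-Options: nosniff');
echo $script;
```

The page would then call jQuery.getScript("/get-cep.php?cep=" + encodeURIComponent(jQuery("#cep").val()), ...) over HTTPS. Only the browser-to-server leg is encrypted; the server-to-upstream leg remains plain HTTP until the API offers HTTPS.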
