Sunday, 15 January 2012

javascript - Can I use https for local development?


I'm attempting a slight variation of the Google+ web sign-in server-side flow described on the Google developers website.

Google's gapi code is giving this error message:

Uncaught SecurityError: Blocked a frame with origin "http://my-development-system.dev" from accessing a frame with origin "https://accounts.google.com". The frame requesting access has a protocol of "http", the frame being accessed has a protocol of "https". Protocols must match.

Am I right in saying that my local development system cannot be set up to use the https protocol?

This is not just the differing protocol (http on your site vs https on accounts.google.com), it is also because the domain does not match (and the port, for that matter). This is a restriction imposed by the Same Origin Policy.

This policy stops www.evil.com from loading a site such as www.bank.com within a frameset (or a popup window if framing is disabled) and accessing the DOM. If the DOM could be accessed, it would be a massive security risk, as a website could read private info on another site.

It is possible to allow access by implementing a CORS policy and outputting server-side headers to allow other specified domains to read content, but this would be on Google's side in this case. Unless https://accounts.google.com implements a CORS policy, you will not be able to create a client-side variation of the server-side flow. Another barrier is that CORS, if implemented, would not allow access to the DOM. However, you'd be able to retrieve content from another domain, protocol or port via AJAX calls. The target site would have to output the Access-Control-Allow-Credentials: true header in order for authentication credentials (i.e. cookies in this case) to be sent with the request and the response to be read by your domain.

Can I use https for local development?

To answer your original question, the answer is yes. You can use a self-signed certificate for these purposes, and this will not impact this particular error message in your browser (as you, the browser user, have chosen to accept and trust the certificate).

javascript cors google-oauth same-origin-policy
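
The two browser checks discussed in the answer, as an added example that is not part of the original post: the origin comparison behind the error message, and a simplified version of the CORS rule for reading a cross-origin AJAX response with cookies. The function names, the /signin path and the sample header sets are constructed for illustration.

```javascript
// Added example: models the Same Origin Policy comparison and a simplified
// CORS read check. Function names and sample inputs are assumptions.

// Two URLs are same-origin only if scheme, host and port all match.
// URL.origin normalises default ports (80 for http, 443 for https).
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Report which parts of the origin tuple differ between two URLs.
function originDiff(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const port = (u) => u.port || (u.protocol === "https:" ? "443" : "80");
  const diff = [];
  if (ua.protocol !== ub.protocol) diff.push("protocol");
  if (ua.hostname !== ub.hostname) diff.push("host");
  if (port(ua) !== port(ub)) diff.push("port");
  return diff;
}

// Simplified CORS check: may script on pageUrl read a cross-origin
// response that carries these headers?
function corsAllowsRead(pageUrl, headers, withCredentials) {
  const origin = new URL(pageUrl).origin;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // no CORS policy at all
  if (!withCredentials) return allowOrigin === "*" || allowOrigin === origin;
  // With cookies: the wildcard is rejected and the exact origin must be
  // echoed together with Access-Control-Allow-Credentials: true.
  return allowOrigin === origin &&
         h["access-control-allow-credentials"] === "true";
}

// Constructed sample input based on the origins in the error message.
const dev = "http://my-development-system.dev/signin";
const google = "https://accounts.google.com/";
console.log(sameOrigin(dev, google), originDiff(dev, google));
```

Serving the development site over https with a self-signed certificate removes only the "protocol" entry from the difference; host and port handling still make the two origins distinct.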
