Scheme relative URL - url

There are a lot of questions on SO regarding scheme relative URL, but I don't understand what will happen in these scenarios:
1) I am on HTTPS, clicking on href="//example.com/" (example.com doesn't have SSL, it's HTTP only), so the browser will try to open HTTPS://example.com/ (because it wants to match the current scheme), and if there isn't an HTTPS scheme it will open HTTP://example.com/?
2) Vice versa, going from HTTP to HTTPS, when the target //example.com/ is only HTTPS. Will the browser open HTTPS if the destination target does not have HTTP?

The browser will try to open the URL using the same scheme it's currently on; if it's currently on HTTPS, it will request the URL with HTTPS and vice versa for HTTP. If the target server does not support that scheme, it will simply fail. In case of a server which only supports HTTPS, that usually means that it enforces HTTPS; if you make an HTTP query to that server it often simply redirects to the HTTPS version of the same page. That's entirely up to the server to do though.
If a server only supports HTTP, that usually means that it doesn't have HTTPS at all. In that case an HTTPS request would simply fail and the browser will display an error message along the lines of "couldn't establish a secure connection/couldn't connect to server".

I have found a way to do this, with some inspiration from the answer on how to link to a different port, as I needed to do both. The way is:

    <a href="/vnc.html" onclick='javascript:event.target.port=6080;event.target.protocol="https:"'>VNC connection</a><br />
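
The resolution rule from the first answer and the port/protocol override from the second, as an added example (not code from the original posts). It uses the WHATWG URL class, which follows the same parsing rules browsers apply to href values; site.test and host.test are constructed hostnames and the function names are hypothetical.

```javascript
// Added example. Hostnames are constructed placeholders.

// Resolve an href against the page it appears on and report which
// scheme the browser would actually request.
function resolveLink(href, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(href, page);
  return {
    href,
    url: target.href,
    schemeRelative: href.trim().startsWith("//"),
    cleartext: target.protocol === "http:",
    // Leaving an HTTPS page for a cleartext URL.
    downgrade: page.protocol === "https:" && target.protocol === "http:",
  };
}

// Audit the links of one page: which ones go out over cleartext HTTP?
function cleartextLinks(pageUrl, hrefs) {
  return hrefs.map((h) => resolveLink(h, pageUrl)).filter((r) => r.cleartext);
}

// Same effect as the onclick handler in the answer: keep host and path,
// force the port and the scheme.
function forceSchemeAndPort(href, pageUrl, protocol, port) {
  const u = new URL(href, pageUrl);
  u.port = String(port);
  u.protocol = protocol;
  return u.href;
}

const hrefs = ["//example.com/", "/vnc.html", "https://example.com/", "http://example.com/"];
for (const page of ["https://site.test/index.html", "http://site.test/index.html"]) {
  console.log(page);
  for (const r of hrefs.map((h) => resolveLink(h, page))) {
    console.log("  ", r.href, "->", r.url, r.cleartext ? "(cleartext)" : "");
  }
}
console.log(forceSchemeAndPort("/vnc.html", "http://host.test/index.html", "https:", 6080));
```

The scheme-relative link never falls back to the other scheme: it resolves to exactly one URL, and whether that URL works is up to the target server.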

Related

Is it possible to restrict access by using an IP address?

I have recently installed an SSL certificate on a site.
I tried accessing the site using the IP address
133.255.214.180
It redirects to
https://133.255.214.180/
It then shows the "your connection is not private" SSL certificate error. I had bought the SSL certificate for the domain name and not the IP address.
When I access the site using the domain name, for example
www.example.com
then it redirects to
https://www.example.com
without an SSL certificate error.
I used this redirection in nginx:

    server {
        listen 80;
        server_name 133.255.214.180;
        return 301 https://www.example.com;
    }

I want to make it so that when the user types the IP address into the URL bar of the browser, it redirects to the domain name, i.e. https://www.example.com, so that it doesn't show the SSL certificate error. Is this possible to achieve?
I appreciate any help. Thanks!
The HTTPS handshake is done before sending the actual request, so if you type https://something_without_valid_cert you will always receive that error.
By "sending the request" I mean even "opening" the HTTP communication, including sending back the redirect.
The reason is very simple: if the certificate is not valid you cannot trust the server; it could respond with anything, including a malicious redirect.
Your nginx configuration should work if you type http://the_ip_address. Because you send back a 301 (Moved Permanently), the browser will next time perform the redirect automatically without calling the server.

Can you force YouTube embed to use HTTP only (not HTTPS)?

Can you embed a YouTube video using HTTP - so that all resources requested use HTTP requests instead of HTTPS requests?
I tried modifying the URL of the embed to start with http:// instead of https:// but both version result in HTTPS requests being made.
No way Google would allow its sites to use HTTP only. HTTPS is the default setting for Google's domains, as mentioned in "Protecting data for the long term with forward secrecy".
You should also use HTTPS, for your own security.

Reading iOS app requests via ssl proxy

I'm trying to use Charles/Burp Suite to read request responses sent from an iOS app to a server. The requests are sent via SSL, so I've enabled an SSL proxy and installed a cert on my iPhone. This seems to work fine. However, the request response and post are still unreadable. Note that the response headers are readable, just not the actual message.
Is there a way to make the response readable or is this a result of SSL pinning?
1) You have to add the iOS device certificate (which you have done).
2) You need to add locations to the SSL Proxying table.
From the menu: Proxy--->SSL Proxy Settings...--->SSL Proxying
Click Add.
In the Host box, put the site name to translate (use wildcards if needed). Example: *.mysite.com
Leave the Port blank.
Click OK.
Make sure Enable SSL Proxying is checked, and your host filter is also checked.
Click OK.
Restart Charles.

Box.com api redirect URL to localhost

I'm trying to do some initial testing in my local environment with box.com api. I've registered the api key and I'd like to put a localhost url in redirect uri form field but it seems like it only allows https (which I don't have in localhost). Message returned:
OAuth2 redirect URL must specify a valid URL and must not be http://
The requirement for the https is a good thing. While you are still in dev it would still be an active auth token transmitted in plain text if sent to http:// which someone could grab and use to mess with your box.net account.
You are going to need to generate a self-signed certificate and install that locally to allow for this to work.
How can I create a self-signed cert for localhost?
Another option to further enhance this would be to actually buy the SSL that you are going to need for this project when it goes live and use a local DNS redirect via your hosts file to load the domain off your local dev machine as opposed to the live server.
Box has updated itself to allow localhost to be http://. For other URIs, you need https://
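
A check of the kind these answers describe (HTTPS required, plain HTTP accepted only for localhost), as an added example that is not Box's code. It decides on the parsed hostname rather than a string prefix; the function names and sample URIs are constructed, and counting 127.0.0.1 and [::1] as localhost is an assumption.

```javascript
// Added example, not Box's implementation. Sample URIs are constructed.

// Assumption: "localhost" is taken to cover the loopback literals too.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Weak form: a string-prefix test accepts any host that merely starts
// with "localhost", and anything placed before an "@".
function naiveCheck(uri) {
  return uri.startsWith("https://") || uri.startsWith("http://localhost");
}

// Stricter form: parse first, then decide on the parsed scheme and host.
function checkRedirectUri(uri) {
  let u;
  try {
    u = new URL(uri);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (u.username || u.password) {
    return { ok: false, reason: "userinfo is not allowed" };
  }
  if (u.protocol === "https:") return { ok: true, reason: "https" };
  if (u.protocol === "http:" && LOOPBACK_HOSTS.has(u.hostname)) {
    return { ok: true, reason: "http accepted for localhost only" };
  }
  return { ok: false, reason: "https required (http only for localhost)" };
}

const samples = [
  "https://app.example.com/oauth/callback",
  "http://localhost:3000/oauth/callback",
  "http://app.example.com/oauth/callback",
  "http://localhost.example.com/oauth/callback",
  "http://localhost@app.example.com/oauth/callback",
];
for (const s of samples) {
  console.log("naive:", naiveCheck(s), "parsed:", checkRedirectUri(s).ok, s);
}
```

The last two samples pass the prefix test but are rejected once the host is parsed, because neither actually points at the local machine.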

Does iOS send HTTPS requests through the HTTP proxy?

I am trying to write up an HTTP proxy server in node.js, and I have successfully managed to route unsecure HTTP connections through it. But when applications (on my iOS device) use HTTPS for APIs 'n such, it always throws an error, and the attempted HTTPS connection never hits the server. So there are a few explanations of what could possibly be happening:
iOS chooses not to send HTTPS connections over the proxy for security reasons
iOS is looking for an HTTPS connection at the server on a different port, but can't find one
Basically what I am asking is: What does iOS do with HTTPS connections when an HTTP proxy is configured?
Please ask for any details or further questions in the comments. Thanks.
