Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Choose protocol based on current protocol. #15

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Choose protocol based on current protocol. #15

wants to merge 1 commit into from

Conversation

jnehlmeier
Copy link

This avoids Same-Origin-Policy errors for HTTPS sites that have a SSL capable reverse proxy in front of Shoutcast server.

Introduces new option 'secure_port' used when 'https' protocol is used.

@jnehlmeier
Choose protocol based on current protocol.
9dec380 
This avoids Same-Origin-Policy errors for HTTPS sites.
@thesolver
Copy link

I'm having a hard time looking at the code, but although it would seem that if the parent page is https, the stream should be called https, if the page is http, a user may want to call the stream https regardless. Does your edit allow for this? (E.g. "force_secure"?)

@jnehlmeier
Copy link
Author

The Same-Origin-Policy of browsers generally forbids such requests. Your page runs under a specific protocol:host:port combination, e.g. http://example.com. You can not make a request to any other combination, e.g. https://example.com or http://example1.com. Browsers forbid that.
This would only be possibly if the server you want to send a request to, allows the browser to make an exception for your domain. It can do so by setting appropriate CORS HTTP headers.

So while my edits could be enhanced to allow such a "force_secure" option, the server must allow it as well. If you can not control the server, such an option is useless.

Personally I think you better make your page use HTTPS as that is the new default these days. Basic SSL certificates are free on nearly all hosting services and some browsers actually already show warnings if a page does not use HTTPS.

So I think a "force_secure" option is not really needed.

@thesolver
Copy link

Hmmm...I may not be understanding you correctly. If you are saying that a browser like Chrome will not accept http when the overall page is https, I agree. If you are saying that Chrome will not allow https within an overall page called http, then my experience (even today) is that's not true (with a hacked version of this library specifically). I agree with making pages https, otherwise I wouldn't even be writing about all this on Github. :-)

(It came out of switching to SSL and having jquery-shoutcast not work.)

But, even though I agree with SSL, many folks use low cost/free alternatives for their radio station web sites, and those may not provide the luxury of cheap SSL. I'm not saying my "force_ssl" option would be of frequent use, but it would better support folks who do a web site on the cheap. I spend to much money on my stuff, so your solution would work fine for me.

Thanks for the response!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jnehlmeier @thesolver