Can a Twitch extension send a request over an insecure connection if only a response code is returned?

Can a Twitch extension send a request over an insecure connection if only an HTTP response code is returned? The documentation says no mixed data, but what if there is no data?

I am trying to streamline the communication between the frontend and application, and would like to avoid touching the EBS for everything. I know that some insecure communication is allowed with some of the Twitch stuff, because I have seen many applications that can perform chat functions and even issue polls on channels directly. All I am wanting to do is send a request from the frontend that tells the application “do this thing” and the application either responds with a success or failure code. I don’t even need to send any data, just the URL. Is it possible?

You mean

Can a website over SSL send a request over an insecure connection

The answer is:

Under normal operation, no.
It will be blocked by browser security, as this is “mixed content” and SSL contexts cannot communicate with non-SSL contexts*

*ignoring certain special cases which are not worth discussing here as they cannot be utilised for your use case

Yeah, I guess that makes sense. I remember a few years back when I was asked a similar question about a page on a regular web server. I was able to make it work through CORS for the specific instance, but suggested it wasn’t a good idea.

I guess I’ll just deal with the added delay and 100x the necessary code.

CORS won’t apply as the browser blocks the outbound request.

Broadly speaking (and without checking RFCs) the order of operations is:

  1. Browser attempts request
  2. Browser does basic checks (SSL boundaries etc.)
  3. Browser does CSP checks (from the server the website is on)
  4. Browser makes request
  5. Browser checks CORS (on the destination server)
  6. Browser processes response

So going HTTPS->HTTP (or HTTPS->WS) will fail at step 2, due to mixed content.
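
The check order from the last reply, as an added JavaScript sketch that is not part of the thread: a simplified model rather than browser code, showing that a permissive CORS header on the destination cannot rescue an HTTPS->HTTP request. It ignores the special cases set aside above and matches CSP `connect-src` only by `'self'` or exact origin; all hosts and header values are constructed.

```javascript
// Simplified model of the check order in the thread; not a browser implementation.
// ext.example, ebs.example and 192.0.2.10 are constructed sample hosts.

// Basic check: a page loaded over https may not reach http: or ws: targets.
function isMixedContent(page, target) {
  if (new URL(page).protocol !== "https:") return false;
  const scheme = new URL(target).protocol;
  return scheme === "http:" || scheme === "ws:";
}

// CSP check against the page's own connect-src list (undefined = no policy).
function cspAllows(page, target, connectSrc) {
  if (!connectSrc) return true;
  const origin = new URL(target).origin;
  return connectSrc.some(src =>
    src === "'self'" ? origin === new URL(page).origin : src === origin);
}

// CORS check against the Access-Control-Allow-Origin value the destination returns.
function corsAllows(page, target, allowOrigin) {
  const pageOrigin = new URL(page).origin;
  if (new URL(target).origin === pageOrigin) return true; // same origin
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Returns the first stage that stops the request, or "ok".
function evaluateRequest({ page, target, connectSrc, allowOrigin }) {
  if (isMixedContent(page, target)) return "mixed-content"; // request never sent
  if (!cspAllows(page, target, connectSrc)) return "csp";    // request never sent
  if (!corsAllows(page, target, allowOrigin)) return "cors"; // sent, response withheld
  return "ok";
}

const PAGE = "https://ext.example/panel.html";
const SAMPLES = [
  { page: PAGE, target: "http://192.0.2.10:8080/do-thing", allowOrigin: "*" },
  { page: PAGE, target: "ws://192.0.2.10:8080/socket" },
  { page: PAGE, target: "https://ebs.example/do-thing", connectSrc: ["'self'"] },
  { page: PAGE, target: "https://ebs.example/do-thing",
    connectSrc: ["'self'", "https://ebs.example"] },
  { page: PAGE, target: "https://ebs.example/do-thing",
    connectSrc: ["'self'", "https://ebs.example"], allowOrigin: "https://ext.example" },
];

function classifySamples() {
  return SAMPLES.map(evaluateRequest);
}

classifySamples().forEach((stage, i) => console.log(SAMPLES[i].target, "->", stage));
```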