cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can change your system assigned username to something more personal in your community settings. X

How to allow HTTP (not just HTTPS) requests in $http services?

lbviana
6-Contributor

How to allow HTTP (not just HTTPS) requests in $http services?

I think my question is pretty straightforward.

We have a local server and we want to send data to it via a http (not https) request. The owner of this server is not planning to make it https. I get it, since it is used by very few people, it is not exposed to the internet and it is an old one.

When doing the request in Vuforia View I don't receive it in the server. In the Vuforia Studio Preview it is working. I tested the service of this server in a Rest API test app and it is working fine, same request and same device as of Vuforia View. So it is looking like an http request block in the app.

 

For me it would make more sense allowing HTTP requests than making the user do another step or ask for the backend team do another service just for that.

 

There is any way to do it? I know that it is possible in other frameworks. Thanks!

 

7 REPLIES 7
sdidier
17-Peridot
(To:lbviana)

Hello Ibviana,

 

From my point of view, it doesn't make sense at all.

It will be a security issue.

 

Vuforia Experience Service and ThingWorx can be setup to use HTTP or HTTPS but not both at the same time.

 

If it is decided to encrypt HTTP data between client and server (so to use HTTPS) why allowing some requests in HTTP not secured ?

 

The right solution is to find the way to use HTTPS everytime when connecting on servers setup to use HTTPS.

 

By the way, this approach is common when using HTTPS.

Please have a look to Apache web server.

When setuping HTTPS, it is common to redirect HTTP requests to HTTPS.

So, if client send an HTTP request, it is automatically converted in client to HTTPS.

 

Best regards,

Samuel

lbviana
6-Contributor
(To:sdidier)

Thanks for your reply @sdidier !

The experience server is setup in https.

I know it is more secure, but i will post data to other server that has a service setup in http. It is an intranet server, that does not connect to the internet. Anyway have to send data to this server. 

Hi @lbviana ,

I think it could be better   to clarify the issue more precisely to be sure that you will get the correct answer

So far I understand you are trying:

1.)to access the server via $http service , right?  according to:

https://docs.angularjs.org/api/ng/service/$http

2.) you want to "send data to server" - so you are try ing a post request

https://docs.angularjs.org/api/ng/service/$http#post

may be some demo code which represent the issue will be better to understand it

3.) working in preview mode but no on end device. The first thing what we need to clarify here is that - there could be difference according to the networks. So you Studio Installation / where the Prieview mode is part of/ is on a local window device  and it possibly  has direct access to the server from the device - may be the both are in the same Intranet / same wlan.  So according your statement “ tested the service of this server in a Rest API test app and it is working fine, same request and same device as of Vuforia View. So it is looking like an http request block in the app.” So it depends on your Experience Server itself is https or http mode is used. (as mentioned by @sdidier ) For example, I am using ES with http where depending on the code , it could be possible to access any http. Another issue we can have a CORS issue - so trying to access to different domain.

In the past I had an discussion with PTC dev team  in an  internal chat and may be it could be helpful for you to share this information there:

 

How to read sensors via Rest API call in and display it Vuforia Studio experience project?
===========================
In this particular cases we have some sensors which  could be accessed  via WLAN/ Web  , where we need to scan /request the values via rest API call. So for example from javascript it should looks like:

The background here is that we have an user who want to display some sensors values in an experience. The problem is that the sensors values should be requested via Rest API call in a local intranet. This means that the end devices ( I tested IOS and Android  and observed the same behavior) are connected to a local router but  have also internet access. So, they could see the Experience Server and could download the experience. But now the experience (javaScript code ) will try to call a Rest APIs  to   local intranet devices , something like:
var url="http://172.16.40.43.5900/api/v0/dev_id=6&size_id=123";
So means the IP address of the device, where the value should be requested via Rest API call is not visible from outside the local wlan. But the mobile devices are connected in the same wlan. Therefore the customer tried to start the rest api call from Experience js code.
So I tested the problem trying to call some http requests according
So here I am refering to :

 

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Using_XMLHttpRequest

 

And tested also the fetch construct. There I observed that using a fetch construct according:

 

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

 

it was working fine  for https url but for http url it did not work!
Here the following simple sample code:
//this code will work
  fetch('https://jsonplaceholder.typicode.com/todos/6')
  .then(response => response.json())
  .then(json => {console.log(json); })
   .catch(error =>{ console.error(error);})
}; 

//... but the same code will not work for http url
 
fetch('http://ip.jsontest.com/')
  .then(response => response.json())
  .then(json => {console.log(json); })
   .catch(error =>{ console.error(error);})
}; 

 

So this issue there was the following answer form development side:

=======================================================

 

the browser is enforcing some security on the Experience web app.

The preview in localhost is running under http:// normally.  Try the published experience in the browser with a link link this and then the chrome tools can be used to get better messaging and debugging:

 https://<experience service>/ExperienceService/content/projects/<project-name>/index-desktop.html?expId=1#/Home

Because the site is served on https://, the ajax and fetch requests must also be https.  The browser is throwing this error message:

Mixed Content: The page at "...." ... This request has been blocked; the content must be served over HTTPS.

Perhaps there are way to relax the browser security guards to allow it, but its not recommended.

The easiest resolution may be to create a Thingworx service to make the request to the device and then return it.  Thingworx makes integration easy.  

There may be some other ways to serve the data on https with some kind of proxy tool.  A nodejs server, maybe the fiddertool proxy, etc.

 

And further comments:

  @1 

 

 That is correct -you cannot fetch an HTTP resource from a Javascript running in an HTTPS page. You would break the same origin policy and CSRF does not provide a way to switch origin protocol from HTTPS back to HTTP.

You have an alternative, though, to using the ThingWorx Platform as a relay: you can redefine your local REST API to be HTTPS. In this case you will need to trust its certificate from every client running Vuforia View.

If you want to test this within company network (which I did successfully).

Long story short: you need to create a keypair for the service and install+trust the certificate on your device (within the Company  network this requires to get a keypair from IT, because you cannot trust a self-signed certificate on a Company iPhone).

 

@2

 

If I'm understanding this correctly users CAN make HTTPS requests within a mobile experience to get content from external systems but user CANNOT make HTTP requests. Encrypted communication is a good best practice in this case did the customer consider using HTTPS? Why or why not? Thanks!

 

@3 

 

Yes, for me is clear that this was not a good/supported way, and I already suspected that it will be not possible , I documented one possible workaround/ solution in the community:

 

  1. https://community.ptc.com/t5/Studio-Tech-Tips/How-to-read-sensors-via-Rest-API-call-in-and-display-it-Vuforia/td-p/581091
  2. https://community.ptc.com/t5/Studio-Tech-Tips/Node-js-Rest-API-example-how-to-display-data-from-the-local/m-p/581097

Thanks for your reply @RolandRaytchev !

 

Yes I would like to do a post request in a http service in other server. In this request I will send some data to be saved.

The experience server is setup in https and the intranet server (that i will send data) has a service in http.

We don't have the ThingWorx platform, I will try the suggested workarounds.

Anyway, If it works i will let you know.

 

@RolandRaytchev I saw both workaround that you suggested use thingworx plataform and we don't have it. Do you know any other way that don't use the thingworx plataform? Like allowing http requests.

I know that is way safer to use https, but I don't have an https server for that. I talked with the backend team, and they said that the service in this intranet server will not be changed to https in the short-term. My team want to deploy the Augmented Reality App in the short-term. They want to stay with a http service because it is an intranet service and will be upgraded in the future. That is why I am insisting in the http.

 

Anyway, thanks for helping!

Ok, understand but I do not think that there is any easy option to do this. - also, according also to the dev team (previous posts). So far I understood, you use a PTC cloud solution for Experience Service , which is https, right? or do you have  on premises server (local installed) Experience Service?

May be there is still will be some options. One option is  to setup a auxiliary https server (proxy) which will work and only used as intermediate translator  server of you request between you app and the http server. I personally do not have an experience with such solution

Possibly some technique as described in the external (outside of the  PTC community) posts could be helpful :

Hacking It Out: When CORS won’t let you be great

Cross-Origin Resource Sharing (CORS-en-US)       (de)

3 Ways to Fix the CORS Error — and How the Access-Control-Allow-Origin Header Work

How to get a cross-origin resource sharing (CORS) post request working

Yes, we use a PTC cloud solution for Experience Service. I didn't participate in this PTC Cloud Server implementation, there is the possibility to create another proxy service in there?

I will see those posts you metioned, thanks!

Announcements

Top Tags