Skip to main content
L
lbviana1-Visitor
1-Visitor
May 22, 2020
Question

How to allow HTTP (not just HTTPS) requests in $http services?

  • May 22, 2020
  • 2 replies
  • 9890 views

I think my question is pretty straightforward.

We have a local server and we want to send data to it via a http (not https) request. The owner of this server is not planning to make it https. I get it, since it is used by very few people, it is not exposed to the internet and it is an old one.

When doing the request in Vuforia View I don't receive it in the server. In the Vuforia Studio Preview it is working. I tested the service of this server in a Rest API test app and it is working fine, same request and same device as of Vuforia View. So it is looking like an http request block in the app.

 

For me it would make more sense allowing HTTP requests than making the user do another step or ask for the backend team do another service just for that.

 

There is any way to do it? I know that it is possible in other frameworks. Thanks!

 

2 replies

S
sdidier17-Peridot
17-Peridot
May 25, 2020

Hello Ibviana,

 

From my point of view, it doesn't make sense at all.

It will be a security issue.

 

Vuforia Experience Service and ThingWorx can be setup to use HTTP or HTTPS but not both at the same time.

 

If it is decided to encrypt HTTP data between client and server (so to use HTTPS) why allowing some requests in HTTP not secured ?

 

The right solution is to find the way to use HTTPS everytime when connecting on servers setup to use HTTPS.

 

By the way, this approach is common when using HTTPS.

Please have a look to Apache web server.

When setuping HTTPS, it is common to redirect HTTP requests to HTTPS.

So, if client send an HTTP request, it is automatically converted in client to HTTPS.

 

Best regards,

Samuel

L
lbviana1-VisitorAuthor
1-Visitor
May 26, 2020

Thanks for your reply @sdidier !

The experience server is setup in https.

I know it is more secure, but i will post data to other server that has a service setup in http. It is an intranet server, that does not connect to the internet. Anyway have to send data to this server. 

R
RolandRaytchev21-Topaz I
21-Topaz I
May 25, 2020

Hi @lbviana ,

I think it could be better   to clarify the issue more precisely to be sure that you will get the correct answer

So far I understand you are trying:

1.)to access the server via $http service , right?  according to:

https://docs.angularjs.org/api/ng/service/$http

2.) you want to "send data to server" - so you are try ing a post request

https://docs.angularjs.org/api/ng/service/$http#post

may be some demo code which represent the issue will be better to understand it

3.) working in preview mode but no on end device. The first thing what we need to clarify here is that - there could be difference according to the networks. So you Studio Installation / where the Prieview mode is part of/ is on a local window device  and it possibly  has direct access to the server from the device - may be the both are in the same Intranet / same wlan.  So according your statement “ tested the service of this server in a Rest API test app and it is working fine, same request and same device as of Vuforia View. So it is looking like an http request block in the app.” So it depends on your Experience Server itself is https or http mode is used. (as mentioned by @sdidier ) For example, I am using ES with http where depending on the code , it could be possible to access any http. Another issue we can have a CORS issue - so trying to access to different domain.

In the past I had an discussion with PTC dev team  in an  internal chat and may be it could be helpful for you to share this information there:

 

How to read sensors via Rest API call in and display it Vuforia Studio experience project?
===========================
In this particular cases we have some sensors which could be accessed via WLAN/ Web , where we need to scan /request the values via rest API call. So for example from javascript it should looks like:

The background here is that we have an user who want to display some sensors values in an experience. The problem is that the sensors values should be requested via Rest API call in a local intranet. This means that the end devices ( I tested IOS and Android and observed the same behavior) are connected to a local router but have also internet access. So, they could see the Experience Server and could download the experience. But now the experience (javaScript code ) will try to call a Rest APIs to local intranet devices , something like:
var url="http://172.16.40.43.5900/api/v0/dev_id=6&size_id=123";
So means the IP address of the device, where the value should be requested via Rest API call is not visible from outside the local wlan. But the mobile devices are connected in the same wlan. Therefore the customer tried to start the rest api call from Experience js code.
So I tested the problem trying to call some http requests according
So here I am refering to :

 

https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/Using_XMLHttpRequest

 

And tested also the fetch construct. There I observed that using a fetch construct according:

 

https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API

 

it was working fine for https url but for http url it did not work!
Here the following simple sample code:

//this code will work
 fetch('https://jsonplaceholder.typicode.com/todos/6')
 .then(response => response.json())
 .then(json => {console.log(json); })
 .catch(error =>{ console.error(error);})
}; 

//... but the same code will not work for http url
 
fetch('http://ip.jsontest.com/')
 .then(response => response.json())
 .then(json => {console.log(json); })
 .catch(error =>{ console.error(error);})
};

 

So this issue there was the following answer form development side:

=======================================================

 

the browser is enforcing some security on the Experience web app.

The preview in localhost is running under http:// normally. Try the published experience in the browser with a link link this and then the chrome tools can be used to get better messaging and debugging:

 https://<experience service>/ExperienceService/content/projects/<project-name>/index-desktop.html?expId=1#/Home

Because the site is served on https://, the ajax and fetch requests must also be https. The browser is throwing this error message:

Mixed Content: The page at "...." ... This request has been blocked; the content must be served over HTTPS.

Perhaps there are way to relax the browser security guards to allow it, but its not recommended.

The easiest resolution may be to create a Thingworx service to make the request to the device and then return it. Thingworx makes integration easy. 

There may be some other ways to serve the data on https with some kind of proxy tool. A nodejs server, maybe the fiddertool proxy, etc.

 

And further comments:

  @1 

 

 That is correct -you cannot fetch an HTTP resource from a Javascript running in an HTTPS page. You would break the same origin policy and CSRF does not provide a way to switch origin protocol from HTTPS back to HTTP.

You have an alternative, though, to using the ThingWorx Platform as a relay: you can redefine your local REST API to be HTTPS. In this case you will need to trust its certificate from every client running Vuforia View.

If you want to test this within company network (which I did successfully).

Long story short: you need to create a keypair for the service and install+trust the certificate on your device (within the Company network this requires to get a keypair from IT, because you cannot trust a self-signed certificate on a Company iPhone).

 

@2

 

If I'm understanding this correctly users CAN make HTTPS requests within a mobile experience to get content from external systems but user CANNOT make HTTP requests. Encrypted communication is a good best practice in this case did the customer consider using HTTPS? Why or why not? Thanks!

 

@3 

 

Yes, for me is clear that this was not a good/supported way, and I already suspected that it will be not possible , I documented one possible workaround/ solution in the community:

 

  1. https://community.ptc.com/t5/Studio-Tech-Tips/How-to-read-sensors-via-Rest-API-call-in-and-display-it-Vuforia/td-p/581091
  2. https://community.ptc.com/t5/Studio-Tech-Tips/Node-js-Rest-API-example-how-to-display-data-from-the-local/m-p/581097
    L
    lbviana1-VisitorAuthor
    1-Visitor
    May 26, 2020

    Thanks for your reply @RolandRaytchev !

     

    Yes I would like to do a post request in a http service in other server. In this request I will send some data to be saved.

    The experience server is setup in https and the intranet server (that i will send data) has a service in http.

    We don't have the ThingWorx platform, I will try the suggested workarounds.

    Anyway, If it works i will let you know.

     

    Terms & ConditionsCookie settingsAccessibility statement