0

I am using a subdomain to reduce the size of the website. I just want to link the script from the subdomain. Scripts work perfectly well when linked from the same domain, but they do not work when linked from the subdomain. For example:

my domain = https://www.test.com

sub domain = http://abc.test.com

and I am using:

 <script src= "http://abc.test.com/js/combodate.js"  type="text/javascript"></script>
Nits
  • 2
    "not working" is a poor problem statement. What does the Console in your browser's developer tools say? What does the Network tab show — e.g. is the script loading with a 200 OK response — ? – Quentin Oct 12 '16 at 10:54
  • `http://abc.test.com/js/combodate.js` redirects to an HTML document. Is that your real URL? If not, use `example.com`, that domain is provided specifically for giving examples. – Quentin Oct 12 '16 at 10:55
  • @Quentin hi... there is no error on the console, or when I click on the link in view page source, it shows me the script. But it is not working... – Nits Oct 12 '16 at 10:56
  • @PunitGajjar I already mentioned... I am not getting any error... – Nits Oct 12 '16 at 11:00
  • 1
    @Nits — and the Network tab says what? – Quentin Oct 12 '16 at 11:00

2 Answers

2

Your error is pretty obvious from what I can see:

Your main website url uses https:// but your script subdomain uses http://, and as modern browsers have a fully-safe-domain policy currently (no different protocols for loading resources, all should be on the same protocol as the main domain, aka the one you accessed the website through), your subdomain should also use https:// or your main domain should use http://.

As stated on MDN's page about mixed content, most browsers only let mixed passive/display content (`<img>`, `<audio>`, `<video>` and `<object>` (subresources)) load through mixed content, but `<script>`, `<link>`, XMLHttpRequest, `<iframe>`, in-CSS `url()` and `<object>` (data attribute) are active content and as such could be subject to a man-in-the-middle attack; therefore browsers do not allow loading of active content in a mixed environment (tl;dr: use https for both JS and your main website, or http for both JS and main website).

It is also worth noting that the inverse (resources on https:// and main page on http://) works as expected, because the https connection to the resource is not subject to man-in-the-middle attacks, and since the page is on http:// browsers do not consider it a "security critical area", so you are able to load content through both http:// and https://

GGG
  • An answer to his question is JSONP, in my opinion. Not a problem with the protocol. – Dawid Rutkowski Oct 12 '16 at 10:57
  • 2
    @dawidr Try to use `http://` and `https://` with chrome and it'll give out a mixed content warning and not load the Js on the unsecure domain. – GGG Oct 12 '16 at 10:58
  • @GGG — The OP says there is no error on the console though. – Quentin Oct 12 '16 at 10:59
  • It's not an error but rather a warning. [Chrome silently](https://stackoverflow.com/questions/18321032/how-to-get-chrome-to-allow-mixed-content) kills [off mixed content](https://productforums.google.com/forum/#!topic/chrome/OrwppKWbKnc) and [so does Firefox](https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox?redirectlocale=en-US&redirectslug=how-does-content-isnt-secure-affect-my-safety) – GGG Oct 12 '16 at 11:00
  • @GGG yeah, I think you got me correct. Is there any solution to go with the same http subdomain? – Nits Oct 12 '16 at 11:05
  • @GGG or is there any way to link with the http subdomain to the https subdomain... Thanks – Nits Oct 12 '16 at 11:09
  • 1
    @Nits There's no way unless you make your subdomain also be https (or the main domain be http) as browsers will block the content by any means possible unless you disable that security option (but in production that wouldn't be viable, imagine a website with a popup saying: "please disable X security option so our website can work"...). – GGG Oct 12 '16 at 11:10
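
The active/passive split described in the answer above can be checked offline before a page ships. The following is an added example, not code from the thread or from any of its participants: a Node.js audit helper (`findMixedContent` is a hypothetical name, and the sample markup is constructed around the question's `<script>` tag) that lists `http://` subresources referenced by an `https://` page and labels each as active or passive.

```javascript
// Added example, not from the original thread. Tag/attribute tables follow the
// answer's active vs. passive split; findMixedContent is a hypothetical helper.
const ACTIVE = { script: 'src', link: 'href', iframe: 'src', object: 'data' };
const PASSIVE = { img: 'src', audio: 'src', video: 'src' };

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  // Only an https:// page can have mixed content.
  if (page.protocol !== 'https:') return [];
  const findings = [];
  // Regex scan is enough for an audit pass; it is not a full HTML parser.
  const tagRe = /<(script|link|iframe|object|img|audio|video)\b([^>]*)>/gi;
  for (const [, rawTag, attrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const attr = ACTIVE[tag] || PASSIVE[tag];
    // Accept src="x", src='x', src=x and stray spaces around "=".
    const attrRe = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
    const m = attrRe.exec(attrs);
    if (!m) continue;
    let url;
    try {
      // Resolves relative and protocol-relative (//host/path) references.
      url = new URL(m[1] ?? m[2] ?? m[3], page);
    } catch {
      continue; // unparsable URL: nothing to classify
    }
    if (url.protocol !== 'http:') continue;
    findings.push({
      tag,
      url: url.href,
      kind: tag in ACTIVE ? 'active' : 'passive', // active = blocked by the browser
      // Candidate fix only: the host must actually serve this path over HTTPS.
      candidate: 'https:' + url.href.slice('http:'.length),
    });
  }
  return findings;
}

// Constructed sample markup; the first tag is the one from the question.
const sampleHtml = `
<script src= "http://abc.test.com/js/combodate.js"  type="text/javascript"></script>
<script src="//abc.test.com/js/other.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src='http://abc.test.com/img/logo.png'>`;

console.table(findMixedContent('https://www.test.com/', sampleHtml));
```

The protocol-relative and root-relative references inherit `https:` from the page and are not reported; only the two explicit `http://` URLs are.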
-3

Try adding the following to your html page:

<script src="http://abc.test.com/js/combodate.js" type="text/javascript"></script>

It is important to:

  1. Make sure you use the src attribute
  2. Make sure you open and close the <script></script> tag
Daniel Apt