1

I am using MSXML6 in a vbscript-like code to download data over HTTP. But the server now requires connections to upgrade to HTTPS. This is causing the xmlhttp object to fail with the error "msxml6.dll: Access is denied."

Set http = CreateObject("msxml2.xmlhttp.6.0")
http.open "Get", URL, False 'false is for 'async'
http.send

Using a sniffing tool, the operation stops after receiving the redirection-to-https response, and the error is generated without further details.

Requesting http://host/doc.php (plain http), the returned headers look something like this:

HTTP/1.1 301 Moved Permanently
Date: Fri, 19 Jul 2019 23:59:30 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://host/doc.php
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare

However, if the requested URL is already https, the operation resumes normally without any complaint.

Is there anything I can do on the server side to convince xmlhttp to upgrade the connection to https peacefully?

Updating the code in the client application is out of the question as it is a legacy application with so many users out there using it, without an update mechanism.

Asking the users to update the URL adding an "s" after http is workable but too much hassle, as reaching them to tell them is also not easy at all.

Edit:

The conclusion is in this comment. The summary is that this is a client-side protection feature and it cannot be overridden from the server side.

Sam Sirry
  • 631
  • 5
  • 22
  • I tried also redirecting to another host.domain.tld which is served by plain http, but the same "access is denied" error appears. This seems to be a "feature" to avoid connecting to a different host than the one requested. – Sam Sirry Jul 19 '19 at 20:05
  • You should be using the `ServerXMLHTTP` to avoid issues like this see [Xmlhttp request is raising an Access Denied error](https://stackoverflow.com/a/36292949/692942). – user692942 Jul 21 '19 at 19:48
  • Also, it's a small point but the comment `false is for 'async'` is incorrect. It's asynchronous by default which is `True` not `False`, what you have there is a synchronous request. – user692942 Jul 21 '19 at 20:06

1 Answers1

1

The problem as mentioned in Xmlhttp request is raising an Access Denied error is you need to use the Server version of XMLHTTP that isn't restricted to accessing sites trusted by IE and restricted by the IE security policies. This is because XMLHTTP is designed for client-side whereas ServerXMLHTTP is specifically designed for server-side usage.

user692942
  • 16,398
  • 7
  • 76
  • 175
  • The issue is happening on client-side. It seems the XMLHTTP refuses redirections to https or another host by default. This is what I'm trying to overcome. – Sam Sirry Jul 21 '19 at 23:37
  • 1
    Another answer (https://stackoverflow.com/a/43968140/4117210) in the link you shared points to IE settings for "Accessing data sources across domains". This has led me to reading about COR and understanding that this is a client protection for Cross-Origin-Resource fetching. It might get mitigated by adding the "Access-Control-Allow-Origin" header to the server's responses. However, this IE setting is set to Disabled by default which means that IE wouldn't even bother to check the headers of the target page. So, the final answer for this is that it cannot be done due to client-side protection. – Sam Sirry Jul 22 '19 at 02:55
  • 1
    Your answer helped me find the conclusion, and you deserve the bounty :) Thank you! (oh, it says I cannot award before a few hours pass...) – Sam Sirry Jul 22 '19 at 02:56