CORS ajax call to self-signed secure URL

Question

I have a website hosted on domain-a.com, which we are about to install an SSL certificate on. The certificate is issued by a CA so it will be trusted by browsers.

After pageload on domain-a.com, an ajax call is made to domain-b.com using CORS to retrieve some additional information to display on the page.

I have two questions:

1. Do I also need to install an SSL certificate on domain-b.com? What will happen in the users browser if I don't?

2. If I do install an SSL certificate on domain-b.com, but I use a self-signed certificate as opposed to one issued by a CA, will that work, or will there be warnings/errors thrown by the user's browser?

Answer 1

I set up some test pages to see how this behaved, and it looks like you do need to install SSL on domain-b.com. Most browsers I tested blocked the nonsecure content. Others gave a warning. The same things happened if domain-b.com had a self-signed certificate. The connection was still blocked.

The simplest and cheapest solution I found was to install a free SSL certificate from StartSSL on domain-b.com. This CA seems to be recognized by the browsers I tested on so the connection to domain-b.com works fine. If anyone sees any issues with this that I'm not thinking of, please let me know.