Question

I'm creating an API intended to be used by JavaScript clients hosted on different domains via CORS requests.

My API can only be accessed via HTTPS.

I'd like to restrict access to only those JavaScript clients that are also served from HTTPS domains.

Reading the CORS spec - http://www.w3.org/TR/cors/#user-agent-security - it appears that most user agents will automatically prevent HTTPS client to HTTP API requests.

Is it possible to require the reverse - i.e. prevent HTTP clients accessing my HTTPS API?

Solution

What about checking the Referer header to see if it begins with "https"? You could also verify that the Referer matches the Origin domain as a sanity check.

Other tips

I realize this is a bit late in coming, but I happen to be browsing CORS questions today.

The answer is to look at the "Origin" header in the request. If it doesn't start with https: then reject the request. I'm not sure what the best status code is to use, though. Probably a 403 Forbidden response.
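The Origin check from this answer, combined with the Referer sanity check from the accepted solution, as an added Node.js example that is not part of either answer. The allowlist of client origins is constructed for the example; header names are lowercase as Node exposes them.

```javascript
// Constructed allowlist of client origins permitted to call the API (https only).
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Parse the Origin header and return its normalised origin if it is an
// allowlisted https origin, otherwise a rejection reason.
function checkOrigin(origin) {
  if (!origin) return { ok: false, reason: "missing Origin" };
  let parsed;
  try {
    parsed = new URL(origin); // "null" (sandboxed/opaque origins) fails to parse
  } catch {
    return { ok: false, reason: "malformed or opaque Origin" };
  }
  if (parsed.protocol !== "https:") return { ok: false, reason: "non-https Origin" };
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return { ok: false, reason: "Origin not allowlisted" };
  return { ok: true, origin: parsed.origin };
}

// Sanity check from the accepted answer: if a Referer is present, its origin
// must match the Origin header. A missing Referer is tolerated because
// referrer policies routinely strip it, so it cannot be the only gate.
function refererMatches(referer, origin) {
  if (!referer) return true;
  try {
    return new URL(referer).origin === origin;
  } catch {
    return false;
  }
}

// Return { status, headers, reason } for a request-like object { method, headers }.
// Rejections use 403 Forbidden as suggested in the thread; a preflight
// (OPTIONS) gets 204 with CORS headers, a real request 200.
function applyCorsPolicy(req) {
  const h = req.headers;
  const check = checkOrigin(h.origin);
  if (!check.ok) return { status: 403, headers: {}, reason: check.reason };
  if (!refererMatches(h.referer, check.origin)) {
    return { status: 403, headers: {}, reason: "Referer does not match Origin" };
  }
  const headers = {
    "Access-Control-Allow-Origin": check.origin, // echo the specific origin, never "*"
    "Vary": "Origin",                            // keep shared caches from mixing origins
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
  };
  return { status: req.method === "OPTIONS" ? 204 : 200, headers, reason: "ok" };
}
```

Note that a browser enforces the CORS response headers only on the client side; the 403 is what actually denies the API call to a non-https origin, and a non-browser client can set any Origin it likes, so this is a policy for browser clients, not authentication.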

You should configure your server to allow only https calls on your API.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow