Construct 3 AJAX Crossdomain help

Just posted this reply elsewhere. See if this fixes it:

https://www.construct.net/en/forum/construct-3/general-discussion-7/ajax-changed-recently-not-140404#forumPost975309

Well.. I have Access-Control-Allow-Origin: "*" set on my server. My problem is from local browser preview.construct.net ajax is not working and from one of my devices samsung J6+ not working. On this 2 cases AJAX error triggers but i cant see what error. Ajax.LastData is empty

I have another device samsug J5 and Samsung note 8 and is working on them

Dont care now about allow origin from * is a big security issue im in dev mode right now.

I cant see the patern here... im trying to make the app to work on most of mobile phones

Maybe im missing something?

Sorry for my bad english.

Your English is just fine.

Yea, it's pretty annoying not to see what the actual AJAX error is.

If you read further down that post above there's some code to log incoming requests to file so you can actually see if the AJAX requests are coming through. That would be my first test to see if the various devices are even making the requests and if they are, do they have an origin.

Did that.

When i try the app from my J5 my ip logs in httporigin.log but when i try from construct 3 browser or J6+ nothing is writen in httporigin.log

Its like something from construct 3 host (or my local browser) and from samsung J6+ browser is blocking the AJAX action this is the only reason i think, but what and how can i solve this problem?

:(

Ok, that's a start.

If you see an IP in the httporigin.log then that means that it's being called from somewhere outside of your domain and I'd be surprised if it gave a response. What you should see is something like this:

preview.construct.net

mydomain.com

My next question. Do you have an HTTPS certificate on the site you're trying to access?

And this brings up another question. If you're accessing it from the phone's browser, which browser are you using? The Samsung browser or Chrome?

Well on my PC im using chrome and on the mobile devices chrome as well

What i see in the httporigin.log right now is 79.118.33.7 witch is my provider ip atm, and this is writen when i access Myapp from J5.

If i access it from Construct browser or J6+ nothing is added in httporigin.log (im clearing text from httporigin.log every try i make a AJAX call)

I do not have HTTPS certificate on the server. Maybe this is a problem?

I do not have HTTPS certificate on the server. Maybe this is a problem?

That is almost definitely the problem.

I'm going to venture a guess that the J5 is using an older version of Chrome that allowed you to access non secure sites but it doesn't give the http origin as a security measure, which would normally get blocked by AJAX being off-site. That's most likely is why you're seeing it's IP and not an origin. You may have been allowed to run your previous script as it allowed any site to run it. My script only allows specific sites to access it so it would have failed to run.

The J6 and the desktop are using newer versions of Chrome which are simply refusing to let you go from a secure site (https://preview.construct.net) to your insecure site (http://www.mysite.com) which is why they're not even attempting to make the AJAX call.

It's the same problem the other guy was having in the post I linked to: trying to make an AJAX call to a http site.

Found it.

This kinda explains it. It's called 'mixed content'

developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content

It's not that it isn't supported, it's a security hole for HTTPS. When you go from a HTTPS site and make a request to a HTTP site, it falls under the 'mixed content' and gets blocked.

If you made the AJAX call from an HTTP site to another HTTP site, it would likely have gone through without issue. It was the call from HTTPS to HTTP that caused the problem.

preview.construct.net is an HTTPS site.