ssl_requirement ajax call from non https to https

I have a page that has nothing on it that needs to be secured by SSL,
except when someone wants to hit an ajax request to login.

I don't want to secure every page, just so that when I render a
partial that needs to be https, it'll be protected.

I'm using the ssl_requirement plugin.

Any ideas on what to do? Is this even possible? Or will I have to
encrypt every single page? I'd rather not do popup windows,
everything's nice and slickly inserted with cool DOM manipulation.

Thanks!

I have a page that has nothing on it that needs to be secured by SSL,
except when someone wants to hit an ajax request to login.

I don't want to secure every page, just so that when I render a
partial that needs to be https, it'll be protected.

I think that single origin policy says you can't do that. If your
login form is a regular form then you'll be ok.

Fred

Yes, but a regular form will submit non ssl encrypted information, so
that would defeat the purpose.

So I need to render the partial as https... but only when I need.

Currently there's a link_to_remote that hits an action that's
ssl_required, but that doesn't work unless the page that's going to
render that partial through ajax is also ssl_required.

Since this link_to_remote lives everywhere, that'd mean my entire site
needs to be secured by ssl. That's ridiculous. I'm sure this is a
common problem, what are people doing to solve this issue?

Yes, but a regular form will submit non ssl encrypted information, so
that would defeat the purpose.

Not if you set the url for that normal form to be an https one. Still
doesn't help you as far as the ajaxyness goes. Is it not acceptable
for the link_to_remote to insert into the page a form (and for that
form submit to be a regular non ajax form) ?

Fred

So if I modified my form to use a https protocol, I could load up the
form without it being https, and the submission would still be SSL
secured?

So if I modified my form to use a https protocol, I could load up the
form without it being https, and the submission would still be SSL
secured?

Yup, that should work (with a non ajax form)

Fred

In theory it should work, but with this ssl_requirement plugin, it's
still not happy. When I try to give my form a protocol, it does a few
different things:

:protocol => 'https'

yields this on my localhost (for testing): httpslocalhost/controller/
action

Which is really weird. And nothing happens if I give it the https://
protocol.

It might be a problem with my lighty setup proxying the ssl over to
the mongrel. I know lighty sits on port 80, so it might not be hit
correctly, while ssl_requirement will forward you correctly.

Any other ideas?

Thanks again for your help so far.

In theory it should work, but with this ssl_requirement plugin, it's
still not happy. When I try to give my form a protocol, it does a few
different things:

:protocol => 'https'

yields this on my localhost (for testing): httpslocalhost/controller/
action

hmm, protocol => 'https://' should work if i recall correctly.
As a test, does it work if you specify the url in full (ie just
hardcode https://localhost/foo/bar) ?

Fred

protocol => 'https://' does work, but it's weird that we have to
include the ://.

Anyway, I ended up using the iframe trick of doing a target in the
form tag.

I still can't believe more people don't have this issue?

I'm getting a problem now that it's no longer AJAX'y. I'm using a
responds_to_parent plugin which doesn't seem to be working either.

Nobody else has ever come across this issue?