I would like to invite your considered opinion to help me decide between the following two origin policies for my Ajax app:
- Load all my assets from https://www.mydomain.com
  - Plus: Ajax is easy. No problems with Same Origin Policy.
  - Plus: PUT method offers large payloads.
  - Plus: Network error messages can be fed back to the user.
  - Minus: Server needs to sweat more to encrypt all that dross that makes up a web site. Browser needs to sweat more decrypting it all. Overall slower user experience.
- Load most of the dross via http://www.mydomain.com and use https://www.mydomain.com only for sensitive data exchanges.
  - Plus: Faster user experience as browser and, more importantly, my server do less cryptography.
  - Plus: Ajax still easy via JSONP work-around to SOP (*).
  - Minus: GET method on JSONP limits payload to 2K – may become an issue.
  - BIG Minus: Cannot find any way to grab status response from header following network errors (of whatever kind). User information cannot extend beyond “My bad”.
Any thoughts?
(*) BTW, I would really appreciate if someone could give me an example of a security vulnerability brought on by a switch of protocol on the same domain. I understand that these are different servers, but so what? They are on my domain. I control them. I do not understand the concern.
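As an added example (not code from the question or any answer), the following JavaScript shows how the Same Origin Policy the question refers to compares two URLs, so that http://www.mydomain.com and https://www.mydomain.com end up as different origins, and wraps the JSONP fallback with a check against the GET length limit. The function names and the 2048-character figure are my assumptions; the figure is taken from the 2K limit the question quotes, not from any standard.

```javascript
// Added example, not part of the original question or answers.
// Origin comparison as the browser's Same Origin Policy does it, plus a
// length check for the JSONP GET work-around. Function names and the
// 2048 limit (the question's "2K") are assumptions made for this example.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple. A different scheme alone
// is enough to make two URLs on the same host distinct origins.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(pageUrl, requestUrl) {
  return originOf(pageUrl) === originOf(requestUrl);
}

// Which transport the app is forced into: plain XHR (any method, HTTP
// status visible on failure) when origins match, otherwise the JSONP
// work-around (GET only, no status code available on failure).
function transport(pageUrl, apiUrl) {
  return isSameOrigin(pageUrl, apiUrl) ? 'xhr' : 'jsonp';
}

// Build the JSONP GET URL and flag whether it exceeds the assumed limit,
// since the whole payload has to travel in the query string.
const JSONP_URL_LIMIT = 2048;
function jsonpRequestUrl(endpoint, callbackName, params) {
  const u = new URL(endpoint);
  u.searchParams.set('callback', callbackName);
  for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
  const url = u.toString();
  return { url, withinLimit: url.length <= JSONP_URL_LIMIT };
}
```

Run with any current Node.js; `URL` is available globally and no network access is needed.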
Use SSL. Did you benchmark the performance loss for SSL? In general, modern computers are fast and SSL encryption/decryption overhead is negligible. See "How much overhead does SSL impose?" for some discussion on the subject.
Not having to use JSONP, being able to use HTTP PUT, and all the other benefits you outlined are worth more than a few CPU cycles in my book.