Hello, unfortunately the site I am working on has no SSL certificate or anything (kinda stupid, but nothing I can do). I am implementing Google+ sign-in on the site and the JavaScript is all working; I get the access token back and everything as well.
The problem is when it comes time to send the data off to the server for verification before signing a user in: is it OK to send the access token over HTTP, or do I NEED SSL for that? I have tried getting CORS to work with Ajax but I keep getting this error:
"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://www.mysite.com/Store/google_login. This can be fixed by moving the resource to the same domain or enabling CORS."
It works over HTTP obviously, but I have no idea how to get it working using HTTPS; it just keeps bringing back that same error.
I tried putting these headers at the beginning of the google_login function, and even tried it with .htaccess instead, and still nothing:
header("Access-Control-Allow-Origin: https://www.mysite.com");
header("Access-Control-Allow-Headers: Cache-Control, X-CSRF-Token, X-Requested-With, X-File-Name, X-File-Size");
So any ideas on what to do? Can I just use HTTP, maybe somehow encrypt it before sending it? I doubt it, but I don't know what else to do to get CORS working. The server has no SSL certificate by the way, could that be the problem? I have no way to fix that either, unfortunately.
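An added illustration, not part of the original post: the origin comparison a browser applies to the `Access-Control-Allow-Origin` header once a cross-origin response has actually been received. The page URL `http://www.mysite.com/Store/` and the function names are assumptions made for the example; only the simple, non-credentialed case is modelled.

```javascript
// An origin is scheme + host + port; URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

// pageUrl:     URL of the page whose script sends the request (assumed).
// targetUrl:   URL being requested.
// allowOrigin: value of the Access-Control-Allow-Origin response header,
//              or null when the header is absent.
function corsReadable(pageUrl, targetUrl, allowOrigin) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(targetUrl)) {
    return { readable: true, reason: "same origin, CORS not involved" };
  }
  if (allowOrigin === null) {
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (allowOrigin === "*" || allowOrigin === pageOrigin) {
    return { readable: true, reason: "header matches " + pageOrigin };
  }
  return {
    readable: false,
    reason: "header is " + allowOrigin + " but request Origin is " + pageOrigin,
  };
}

// Constructed inputs based on the post; the page is assumed to load over HTTP.
const PAGE = "http://www.mysite.com/Store/";
const TARGET = "https://www.mysite.com/Store/google_login";

function demo() {
  return [
    corsReadable(PAGE, TARGET, "https://www.mysite.com"), // header value from the post
    corsReadable(PAGE, TARGET, "http://www.mysite.com"),  // header naming the calling origin
    corsReadable(PAGE, "http://www.mysite.com/Store/google_login", null), // plain HTTP call
  ];
}

for (const r of demo()) console.log(r.readable, "-", r.reason);
```

Because the scheme is part of the origin, `http://www.mysite.com` and `https://www.mysite.com` are different origins even though the host is the same.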