+ Start a Discussion

AJAX Remote Proxy and "Endpoint protocol mismatch" error

Recently I have a chance to use a new feature called "AJAX Proxy", which enables the web service callouts from S-Control pages, and just tried it to access an external XML web services. But I got a following error when invoking a web services which is provided via "http" scheme. The error tells me that  "400 Endpoint protocol(http/https) mismatch:".

I can't understand why such a restriction has been introduced. I'm seeing it is kind of excessive regulation and narrowing the possibility of AJAX Proxy. I can work around it by setting my S-Control page url from https: to http:, but changing user's page unsecure seems not to be recommended.

This feature is what we've longly waited for. I want to use it, but the restriction disturbs.

Unfortuantly this is really need to preserve the transport security, in one case (http access to saleforce, https access to 3rd party) it silient downgrades the transport protection for the last return hop, and in the reverse case, potentially confidential data that is protected by ssl between the browser and salesforce is downgraded and sent over a plain http connection to the 3rd party, that's why these mismatches are explicitly disallowed.

You're right. Under some situation end-to-end security is really necessary in order to prevent leakage of sensitive data. But on the other hand there are situations where it is not so. We can find prenty of non-sensitive (light weight) web services in the internet. In fact, how many web sites are providing their RSS feeds via SSL? Not so many. If we prevent all non-secure request we lose opportunities to integrate these light weight web service resources.

I think SFDC should provide an option which enables users to select seculity level of the remote site request.

Put it on the idea exchange.
Ron HessRon Hess
here is a WO (work around)

your scontrol is in an iframe, so only that frame's window should need to be set to http
in the onload() i call init()

function init() {
 var l = window.location;
 if ( l.protocol == 'https:' ) {
  l.href = l.href.replace(/https/,'http');

now, my scontrol can call out to RSS feeds and consume them.
i'm not a security expert, so please consult your nearest expert on how safe this is.


Hi, i used this code and i found it works. But... the "Endpoint protocol mismatch" error is produced because the program doesn't wait until the page refreshing.

So please, does anybody have a solution to this problem???