Allow loading HTTP resources over HTTPS

Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP, how can I do this?

Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS websites but I don't exactly know how can I do this. Can someone give me a solution?

Afshin Mehrabani asked Feb 14 '15 16:02


People also ask

Can I force HTTP instead of HTTPS?

This is impossible, because the host decides which requests it accepts. Google and Facebook are both HTTPS-only. Using HTTP will just get you a redirect to HTTPS.

Was loaded over HTTPS but requested an insecure resource?

You are trying to access via "http" on an "https" site; it's best to use "https" content. You shouldn't access insecure data on a secure channel. Sometimes just using 'http' instead of 'https' can solve this issue.

How do I allow certain content only on https sites?

One of these wider rules allows certain content only on HTTPS sites and not on HTTP sites. Here is how you'd configure Chrome to do just that. Open chrome://settings/content in the browser to display the available content settings. Locate JavaScript on the page and click on it to display the available options.

What happens when an HTTPS page is loaded over HTTP?

This happens when an HTTPS site loads something like an image or audio file which is served over HTTP. Because this type of content is included in an HTTPS webpage, it cannot alter other portions of the webpage. However, it's still a bad security practice that could cause problems.

Will HTTPS pages be able to load on Chrome?

In a blog post, the Chrome security team said https:// pages will only be able to load secure (https://) subresources. The change won't happen overnight, but in a series of gradual steps. According to Google, Chrome users now spend over 90 percent of their browsing time on HTTPS on all major platforms.

How do I use HTTPS URLs with HTTP resources?

You need to only use https:// URLs when loading resources on your page. For each URL that loads HTTP resources, update the link references to point to the HTTPS counterparts. In some cases, you may find that the resources in question are not available over HTTPS, in which case seek to do one of the following:


1 Answer

There is no solution. Modern browsers will deny using non-https resources in pages served by https because you effectively undermine the security model of https this way. CSP will not help because it does not fix the issue. Your only choice is to either serve the site by http or to proxy includes from external non-https sites through your own site. But note that the latter option might affect the security model too, because now these external resources are seen as originating from the same domain as your own content and thus could misuse the same origin policy.

Steffen Ullrich answered Oct 09 '22 11:10
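To find the mixed content the answer describes before a browser blocks it, here is an added example (not code from the question or the answer) that scans an HTML document for subresources still referenced over http:// and labels them by how browsers treat them. The page URL, hostnames and the sample HTML are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource-loading attributes. Scripts, stylesheets, frames and plugin content
# are "blockable" mixed content: an https:// page cannot load them over http://
# at all. Images and media are "optionally blockable": browsers may still fetch
# them but mark the page as not fully secure.
BLOCKABLE = {("script", "src"), ("link", "href"), ("iframe", "src"),
             ("object", "data"), ("embed", "src")}
OPTIONALLY_BLOCKABLE = {("img", "src"), ("audio", "src"),
                        ("video", "src"), ("source", "src")}
SEVERITY = {**{p: "blocked" for p in BLOCKABLE},
            **{p: "warning" for p in OPTIONALLY_BLOCKABLE}}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url, severity) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only rel="stylesheet" links are fetched as subresources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, a), severity in SEVERITY.items():
            if tag == t and attrs.get(a):
                url = urljoin(self.page_url, attrs[a])  # resolves relative and // URLs
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, url, severity))


def audit(html, page_url="https://www.example.test/page"):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one blocked stylesheet, one blocked plugin object,
# one image warning; the canonical link, the protocol-relative script and the
# relative image are not mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/page">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/local/logo.png">
<object data="http://legacy.example.test/widget.swf"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, url, severity in audit(SAMPLE_PAGE):
        print(f"{severity:8} <{tag}> {url}")
```

The one CSP directive that touches mixed content, upgrade-insecure-requests, rewrites these http:// URLs to https:// before fetching; it never lets http:// through, which is why the answer says CSP does not help.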