Menu
Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP, how can I do this?
Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS websites but I don't exactly know how can I do this. Can someone give me a solution?
991
This is impossible, because the host decides which requests it accepts. Google and Facebook are both HTTPS-only. Using HTTP will just get you a redirect to HTTPS.
You are trying to access via "http" on a "https" site, its best to use "https" content. You shouldn't access insecure data on a secure channel. Sometimes just use 'http' instead of 'https' can solve this issue.
One of these wider rules allows certain content only on HTTPS sites and not on HTTP sites. Here is how you'd configure Chrome to do just that. Open chrome://settings/content in the browser to display the available content settings. Locate JavaScript on the page and click on it to display the available options.
This happens when an HTTPS site loads something like an image or audio file which is served over HTTP that is included in an HTTPS webpage, this type of content cannot alter other portions of the webpage. However, it’s still a bad security practice that could cause problems.
In a blog post, the Chrome security team said https:// pages will only be able to load secure (https://) subresources. The change won't happen overnight, but in a series of gradual steps. According to Google, Chrome users now spend over 90 percent of their browsing time on HTTPS on all major platforms.
You need to only use https:// URLs when loading resources on your page. For each URL that loads HTTP resources, update the link references to point to the HTTPS counterparts. In some cases, you may find that the resources in question are not available over HTTPS, in which case seek to do one of the following:
There is no solution. Modern browsers will deny using non-https resources into pages served by https because you effectively undermine the security model of https this way. CSP will not help because it does not fix the issue. Your only choice is to either serve the site by http or to proxy includes from external non-https sites by your own site. But note that the latter option might affect the security model too, because now these external resources are seen as originating by the same domain as your own content and thus could misuse the same origin policy.
86
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
