Got SSL, now all requested files are blocked (mixed content)

I have clients who use HTML that I provide on their pages. That HTML links to files on my server (JS, CSS, images, etc.).

Example of what I give them:
<link type="text/css" rel="stylesheet" href="http://www.example.org/this.css" />

I just got an SSL, so my site is now https. However, the HTML on their server, which I gave them, still uses http when requesting files from my server.

Because of this, they are getting mixed content warnings and the content is blocked. Like this:

Mixed Content: The page at 'https://www.example.org/' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.example.org/file.css'. This request has been blocked; the content must be served over HTTPS.

I can't have all of my clients change all of their links on all of their pages to "https" so that warning/blockage is prevented. That would be a nightmare.

My host is GoDaddy. My server is a Windows server, IIS: 7.0, ASP.Net Runtime Version: 4.0/4.5.

How can I resolve this on my end through web.config? My current rules are:

<configuration>
<system.webServer>
    <rewrite>
        <rules>
            <rule name="HTTP to HTTPS redirect" stopProcessing="true">
                <match url="(.*)" />
                <conditions>
                    <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                </conditions>
                <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
            </rule>
        </rules>
    </rewrite>
</system.webServer>
</configuration>

What I want is for all outside http requests to my https server to be allowed.

Thanks!

chris asked Mar 10 '23 00:03

1 Answer

You can serve the site with a Content-Security-Policy: upgrade-insecure-requests header.

The upgrade-insecure-requests CSP directive can also be specified using a meta element:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.

The upgrade-insecure-requests directive is supported in all current browsers.


Incidentally, the “The page at 'https://www.example.org/' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.example.org/file.css'” message is not one that anybody would get by just having a <link…href="http://www.example.org/this.css" /> element in the HTML for their own site. The only way they would get that message is if they navigated directly to https://www.example.org/.

sideshowbarker answered Mar 16 '23 00:03
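Applying the answer's header suggestion to the asker's IIS web.config, as an added example that is not code from the answer or from the original question: the header goes in IIS's httpProtocol/customHeaders section next to the existing redirect rule. A CSP header only governs the HTML document it is sent with, so this covers pages served from www.example.org itself (the case the answer's last paragraph points to); HTML hosted on a client's own server would need the header or the meta element on that page instead.

```xml
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Tells the browser to fetch every http:// subresource of this
             document over https:// instead of blocking it as mixed content. -->
        <add name="Content-Security-Policy" value="upgrade-insecure-requests" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <rules>
        <!-- The asker's existing redirect, kept as-is. It still upgrades top-level
             navigations, but a 301 cannot rescue a blocked stylesheet or script:
             the browser never sends that request, so it never sees the redirect. -->
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

After deploying, confirm with the browser's network panel that the stylesheet request now goes to https://www.example.org/... and that the response carries the Content-Security-Policy header.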