
How does Optimizely trick Chrome to not prompt for loading insecure content

In one of the latest Chrome updates, the Chrome team added the "load anyway" message that prompts a user to approve loading insecure content on secure pages. Somehow Optimizely have found a way to "trick" Chrome not to ask that question and simply load the content with the yellow warning key, e.g.: https://www.optimizely.com/edit#url=http://www.yahoo.com/

I can't seem to understand how they did it... Does anyone understand?

Thanks

Amnon asked Aug 06 '12 16:08


2 Answers

It looks like they do it after page load. The initial page served only includes an innocuous <iframe></iframe> - no insecure content loaded yet. JavaScript does the actual loading of the iframe.

I did some testing and I can't get any message to appear on Chromium 18 (Linux). However, on my test page, the security icon starts green on page load, then turns yellow when the insecure content is loaded to the iframe. The exact same happens on Optimizely. So my best guess is that this method will avoid the "Load Anyway" message while letting you load insecure content.

Don't count on that though - if this is a new Chrome feature, it's likely they'll figure out this trick as well and fix it later. ;)

kitti answered Oct 28 '22 14:10
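
The pattern this answer describes (an empty iframe in the served HTML, with the http: URL assigned by script afterwards) is why a check of the initial markup alone misses the insecure frame. As an added example, not code from the post or from Optimizely, here is a classifier plus a browser-side MutationObserver that flags such frames when they appear; the function names and the sample timeline are constructed for illustration.

```javascript
// Added example (hypothetical names): true when a frame URL is insecure (http:)
// content on an https: page. Browser loopback exemptions are not modelled here.
function isMixedFrame(pageUrl, frameSrc) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return false; // mixed content only exists on secure pages
  if (!frameSrc) return false;                  // bare <iframe></iframe>: nothing loaded yet
  let target;
  try { target = new URL(frameSrc, page); } catch { return false; }
  return target.protocol === 'http:';
}

// Replays recorded src values of one iframe and returns the insecure loads with their phase.
function auditFrameTimeline(pageUrl, events) {
  return events
    .filter((e) => isMixedFrame(pageUrl, e.src))
    .map((e) => ({ phase: e.phase, src: new URL(e.src, pageUrl).href }));
}

// Browser only: report iframes inserted or re-pointed at http: after page load. Sees changes
// made via the src attribute or .src property, not contentWindow.location navigations.
function watchFrames(report) {
  const check = (el) => {
    if (el.tagName === 'IFRAME' && isMixedFrame(location.href, el.getAttribute('src'))) {
      report(el.src);
    }
  };
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes') check(m.target);
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue; // elements only
        check(node);
        node.querySelectorAll('iframe').forEach(check);
      }
    }
  });
  observer.observe(document.documentElement, {
    childList: true, subtree: true, attributes: true, attributeFilter: ['src'],
  });
  return observer;
}

// Constructed timeline matching the answer: empty frame in the HTML, http: URL set by script.
const SAMPLE_TIMELINE = [
  { phase: 'initial-html', src: '' },
  { phase: 'script-after-load', src: 'http://www.yahoo.com/' },
];
if (typeof document !== 'undefined') watchFrames((src) => console.warn('insecure frame:', src));
```

Run in Node, the block only defines the functions; loaded in a page, it also starts the observer and logs each insecure frame as it is attached.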


They don't seem to get around it on Chrome: they ask the user to enable it, as per this screenshot: [screenshot]

David d C e Freitas answered Oct 28 '22 15:10