How to display non-SSL images on HTTPS connection?

Question

On my https web site, how can I display images from a web site without a certificate?

I own the example domain of:

• http://www.example.com
• http://static.example.com (used for my CDN)

I own a certificate for www.example.com but not for static.example.com.

On my www.example.com domain, you can register for the service over SSL using httpS://www.example.com

On the registration form (www.), I want to display images from my CDN which is on http://static.example.com but don't own a certificate for that subdomain.

On the https://www.example.com registration form - I'm using AJAX to dynamically pull over the image from http://static.example.com. It seems that the web browser does not display non-SSL images at all when using AJAX. However, if that image were located on the httpS://www.example.com domain (the same as the registration form), the image will display via AJAX.

For architecture & design reasons, I would like to keep those images on my CDN (static.example.com) without having to purchase a certificate.

Does anyone know how I can display these images via AJAX from my non-SSL subdomain on my httpS://www.example domain?

Thanks in advance.

Answer 1

you can make your own ssl proxy.

Run all the images through this script. Just make a file and put this PHP code inside. Use curl or file_get_contents to echo out the content.

So if you want to call the secure image, you call it like this:

https://mysecureserver.com/path_to_this_script/?url=[base64 encoded image link]

<?php   
  $strFile = base64_decode(@$_GET['url']);
  $strFileExt = end(explode('.' , $strFile));
  if($strFileExt == 'jpg' or $strFileExt == 'jpeg'){
    header('Content-Type: image/jpeg');
  }elseif($strFileExt == 'png'){
    header('Content-Type: image/png');
  }elseif($strFileExt == 'gif'){
    header('Content-Type: image/gif');
  }else{
    die('not supported');
  }
  if($strFile != ''){
    $cache_ends = 60*60*24*365;
    header("Pragma: public");
    header("Cache-Control: maxage=". $cache_ends);
    header('Expires: ' . gmdate('D, d M Y H:i:s', time() + $cache_ends).' GMT');

    //... [and get the content using curl or file_get_contents and echo it out ]

  }
  exit;
?>

Answer 2

There is no way to do this without a certificate for static.example.com that will not trigger a security warning or prompt in some browsers (particularly Internet Explorer).

GoDaddy sells SSL certificates for $30ish. I'd say spring for the little bit of cash.