
How to force loading dynamic, insecure content in Chrome?

I'm using Jira in https and I have some adjustments I'd like to make with some extra JS. My JS is hosted on an insecure server (no https available).

When I dynamically load the insecure JS file by inserting it into the DOM (using a browser extension), Chrome tells me:

[blocked] The page at https://jiraserver/browse ran insecure content from http://myserver/jira.js.

I can see how this is very secure and all, but I don't care. I want to load that insecure JS file. How can I tell Chrome to trust me and just do what I say?

My insertion method (in the extension code):

document.body.appendChild((function(s){s.src='http://myserver/jira.js';return s;})(document.createElement('script')));

Rudie asked Dec 27 '12 17:12


3 Answers

According to this Chrome Support Q&A you can launch your Chrome with the following command line flag to prevent Chrome from checking for insecure content:

--allow-running-insecure-content

Here is some documentation on how to run Chrome with command flags

ariera answered Nov 19 '22 01:11


Chrome simply will not load an insecure script in a secure page.

Does your jira.js have to be loaded from a server? The best way to inject it into the page would be by including it in your extension bundle.

var s = document.createElement('script');
s.src = chrome.extension.getURL("jira.js");
s.onload = function() {
    this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);

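If you must load it from a server, I suppose your extension could make an XHR request for the script, then inject the response into the page.

// Make an XHR request from the extension, then inject the response text.
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://myserver/jira.js');
xhr.onload = function() {
    var s = document.createElement('script');
    s.textContent = xhr.responseText;
    (document.head||document.documentElement).appendChild(s);
    s.parentNode.removeChild(s);
};
xhr.send();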

josh3736 answered Nov 19 '22 01:11
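
An added example (not part of the answers above and not Chrome's own code): a simplified JavaScript model of the mixed-content decision, showing why http://myserver/jira.js is blocked on https://jiraserver/browse while a bundled or HTTPS-served copy is not. The `auditMixedContent` name, the type lists and every sample URL except the two from the question are assumptions made for illustration.

```javascript
// Simplified model of mixed-content checks. Type lists follow the W3C
// Mixed Content categories; sample URLs other than the two taken from
// the question are constructed.
const ACTIVE = new Set(['script', 'stylesheet', 'iframe', 'xhr', 'fetch']);
const PASSIVE = new Set(['image', 'audio', 'video']);
// Assumption: chrome-extension: is treated as a secure scheme, which is
// why the bundled copy suggested in the answer above can load.
const SECURE_SCHEMES = new Set(['https:', 'wss:', 'data:', 'chrome-extension:']);
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// A target is acceptable on an https page if its scheme is secure or it
// points at a loopback host (treated as potentially trustworthy).
function isSecureTarget(url) {
  return SECURE_SCHEMES.has(url.protocol) || LOOPBACK.has(url.hostname);
}

// Returns one finding per resource that an https page would load insecurely.
function auditMixedContent(pageUrl, resources) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // checks apply to secure pages only
  const findings = [];
  for (const res of resources) {
    const target = new URL(res.url, page); // resolves relative and //host URLs
    if (isSecureTarget(target)) continue;
    let verdict = 'unknown-type';
    if (ACTIVE.has(res.type)) verdict = 'blocked';       // the jira.js case
    else if (PASSIVE.has(res.type)) verdict = 'passive'; // warned or upgraded, by browser version
    findings.push({ type: res.type, url: target.href, verdict });
  }
  return findings;
}

const SAMPLE = [
  { type: 'script', url: 'http://myserver/jira.js' },                  // from the question
  { type: 'script', url: '//myserver/jira.js' },                       // inherits https from the page
  { type: 'script', url: 'chrome-extension://constructedid/jira.js' }, // bundled copy
  { type: 'stylesheet', url: 'http://cdn.example/client.css' },        // constructed
  { type: 'image', url: 'http://cdn.example/logo.png' },               // constructed
  { type: 'script', url: 'http://localhost:8080/dev.js' },             // constructed
];

for (const f of auditMixedContent('https://jiraserver/browse', SAMPLE)) {
  console.log(f.verdict.padEnd(8), f.type.padEnd(10), f.url);
}
```

Running the same audit over a page's real resource list before moving it to HTTPS shows which references need an HTTPS host, a CDN, or bundling.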


I had the same problem: our client links a CSS file and a JS file hosted on our server, on a domain which is not secure.

We will solve it by using Amazon CloudFront. They serve HTTPS using their certificates, which are verified.

That's not a bad solution for us since a CDN is often a good idea and these resources are somewhat static. (The CSS file is tailored for each client and is in fact generated, but a sane TTL can be configured and the CDN flushed if required.)

Note that the CDN solution may even be more affordable than actually buying a certificate depending on your data load.

programaths answered Nov 19 '22 01:11