Mixed active content


#1

Sometimes when I am on this site my Firefox shows the lock with a gray triangle, which means it blocked active mixed content (JavaScript over plain HTTP).
Can you check what’s going on?


#2

Never saw it. Perhaps a plugin or extension in your browser?


#3

Upon refresh it usually works again. This really happens rarely; I have only seen it 2 times so far…


#4

Maybe it is not mixed content but a missing OCSP response?
If you have Firefox, can you check with F12 or Ctrl+Alt+J whether there is any security warning?
about:config:

  • security.mixed_content.block_display_content
  • security.mixed_content.block_active_content
  • security.warn_viewing_mixed.show_once
  • security.warn_viewing_mixed

These could also be interesting.

#5

“Firefox blocked unsafe content” is what it says here.

The problem is that this thing appears rarely, and upon refresh it’s gone, so I can’t see any security warnings because it doesn’t show stuff that happened before opening it.


#6

I found it.

The misused certs thread has a link that gets embedded as the whole page (which I personally don’t really like, but I already did a thread on iframing), and that one probably has an HTTP JS that gets blocked.

With all the AJAX, even when changing pages the warning doesn’t disappear; annoying stuff to debug…

So just disable this stupid embedding!
Onebox, okay, but don’t iframe whole pages!


#7

Update: the oneboxes also tend to create mixed passive content (like images), e.g. from Amazon links. This REALLY should not be done on an official CA support page…


#8

I don’t get the problem… Images from posts are mirrored locally and consequently served through HTTPS. I’ve never seen a mixed content warning and by the lack of other users posting and complaining in this topic, you seem to be the only one?


#9

Not an image from a post but from a onebox.
And it gets worse: in some cases, when the whole site is included, I even get an “active content blocked” message.


#10

Can you please provide the link to a sample so that we can check it?


#11

Mixed passive content is right in our private conversation where you posted an Amazon link; the onebox has an HTTP image in it.


#12

So here is a sample:

@Osiris, as you can see in the image, there is an http:// URL used and this is mixed content.


#13

And as I said in the misused certificates thread (Misused certificates), right at the first post there is a whole page iframed, and that has an HTTP JavaScript, which is obvious from the mixed active flag.


#14

Well, that’s just plain stupid by the poster of that URL… If you use https://, nothing would be wrong. :stuck_out_tongue:

Furthermore, the only other option would be disabling content previews altogether… So yes, perhaps sometimes you won’t get the green lock icon… I don’t see why this should be such a big deal.


#15

Yeah, this disabling of iframing whole pages would be nice. Also, I tried to call that page over HTTPS but it somehow just downgraded the connection to HTTP. Is that even possible?


#16

The site from the misused cert thread indeed downgrades to HTTP… And yes, why shouldn’t this be possible? If you can redirect a non-HTTPS to HTTPS, why wouldn’t you be able to do the same the other way around?

My remark was for Amazon, they do HTTPS finely.


#17

Well, except for that image in the onebox.
Well, I thought there are downgrade protections everywhere, and I see no reason to downgrade; I mean, if you go through the trouble of getting a cert in the first place, then use it.
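
The downgrade question in the last few posts, as an added example that is not part of the thread: a small Python script over constructed redirect chains (the hostnames are made up) that flags every https:// to http:// redirect hop and reports whether a Strict-Transport-Security header would change the outcome. Nothing stops a server from answering an HTTPS request with a redirect to plain HTTP; the only browser-side downgrade protection is HSTS, and a browser only applies it to a host it has already recorded (from an earlier HTTPS visit, or from the preload list), so a first visit is not covered.

```python
"""Spot HTTPS -> HTTP downgrade redirects and check whether HSTS would stop them.
Added example, not from the thread: the redirect chains and hostnames below are
constructed for the demonstration; each hop is (request_url, status, headers)."""
from urllib.parse import urlsplit

# Constructed chain 1: the https page answers with a redirect to plain http,
# the kind of downgrade discussed above. No HSTS header anywhere.
DOWNGRADING_CHAIN = [
    ("https://embedded.example.test/page", 301, {"Location": "http://embedded.example.test/page"}),
    ("http://embedded.example.test/page", 200, {}),
]

# Constructed chain 2: a host that sends HSTS over https. Once a browser has recorded
# it, any later http://secure.example.test/... URL is rewritten to https:// before the
# request is sent, so a server-side downgrade redirect never reaches cleartext.
HSTS_CHAIN = [
    ("https://secure.example.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains);
    return None if it is malformed or lacks max-age (browsers ignore it then)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def find_downgrades(chain):
    """Return [(from_url, to_url)] for every redirect hop that goes https -> http."""
    downgrades = []
    for url, status, headers in chain:
        location = headers.get("Location")
        if 300 <= status < 400 and location:
            if urlsplit(url).scheme == "https" and urlsplit(location).scheme == "http":
                downgrades.append((url, location))
    return downgrades


def hsts_hosts(chain):
    """Hosts whose https response carried a usable HSTS header (max-age > 0).
    HSTS received over plain http is ignored by browsers, so http hops are skipped."""
    hosts = {}
    for url, _status, headers in chain:
        parts = urlsplit(url)
        hsts = headers.get("Strict-Transport-Security")
        if parts.scheme == "https" and hsts:
            parsed = parse_hsts(hsts)
            if parsed and parsed[0] > 0:
                hosts[parts.hostname] = parsed
    return hosts


def hsts_covers(host, known):
    """Is host protected by a recorded HSTS entry (directly, or via includeSubDomains)?"""
    for known_host, (_age, include_sub) in known.items():
        if host == known_host or (include_sub and host.endswith("." + known_host)):
            return True
    return False


def audit(chain, already_known=None):
    """Classify each downgrade hop: 'followed' (the browser lands on cleartext) or
    'rewritten by HSTS' (the browser turns the http:// target back into https://).
    already_known models HSTS entries the browser recorded on earlier visits;
    a first-ever visit has none unless the host is on the preload list."""
    known = dict(already_known or {})
    known.update(hsts_hosts(chain))
    verdicts = []
    for frm, to in find_downgrades(chain):
        target_host = urlsplit(to).hostname
        verdict = "rewritten by HSTS" if hsts_covers(target_host, known) else "followed"
        verdicts.append((frm, to, verdict))
    return verdicts


if __name__ == "__main__":
    for hop in audit(DOWNGRADING_CHAIN):
        print(*hop)
    # Same site as seen by a browser that already recorded HSTS for it on an earlier visit:
    for hop in audit(DOWNGRADING_CHAIN, {"embedded.example.test": (31536000, False)}):
        print(*hop)
```

The second `audit` call is the interesting one: the same downgrade redirect is harmless for a browser that already holds an HSTS entry for the host, and harmful for one that does not, which is exactly why a site that redirects to HTTP cannot be relied on to stay on HTTPS.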


#18

I personally would vote for disabling content previews altogether.

  1. Privacy issues, so no other site can track users.
  2. Security issues, for example exploits via manipulated images/videos etc.
  3. Not every site has HTTPS available, so not all links can use HTTPS.

#19

Well, I am for server-side oneboxing (a onebox is that box which contains part of the text of the page), but without images.


#20

The obvious solution would be using a Content-Security-Policy header on this site.

The loosest CSP rule to ensure everything on the site’s pages comes only from https:// sources (and with blocked mixed content being relegated from the browser UI to the browser console) would be:

Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline';

Obviously a more thorough Content-Security-Policy would be more secure as it would tell browsers to only load content from where the site admin(s) know the content is located, but a simple CSP telling browsers to block content that shouldn’t be on a https:// page in the first place shouldn’t do any harm.
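
As an added example, not code from the thread or from the forum software: the following Python script takes a constructed HTTPS page (the page URL, hostnames and HTML are made up), classifies its subresources into active and display mixed content along the same split as the Firefox `block_active_content` / `block_display_content` preferences named earlier in the thread, and then evaluates the CSP proposed in this post against every fetch. It goes one step beyond the post by also handling `upgrade-insecure-requests`, the CSP directive that makes the browser rewrite http:// subresource URLs to https:// before fetching, so an HTTP onebox image would be upgraded rather than blocked, provided its host actually serves it over HTTPS. Host-source expressions are left out of the matcher, since the policy in the post uses only scheme-sources and keywords.

```python
"""Classify mixed content on an HTTPS page and see what a CSP does with each fetch.
Added example, not from the thread: the HTML, hostnames and page URL below are
constructed for the demonstration and describe no real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://forum.example.test/t/mixed-active-content"
# The CSP proposed above, plus a variant that rewrites http:// fetches to https://.
CSP_FROM_POST = ("default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; "
                 "style-src https: 'unsafe-inline';")
CSP_WITH_UPGRADE = "upgrade-insecure-requests; " + CSP_FROM_POST

SAMPLE_HTML = """<html><head><link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://tracker.example.test/t.js"></script></head><body>
<img src="http://images.example.test/cover.jpg"><img src="https://mirror.example.test/cover.jpg">
<iframe src="http://embedded.example.test/"></iframe>
<a href="http://just-a-link.example.test/">a navigation link, not a subresource</a>
</body></html>"""

# Subresource attributes -> (category, governing CSP directive). 'active' is what
# Firefox's block_active_content blocks; 'display' is what block_display_content governs.
SUBRESOURCES = {
    ("script", "src"): ("active", "script-src"),
    ("iframe", "src"): ("active", "frame-src"),
    ("link", "href"): ("active", "style-src"),  # only when rel contains "stylesheet"
    ("object", "data"): ("active", "object-src"),
    ("img", "src"): ("display", "img-src"),
}
# CSP fallback order: a fetch directive that is absent defers to the next one listed.
FALLBACK = {"frame-src": ["frame-src", "child-src", "default-src"]}

class SubresourceCollector(HTMLParser):
    """Collect (tag, absolute_url, category, directive) for every subresource."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for (t, attr), (category, directive) in SUBRESOURCES.items():
            if tag == t and attrs.get(attr):
                self.found.append((tag, urljoin(self.page_url, attrs[attr]), category, directive))

def collect(html, page_url):
    parser = SubresourceCollector(page_url)
    parser.feed(html)
    return parser.found


def find_mixed_content(html, page_url):
    """[(tag, url, category)] for subresources an https page would fetch over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists in a secure context
    return [(tag, url, cat) for tag, url, cat, _ in collect(html, page_url)
            if urlsplit(url).scheme == "http"]


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Does one source expression (*, 'self', a keyword, or a scheme like https:) allow url?
    Host-sources are left out; the policy above uses only scheme-sources and keywords."""
    u = urlsplit(url)
    if source == "*":
        return True
    if source == "'self'":
        return (u.scheme, u.netloc) == page_origin
    if source.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval', nonces: no URL matches
        return False
    return source.endswith(":") and u.scheme == source[:-1].lower()


def csp_verdicts(html, page_url, csp_header):
    """Per subresource: 'allowed', 'blocked', or 'upgraded' (an http:// URL rewritten to
    https:// by upgrade-insecure-requests before the source lists are consulted)."""
    policy = parse_csp(csp_header)
    origin = urlsplit(page_url)[:2]
    verdicts = []
    for tag, url, _category, directive in collect(html, page_url):
        fetch_url, upgraded = url, False
        if "upgrade-insecure-requests" in policy and urlsplit(url).scheme == "http":
            fetch_url, upgraded = "https" + url[len("http"):], True
        chain = FALLBACK.get(directive, [directive, "default-src"])
        sources = next((policy[d] for d in chain if d in policy), None)
        # No governing directive at all means CSP does not restrict this fetch.
        allowed = sources is None or any(source_matches(s, fetch_url, origin) for s in sources)
        verdicts.append((tag, url, "upgraded" if allowed and upgraded else "allowed" if allowed else "blocked"))
    return verdicts
```

Running `find_mixed_content(SAMPLE_HTML, PAGE_URL)` reports the HTTP script and iframe as active and the HTTP image as display content; the `<a>` link is never counted, because navigation is not a subresource fetch. `csp_verdicts` with `CSP_FROM_POST` blocks exactly those three fetches, and with `CSP_WITH_UPGRADE` it upgrades them instead. An upgraded fetch still fails if the image host does not answer on HTTPS, but a failed HTTPS fetch is a broken image, not mixed content.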