Mixed active content


#8

I don’t get the problem… Images from posts are mirrored locally and consequently served through HTTPS. I’ve never seen a mixed content warning and by the lack of other users posting and complaining in this topic, you seem to be the only one?


#9

Not an image from a post but from a onebox.
And it gets worse: in some cases, when the whole site is included, I even get an “active content blocked” message.


#10

Can you please provide the link to a sample so that we can check it?


#11

Mixed passive content is right in our private conversation where you posted an Amazon link: the onebox has an HTTP image in it.


#12

So here is a sample:

@Osiris as you can see in the image, there is an http:// used and this is mixed content.


#13

And as I said in the misused certificates thread (Misused certificates), right at the first post there is a whole page iframed, and that has HTTP JavaScript, which is obviously where the mixed active flag comes from.


#14

Well, that’s just plain stupid by the poster of that URL… If you use https://, nothing would be wrong. :stuck_out_tongue:

Furthermore, the only other option would be the disabling of previewing content altogether… So yes, perhaps sometimes you won’t get the green lock icon… I don’t see why this should be such a very big deal.


#15

Yeah, this disabling of iframing whole pages would be nice. Also, I tried to call that page over HTTPS but it somehow just downgraded the connection to HTTP. Is that even possible?


#16

The site from the misused cert thread indeed downgrades to HTTP… And yes, why shouldn’t this be possible? If you can redirect a non-HTTPS to HTTPS, why wouldn’t you be able to do the same the other way around?

My remark was for Amazon, they do HTTPS finely.


#17

Well, except for that image in the onebox.
Well, I thought there are downgrade protections everywhere and I see no reason to downgrade. I mean, if you go through the trouble of getting a cert in the first place, then use it.


#18

I personally would vote for disabling previewing content at all.

  1. For privacy issues, so no other site can track users.
  2. Security issues, for example exploits via manipulated images/videos etc.
  3. Not every site has HTTPS available, so not all links can use HTTPS.

#19

Well, I am for server-side oneboxing (the onebox is that box which contains a part of the text of the page) but without images.


#20

The obvious solution would be using a Content-Security-Policy header on this site.

The loosest CSP rule to ensure everything on the site’s pages only comes from https:// sources (and with blocked mixed content being relegated from the browser UI to the browser console) would be:

Content-Security-Policy: default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline';

Obviously a more thorough Content-Security-Policy would be more secure as it would tell browsers to only load content from where the site admin(s) know the content is located, but a simple CSP telling browsers to block content that shouldn’t be on a https:// page in the first place shouldn’t do any harm.
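As an added illustration (not code from this thread or from Discourse), a small Python checker that applies the header quoted above to constructed sample resources. It models only scheme-source matching and the default-src fallback, which is all that header uses; the HTTP image host is a constructed placeholder, the iframe URL is the one quoted later in the thread.

```python
from urllib.parse import urlparse

# The header value quoted in post #20, copied verbatim.
PROPOSED_CSP = ("default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval'; "
                "style-src https: 'unsafe-inline';")

# Fetch directives that inherit from default-src when not set explicitly.
FETCH_DIRECTIVES = {"img-src", "script-src", "style-src", "frame-src",
                    "font-src", "media-src", "connect-src"}


def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for raw in header.split(";"):
        parts = raw.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def is_allowed(policy, directive, url):
    """True if the URL's scheme is permitted by the effective directive.

    Only scheme-sources such as 'https:' are evaluated (enough for the header
    above); host-sources and keyword sources are deliberately not modelled.
    """
    sources = policy.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = policy.get("default-src", [])
    if sources is None:
        return True  # directive not governed by this policy
    scheme = urlparse(url).scheme.lower()
    return any(s.endswith(":") and s[:-1].lower() == scheme for s in sources)


def blocked_resources(header, resources):
    """Return the (directive, url) pairs a browser would refuse to load."""
    policy = parse_csp(header)
    return [(d, u) for d, u in resources if not is_allowed(policy, d, u)]


# Constructed onebox resources modelled on the thread: an HTTP image on a
# placeholder host, the same image over HTTPS, and the HTTP WordPress embed.
SAMPLE_RESOURCES = [
    ("img-src", "http://images.example.invalid/product.jpg"),
    ("img-src", "https://images.example.invalid/product.jpg"),
    ("frame-src", "http://thenextweb.com/insider/2016/01/07/lets-encrypts-free-https-certificates-are-already-being-used-to-distribute-malware/embed/"),
]

if __name__ == "__main__":
    for directive, url in blocked_resources(PROPOSED_CSP, SAMPLE_RESOURCES):
        print(f"blocked by {directive}: {url}")
```

Only the two http:// resources are reported; the https:// image passes, and the HTTP iframe is caught through the default-src fallback because no frame-src is set.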


#21

[quote=“My1, post:17, topic:8523”]
well I thought there are downgrade protections everywhere and I see no reason to downgrade, I mean if you go through the trouble of getting a cert in the first place then use it.
[/quote]

Transparent HTTPS —> HTTP redirect without any warnings indicates a TLS server running on port 443 with a publicly-trusted certificate and cipher suite overlap with common clients. Once a client sends application data (GET / HTTP/1.1), the server replies with a 3xx redirect to an HTTP location.

It’s very common. Visiting such sites is my daily routine.
When I need to share a site HTTP by default but supporting HTTPS with publicly-trusted cert, I share HTTPS link. If a site goes full HTTPS, links shared by me have already been HTTPS, good to be smart like that.

Yes, such redirects can result in frustration and despair. For example, instead of site you see 451 from your ISP or even IP-transit operator, so you try HTTPS. When you see 451 again without any trust warnings, it’s super-creepy. I have seen such happening with NSFW site about hamsters, shame on them.


#22

Also the question is WHY even get HTTPS in the first place if you are going to downgrade? That’s plain stupid.

I mean, you get a cert for more than enough money, set up an HTTPS server, close vulnerabilities like POODLE if they get public etc., and then you aren’t even going to use it.

That’s a whole new level of stupidity.


#23

That’s just Amazon being Amazon.

They currently refuse to serve those images with a valid HTTPS certificate, so there is nothing that Discourse can do about it.


#24

But they can just NOT show the image.

And for the thing in the misused certs thread, how about not iframing whole sites?

I mean, I can’t find it anymore, but one of LE said that this is the official means of support for LE. And for the means of support of a CA that wants to be browser trusted (and that currently is, as per cross-cert) it’s pretty shameful to try to embed non-secure ACTIVE content and, what makes it worse, it’s external.

I mean, the images are bad enough (as they usually throw a bigger warning than active content because the browser blocks those initially), but browsers that don’t have mixed content handling may get serious problems.


#25

To clarify, that wasn’t an iframe.
That was a bug dumping the whole contents of the page into the post.


#26

Let’s look at the code:
<iframe width="600" height="338" frameborder="0" class="wp-embedded-content" scrolling="no" marginheight="0" marginwidth="0" title="Embedded WordPress Post" src="http://thenextweb.com/insider/2016/01/07/lets-encrypts-free-https-certificates-are-already-being-used-to-distribute-malware/embed/" security="restricted" sandbox="allow-scripts"></iframe>
And tell me where this is NOT an iframe?


#27

I think oneboxing is okay, but maybe only with HTTPS pics (or with none at all) and, most importantly, NO iframing of whole sites.