When setting up a site to run over https:// is there a way to stop the page from blocking any external css or javascript loaded from standard http://?
Some of the external files are under the same domain, so could be called via https://, but some are from another domain that has no secure connection available.
- 1 Just make sure everything is over SSL. There is a reason it would not load or at least warn the user you know. – PeeHaa Commented Jan 14, 2013 at 11:21
2 Answers
There shouldn't be. Such security measures are in place for good reason.
Even if you could remove them, doing so would be a very bad idea.
A man-in-the-middle attack would allow the JS or CSS (which can have embedded JS via various browser extensions) to be substituted.
This would allow an attacker to run any JS they liked on the page.
That JS could grab any data from the page and send it to the attacker.
The page would not be secure.
Copy the assets somewhere that you can access them over HTTPS.
You can rewrite your links without using a scheme (like "//example./styles/mystyle.css").
See this question for details.
In case some external content is unavailable via HTTPS, you can make an HTTPS proxy on your server (with some sort of caching and ACL if you like).
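
An audit sketch tying the two answers together, added here and not part of the original answers: it lists the script and stylesheet URLs an HTTPS page would load over plain http://, rewrites the ones whose host is known to serve HTTPS, and flags the rest for copying or proxying. The host names, the `HTTPS_CAPABLE` list and the sample HTML are constructed assumptions.

```javascript
// Added example. PAGE_HOST, HTTPS_CAPABLE and SAMPLE_HTML are constructed.
const PAGE_HOST = 'www.example.com';
// Hosts assumed to serve the same files over HTTPS.
const HTTPS_CAPABLE = new Set([PAGE_HOST, 'static.example.com']);

// Constructed sample page.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="stylesheet" href="//static.example.com/css/theme.css">
<link rel="icon" href="http://www.example.com/favicon.ico">
<script src="http://legacy-widgets.test/widget.js"></script>
<script src="/js/app.js"></script>
<script src="https://static.example.com/js/lib.js"></script>`;

// <script src> and <link href> with a quoted URL.
const TAG_RE = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*(["'])(.*?)\2[^>]*>/gi;
const STYLESHEET_RE = /\brel\s*=\s*["']?[^"'>]*stylesheet/i;

function auditMixedContent(html, pageHost = PAGE_HOST) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    // Only scripts and stylesheets, the two resource types the question asks about.
    if (tag === 'link' && !STYLESHEET_RE.test(m[0])) continue;
    let url;
    try {
      // Resolve the way an HTTPS page would: relative and //host URLs inherit https:.
      url = new URL(m[3].trim(), `https://${pageHost}/`);
    } catch {
      continue; // unparseable URL, nothing to load
    }
    if (url.protocol !== 'http:') continue;
    const host = url.hostname;
    if (HTTPS_CAPABLE.has(host)) {
      url.protocol = 'https:';
      findings.push({ tag, original: m[3], host, action: 'upgrade', fixed: url.href });
    } else {
      // No HTTPS on that host: copy the file to an HTTPS host or proxy it.
      findings.push({ tag, original: m[3], host, action: 'copy-or-proxy', fixed: null });
    }
  }
  return findings;
}

console.log(auditMixedContent(SAMPLE_HTML));
```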