Questions tagged [mixed-content]

Browsers warn about mixed content when some resources (e.g. images, scripts or forms) on an HTTPS site are loaded over, or posted to, HTTP.

0 votes
0 answers
55 views

Issues consuming HTTP FastAPI from HTTPS-embedded widget (frontend fetch)

How can I make a frontend widget on HTTPS communicate with an HTTP FastAPI backend without CORS or mixed content issues? I'm building a chatbot widget that's embedded into a website served over HTTPS. ...
Angel Panda
6 votes
1 answer
969 views

If I'm using HSTS, can I skip the scheme from my CSP directives?

For various reasons, I need to shrink my CSP header a bit without degrading its effectiveness. I'm able to save some bytes by wildcarding some subdomains, but I'm also tempted to strip out all ...
Tom Wright
1 vote
1 answer
274 views

Should I consider <a href></a> as dangerous mixed passive content?

From Mozilla: Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could ...
Maicake
2 votes
0 answers
164 views

Is the HTTPS lock sign displayed if resources are loaded from insecure sites?

We all know that if you visit a secure site which uses https, all modern browsers will show a padlock sign if it has a CA certified certificate. My questions are: Suppose there is an image loaded in ...
SRaj
-1 votes
2 answers
507 views

Is passive mixed content actually exploitable?

I see everywhere posts of people saying mixed content like images could lead to an attacker replacing the images being loaded from http to https, however I couldn't exploit this after hours testing ...
Tomi Begher
2 votes
2 answers
232 views

How do I let users point to their own images, yet avoid Mixed Content warnings?

I allow users of my webapp to provide a URL for their own images. They can also provide CSS which may contain URLs to images. If these URLs are HTTP then the browser does not show the padlock in the ...
Joshua Fox
2 votes
4 answers
5k views

Should I be concerned about Wayback Machine trying to load scripts from unauthenticated sources?

I regularly use Wayback Machine to help find archived versions of webpages that have been taken down or are otherwise unavailable. While using the site, I noticed a peculiar warning in Google ...
Stevoisiak
10 votes
1 answer
6k views

What's the difference between frame-ancestors and child-src?

Both options seem to control who can embed the content in an <iframe> tag, just like X-Frame-Options does. Chrome and Safari are deprecating this header (partially, allow-from for instance), so ...
5 votes
2 answers
373 views

Is it safe to submit personal information over a website with a gray (not green) https?

I am required to submit personal information as part of a form. I looked under developer tools and found this: Mixed Content: The page at ...
Sid
0 votes
1 answer
120 views

Which HTTPS certificate is the content verified by if the content comes from multiple servers?

If a webserver has an HTTPS certificate and a page on the server pulls resources from other webservers - maybe a CDN with a protocol-less path, or not, for things like static images, stylesheets, and ...
leeand00
4 votes
1 answer
957 views

OneDrive marked unsafe by Google Chrome due to unsafe scripts

The OneDrive user's drive page asks to load the following script (which is typically blocked by Chrome to be unsafe) <html> <head> <title>Bing</title> </head> <...
Paras
5 votes
1 answer
15k views

Mixed Content error in IE11 - HTTPS resource on HTTP page

I have an HTTP webpage with a piece of JavaScript that adds an iframe to the page. The iframe is pointing to an HTTPS page. In the IE11 developer console, this error appears: SEC7111: HTTPS ...
Ben Amada
4 votes
3 answers
7k views

Why did I see an insecure browser warning on a page with HTTP links?

I noticed that a particular page that is served over HTTPS gets an insecure content warning in both Chrome and Firefox. This seems to be because the page has an anchor with an href property pointing ...
Joon
2 votes
1 answer
3k views

What benefit does the IE setting "Block unsecured images with other mixed content" provide?

Internet Explorer has the security setting shown in the screenshot below. My understanding is that "unsecured images" are images that are not transmitted over HTTPS. What I am curious about is why does ...
0 votes
1 answer
13k views

Mixed content - stylesheet being blocked because of a querystring parameter?

I've just run into a scenario where a stylesheet was being blocked on a secure payment page. The stylesheet was loaded like so: <link href="/CSS/all.min.css?v=2" rel="stylesheet" type="text/css" ...
DGibbs