The Surprising Mixed Content Handling on SSL/HTTPS Enabled Websites

Mattias Geniar, Tuesday, December 23, 2014 - last modified: Wednesday, December 24, 2014

I already mentioned mixed content warnings as one of the more difficult reasons to switch on HTTPS, but what I didn't realise until now is how differently browsers handle the various media types in mixed content scenarios.

Mixed Content warnings occur when you include HTTP content in an HTTPS-enabled website. This isn't handled the same way in every browser. Internet Explorer has had mixed content warnings as early as IE5, whereas Safari still allows mixed content to this day, as tested in Safari 8.0.2. Safari, the default browser on Mac OS X, doesn't block Mixed Content. It shows a warning in a well-hidden JavaScript developer console that you have to enable in the Advanced settings, but it still allows the content to load.

Modern, more secure browsers correctly block these requests.

So clearly, "Mixed Content warnings" are a concept that isn't widely respected.

But even in browsers that do support it, there is a difference between active and passive resources. Any browser that has a notion of Mixed Content will block active resources such as JavaScript. But the handling of passive resources, such as images, CSS, ... varies widely.

For instance, why would images be allowed but CSS blocked in a Mixed Content scenario? Why doesn't every browser handle XMLHttpRequest the same way when it comes to Mixed Content? You can test your current browser's Mixed Content handling at Qualys SSL Client Labs.
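Since you can't rely on the browser to block (or even report) mixed content consistently, it helps to check your own pages before deploying. The following is an added example, not code from the original post: it scans an HTML document served over HTTPS for http:// subresources and classifies each one the way the W3C Mixed Content spec does, "optionally-blockable" for images, audio and video (the passive kind discussed above) and "blockable" for everything else. The page URL and the sample HTML are constructed for the demonstration.

```python
# Added example: find http:// subresources in an HTTPS page and classify them.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute that loads the subresource, spec category). The W3C Mixed
# Content spec treats everything except images, audio and video (and prefetch)
# as blockable, so <link> (stylesheets), scripts, frames and plugins land there.
RULES = {
    "img": ("src", "optionally-blockable"),
    "audio": ("src", "optionally-blockable"),
    "video": ("src", "optionally-blockable"),
    "source": ("src", "optionally-blockable"),
    "script": ("src", "blockable"),
    "iframe": ("src", "blockable"),
    "link": ("href", "blockable"),
    "object": ("data", "blockable"),
    "embed": ("src", "blockable"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute url, category)

    def handle_starttag(self, tag, attrs):
        rule = RULES.get(tag)
        if rule is None:
            return
        attr, category = rule
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative ("//cdn/app.js") references
        # against the page URL; only an absolute http:// result is mixed content.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute, category))


def find_mixed_content(page_url, html):
    """Return [(tag, url, category)] for every http:// subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # only a page served over HTTPS can have mixed content
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page (hypothetical hostnames) mixing secure, insecure,
# relative and protocol-relative references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="//cdn.example/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="https://img.example/secure.png">
<iframe src="http://ads.example/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, category in find_mixed_content("https://www.example/page", SAMPLE_HTML):
        print(f"{category:21} <{tag}> {url}")
```

Run against a real page, the blockable findings are the ones every Mixed Content-aware browser will refuse to load, while the optionally-blockable ones are exactly those that behave differently from browser to browser.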

Women Browsers: can't live with them, can't live without them.

Update 24/12/2014: it seems they're working on a W3C spec to fix this.

Awesome work!

Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.
