The Surprising Mixed Content Handling on SSL/HTTPS Enabled Websites

Oh Dear monitors your entire site, not just the homepage. We crawl and search for broken pages and mixed content, send alerts when your site is down and notify you on expiring SSL certificates.

Start your free 10 day trial! »

Profile image of Mattias Geniar

Mattias Geniar, December 23, 2014

Follow me on Twitter as @mattiasgeniar

I already mentioned mixed content warnings as one of the more difficult reasons to switch on HTTPs, but what I didn’t realise up until now is how browsers handle media types differently in mixed content scenarios.

Mixed Content warnings occur when you include HTTP-content in an HTTPS-enabled website. This isn’t the same in every browser. Multiple browsers handle this is in different ways. Internet Explorer had mixed content warnings as early as IE5 whereas Safari still allows mixed content up until today as tested in Safari 8.0.2. Safari, the default browser on Mac OSX, doesn’t block Mixed Content. It shows a warning, in a well-hidden javascript developer console that you have to enabled in Advanced settings, but it still allows it.

safar_mixed_content

Modern, more secure browsers, correctly block these requests.

chrome_blocked_mixed_content

So clearly, “Mixed Content warnings” is a concept that isn’t widely respected.

But even in browsers that do support it, there is a difference between active and passive resources. Any browser that has a notion of Mixed Content will block active resources such as JavaScript. But the passive resources, such as images, CSS, … vary widely.

For instance, why would images be allowed, but CSS is blocked in a Mixed Content scenario? Why doesn’t every browser handle XMLHttpRequest the same way when it comes to Mixed Content? You can test your current browsers’ support for Mixed Content handling at Qualys SSL Client Labs.

Women Browsers: can’t live with them, can’t live without them.

Update 24/12/2014: it seems they’re working on an W3C Spec to fix this.

Awesome work!



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.