HTTPS Mixed content parsing

Source: Internet
Author: User

What is HTTPS mixed content

You may have had this experience: while visiting a website over HTTPS, the browser suddenly warns, "This page contains unsafe content," and asks whether to display it. At that moment you have run into a page with mixed content.

A page served over HTTPS is rarely a single connection. The HTML, images, JavaScript and other page resources are not only fetched over multiple connections, they may come from entirely different servers and websites. For the page to be properly encrypted, every one of those resources must be loaded over HTTPS. In practice, however, it is not at all common for every resource to use HTTPS, and that is the mixed content security problem.

Reasons mixed content arises

Programmer habits

Some programmers still code out of habits formed under HTTP, so the code is not rigorous. The most common case is referencing the site's own resources by absolute path. That may be correct in HTTP mode, but once those pages are required to use HTTPS, the elements are likely to be fetched over HTTP and produce errors.

Mashup

With the spread of mashups, websites no longer provide all of their content themselves; they mix in content from other sites, and the source of that content is hidden. Mashups are very useful to developers, but they also make our HTTPS unpredictable.

Mashups are mainly implemented by loading third-party JavaScript code into the page. Under HTTPS it often turns out that the third-party content and services do not support HTTPS encryption. A few years ago many Baidu and Google services did not support HTTPS either; only in the last two or three years have they moved to SSL across their whole networks, and some small service providers still cannot support HTTPS everywhere.

CDN

A CDN sets up a large number of servers around the world and, by judging the user's IP address, selects the best network location from which to serve the user a large volume of (mainly static) files. Supporting HTTPS on a CDN is typically more expensive: CDNs usually rely on DNS-based resolution that assigns different host names to different distribution sites around the globe, so a wildcard certificate is often required. Even where wildcard or SAN certificates are supported, SNI compatibility is not perfect, so each distribution point should preferably have its own dedicated IP address, which again increases operational complexity and cost.

Impact of mixed content

The impact of mixed content is determined mainly by the nature of the content that is not encrypted. There are currently two main types: mixed passive content and mixed active content. The former is also called mixed display content and is low-risk. The latter is also called mixed scripting and is high-risk; the common case is JavaScript scripts.

Mixed active content is the real source of the threat. A reference to an unencrypted JavaScript file can be hijacked by an active attacker and used to take full control of the page and, with the victim's identity, perform arbitrary actions on the site. The same is true of other dangerous resource types, including HTML (frames), CSS, Flash and Java applets.

Mixed passive content, while not as dangerous, still undermines the integrity of the page. In some cases an attacker could manipulate a victim by inserting information into an image, which could lead to a phishing attack.

Browser handling

Android browser

The Android browser places no restrictions on mixed content.

Chrome

Starting with version 38, Chrome blocks all mixed active content.

Firefox

Firefox has long been able to detect mixed content and warn about it, but it was not until version 23 that all mixed active content was blocked.

IE

IE has detected mixed content since IE5 (1999): when it finds encrypted and plaintext content on the same page, it prompts the user to decide what to do. But it was only from IE9 onward that mixed active content was blocked, while mixed passive content began to be tacitly allowed.

Safari

Safari does not currently block any mixed content, which is a big difference from the other browsers.

Whether each browser loads the following resource types over plain HTTP on an HTTPS page (Y = loaded, N = blocked):

                     Images  CSS  Scripts  XHR  WebSockets  Frames
Android Browser 4.4  Y       Y    Y        Y    Y           Y
Chrome 41            Y       N    N        N    N           N
Firefox 30           Y       N    N        N    N           N
IE 11                Y       N    N        N    N           N
Safari               Y       Y    Y        Y    Y           Y

Find mixed content

To find out whether a web page contains mixed content, we recommend using Chrome's developer tools:

Visit the page to be tested, open Developer Tools, and select "Security" and then "Non-secure Origin"; the mixed content is listed there.

Workarounds

Check the code

For a new website, it is recommended to deploy HTTPS directly in the test environment when building it, so that mixed content problems are detected and corrected promptly during testing.

Programmers can use the following methods when writing code:

    • Local images and scripts are called directly over HTTP. Search for every element referenced by an http:// absolute path and replace it with a local relative path.
    • Some images and scripts are fetched from other hosts. For example, the site www.domain.com keeps its images on another site, img.domain.com, and its scripts on js.domain.com. Deploy HTTPS on each of those sites, then change the original http:// references to the protocol-relative // form (a reference beginning with http://img.domain.com/ becomes //img.domain.com/). Once adjusted, the browser automatically chooses HTTP or HTTPS for the external resources to match the page.
    • If you need a third-party system to provide application services, ask the service provider to support HTTPS. Baidu and Google now support HTTPS across their whole networks, and formal application services will start to support HTTPS.
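
The first two checks above (find every absolute http:// reference, and rewrite references to other hosts into the // form) can be automated. The following scanner is an added example and is not code from the original article; it uses only the Python standard library, classifies each finding as active or passive in the sense of the previous section, and the sample page it scans is constructed (the img.domain.com and js.domain.com hosts come from the article, the markup does not).

```python
# Added example, not code from the original article: scan HTML source for
# resources referenced by absolute http:// URLs, which become mixed content
# as soon as the page is served over HTTPS. Standard library only.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose resource can take over the page (mixed active content).
ACTIVE = {"script": "src", "iframe": "src", "frame": "src",
          "object": "data", "embed": "src"}
# Tags whose resource only affects what is displayed (mixed passive content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect every absolute http:// reference with its risk class."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            url, risk = attrs.get(ACTIVE[tag]), "active"
        elif tag in PASSIVE:
            url, risk = attrs.get(PASSIVE[tag]), "passive"
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url, risk = attrs.get("href"), "active"   # CSS counts as active
        else:
            return
        # Relative paths and protocol-relative (//host/...) references inherit
        # the page's scheme, so only an explicit http: scheme is a finding.
        if url and urlsplit(url).scheme == "http":
            self.findings.append((tag, url, risk))


def scan_html(html):
    """Return the list of (tag, url, risk) findings for one HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def to_protocol_relative(url):
    """Rewrite http://host/path to //host/path, the form the article recommends
    once the other host also serves HTTPS; the browser then follows the page."""
    return urlsplit(url)._replace(scheme="").geturl()


def summarize(html):
    """Counts per risk class, e.g. to fail a build when active findings exist."""
    findings = scan_html(html)
    return {"active": sum(1 for f in findings if f[2] == "active"),
            "passive": sum(1 for f in findings if f[2] == "passive")}


# Constructed sample page (hosts from the article; the markup is invented).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://js.domain.com/site.css">
<script src="http://js.domain.com/app.js"></script>
<script src="//js.domain.com/already-fixed.js"></script>
</head><body>
<img src="http://img.domain.com/logo.png">
<img src="/static/local.png">
<iframe src="https://partner.example/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, risk in scan_html(SAMPLE_PAGE):
        print("%-7s %-7s %s  ->  %s" % (risk, tag, url, to_protocol_relative(url)))
    print(summarize(SAMPLE_PAGE))
```

Run it over every template in the project before deploying to the HTTPS test environment; a non-zero "active" count is the case worth failing the build on, since that is the content browsers block outright.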

HSTS

HSTS is a mechanism that forces the browser to access resources securely, even in the face of user errors (such as reaching your site on port 80) and implementation errors (a developer adding an insecure element to an HTTPS page). This feature effectively eliminates the mixed content problem, but it only works for domain names you control.

HSTS relies on a 301 redirect; here is a brief introduction using IIS:

First configure an HTTP site and an HTTPS site, then on the HTTP site select HTTP Redirect:

Set the status code to Permanent (301) and redirect to the same domain name on the HTTPS site.

A separate article will cover the use of HSTS in more detail.
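
The redirect above is only half of HSTS: the browser remembers to use HTTPS for a host only after an HTTPS response has carried a Strict-Transport-Security header. The following checker is an added example, not code from the original article or an IIS feature; it verifies both parts against captured responses. The responses in CAPTURED are constructed to match the IIS setup described above, and the www.domain.com host and the one-year minimum max-age are assumptions.

```python
# Added example, not code from the original article: check offline whether a
# site's responses match the HSTS setup described above (a permanent redirect
# from http:// to https:// on the same host) and whether the HTTPS response
# carries the Strict-Transport-Security header that actually enables HSTS.
# The responses below are constructed; in practice fill CAPTURED from real
# requests (for example with http.client) before calling audit().
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; a common minimum max-age for HSTS (assumption)


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_redirect(http_response, host):
    """The plain-HTTP site must answer 301 with an https:// Location on the same host."""
    problems = []
    if http_response["status"] != 301:
        problems.append("expected a permanent (301) redirect, got %d" % http_response["status"])
    location = http_response["headers"].get("Location", "")
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append("redirect target is not https: %r" % location)
    if target.hostname != host:
        problems.append("redirect leaves the host %s: %r" % (host, location))
    return problems


def check_hsts(https_response, min_age=ONE_YEAR):
    """The HTTPS response must send HSTS with a long enough max-age."""
    header = https_response["headers"].get("Strict-Transport-Security")
    if header is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(header)
    problems = []
    age = directives.get("max-age", "")
    if not age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(age) < min_age:
        problems.append("max-age %s is shorter than %d seconds" % (age, min_age))
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains not set; subdomains such as img.* and js.* stay unprotected")
    return problems


def audit(captured, host):
    """Run both checks for one host; an empty list means the setup is as intended."""
    return (check_redirect(captured["http://%s/" % host], host)
            + check_hsts(captured["https://%s/" % host]))


# Constructed responses shaped like the IIS configuration described above.
CAPTURED = {
    "http://www.domain.com/": {
        "status": 301, "headers": {"Location": "https://www.domain.com/"}},
    "https://www.domain.com/": {
        "status": 200,
        "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}},
}

if __name__ == "__main__":
    print(audit(CAPTURED, "www.domain.com") or "OK: redirect and HSTS header look right")
```

The includeSubDomains check matters for exactly the layout used earlier in the article: if www.domain.com sends HSTS without it, references to img.domain.com and js.domain.com are still free to go over plain HTTP.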

CSP

To block insecure resources obtained from third-party websites, you can use Content Security Policy (CSP). This security feature can block insecure resources, and it has many other useful features for handling application-level security issues.
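
CSP has two directives aimed specifically at mixed content: upgrade-insecure-requests, which makes the browser rewrite http: subresource URLs to https: (and ws: to wss:) before sending the request, and the older block-all-mixed-content, which blocks every http: subresource on an HTTPS page, passive or active. The following model is an added example, not code from the original article; it applies those two directives to a subresource URL the way a browser does (upgrade is evaluated first, so it wins when both are present). Real browsers apply further rules; the page and resource URLs used below are constructed.

```python
# Added example, not code from the original article: a simplified model of the
# two CSP directives that deal with mixed content, applied to the subresource
# URLs of an HTTPS page. Hosts and URLs below are constructed.
from urllib.parse import urlsplit, urlunsplit


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [values]}."""
    policy = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, *values = token.split()
        policy[name.lower()] = values
    return policy


def resolve_subresource(page_url, resource_url, csp_header):
    """Return (final_url, action) where action is 'load', 'upgrade' or 'block'."""
    policy = parse_csp(csp_header)
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if page.scheme != "https" or res.scheme not in ("http", "ws"):
        return resource_url, "load"          # not mixed content at all
    if "upgrade-insecure-requests" in policy:
        # Rewritten before the request leaves the browser, so the plain-HTTP
        # resource is never fetched and no mixed content warning appears.
        new_scheme = {"http": "https", "ws": "wss"}[res.scheme]
        return urlunsplit(res._replace(scheme=new_scheme)), "upgrade"
    if "block-all-mixed-content" in policy:
        return resource_url, "block"         # passive content is blocked too
    # No directive: the browser's own defaults apply (see the table above),
    # which typically load images but block scripts, CSS, XHR and frames.
    return resource_url, "load"


if __name__ == "__main__":
    page = "https://www.domain.com/"
    for resource, csp in [
        ("http://img.domain.com/logo.png", "upgrade-insecure-requests"),
        ("http://js.domain.com/app.js", "default-src 'self'; block-all-mixed-content"),
        ("http://js.domain.com/app.js", "default-src 'self'"),
    ]:
        print(csp, "->", resolve_subresource(page, resource, csp))
```

upgrade-insecure-requests is the directive to reach for when the other hosts already serve HTTPS, because it fixes references you have not yet found; block-all-mixed-content is useful in a test environment precisely because it turns every leftover http:// reference, even a passive image, into a visible failure.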

Reference: https://www.myssl.cn/home/article-56.html
