No mixed content


Chrome trying to prevent loading unsecured resources

Do not mix content from secure and unsecured locations; it’s the same as mixing beer and vodka and hoping for the best. Either use HTTPS and include all resources from secure locations, or stay on HTTP.

Think of using HTTPS on all web pages on your domain and then including a third-party JavaScript library from an unsecured location: this cancels the claim that the site is secured.

Modern web browsers are very well trained to warn you when a web page is trying to load something from an unsecured location. Scripts and style sheets are blocked by default, but images and other passive content are allowed to load with appropriate warnings.

Very often, you can’t tell precisely from the web browser console whether a web page is loading unsecured content (for example, JavaScript may load an unsecured resource only on some event), or you have hundreds of web pages and it’s not feasible to go through them one by one searching for mixed content.

That’s why I’ve created a tool, nomixedcontent, to crawl web pages on a specific domain and list all mixed content issues.

The tool is a Python script that recursively scans web pages down to a predefined depth level and tries to identify resources that are loaded over the HTTP protocol. The following HTML elements are checked for mixed content:

<img>, <iframe>, <script>, <object>, <form>, <video>, <audio>, <source>, <link>, <style>
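The per-page check described above can be sketched as follows. This is an added example, not the nomixedcontent tool's own code; the attribute map, the names MixedContentFinder and find_mixed_content, and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the URL-bearing attribute(s) for each element the post lists.
URL_ATTRS = {"img": ("src",), "iframe": ("src",), "script": ("src",),
             "object": ("data",), "form": ("action",), "video": ("src", "poster"),
             "audio": ("src",), "source": ("src",), "link": ("href",)}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, absolute URL) for every plain-HTTP reference."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self.in_style = page_url, [], False

    def check(self, tag, attr, value):
        # Resolve relative and protocol-relative ("//host/x") URLs against the page.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            self.findings.append((tag, attr, absolute))

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        for name, value in attrs:
            if value and name in URL_ATTRS.get(tag, ()):
                self.check(tag, name, value)

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # inline CSS: url(http://...) inside <style>
            for match in CSS_URL.finditer(data):
                self.check("style", "url()", match.group(1))

def find_mixed_content(page_url, html):
    """Return insecure references; an HTTP page has no mixed content."""
    if urlparse(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not real site content).
SAMPLE = ('<script src="http://cdn.example/lib.js"></script><img src="/logo.png">'
          '<link href="//cdn.example/s.css"><style>body{background:url("http://img.example/bg.png")}</style>')
```

Static parsing like this cannot see resources that JavaScript requests at runtime, which is the case the post mentions as hard to spot in the browser console.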



