No mixed content

mixed_content

Chrome trying to prevent loading unsecured resources

Do not mix content from secure and unsecured location, it’s the same as mixing beer and vodka and hoping for the best. Whether you use HTTPS and include all resources from secure location or stay on HTTP.

Think of this as using HTTPS on all web pages on your domain and then including third-party JavaScript library from unsecured location, this cancel the statement that the site is secured.

Modern web browsers are very well trained to warn you when web page is trying to load something from unsecured location. The scripts and style sheets are blocked by default, but images and other passive content are allowed to load with appropriate warnings.

Very often, you can’t precisely identify in web browser console, whether web page is loading unsecured content or not (for example: JavaScript is trying to load unsecured resource on some event) or you have hundreds of web pages and it’s not feasible to go one by one and search for mixed content.

That’s why I’ve created tool: nomixedcontent to crawl web pages on specific domain and list all mixed content issues.

The tool is a Python script which recursively scan web pages for predefined depth level and trying to identify resources that loaded through HTTP protocol. The following HTML elements are checked for mixed content:

<img><iframe><script><object><form>, , <video><audio><source><link><style>

no_mixed_content_tool

Enjoy!