How to serve static content without https in a secure site?
Internet Explorer and I think some other browsers will warn a user when the assets for a site using the https
protocol are served from http
. The first best solution is to allow your static asset server to serve secure content and have your site use a consistent protocol. The second best solution is going to be to create a page on your secure site that is a proxy, basically you need to create a dynamic page that calls the external page or asset, and returns it through that proxy. How that page is written depends on what dynamic programming language is available to you on the secure server.
Basically IE has a legitimate security issue with mixing protocols. It knows it can trust the https
server, but does not trust the http
one.
Related videos on Youtube
Comments
-
licorna over 1 year
I want to serve static content from my site but my site is https-only. My static http server only serve http content (non https) but many IE users are complaining about being unable to log into.
What do I need to do? Should I add https to my static-content http server?
-
nedruod almost 14 yearsOther browsers degrade in less noisy fashions for mixed content, often modifying the behavior of the 'padlock' icon that only half of the Internet population pays attention to. I agree that IE is doing 'the right thing (TM)' by throwing an obvious warning. It is correct, some elements were sent securely, some were not.
-
Metalshark almost 14 yearsThe sooner there is native support to block cookies to HTTP when using HTTPS the sooner this message can disappear and stop causing problems. Its not like the additional HTTP headers are even wanted for the static content that is served away from the HTTPS page.
-
Bruno about 12 years@Metalshark: it's far more than about cookies. When you look at an HTTPS page, you want to be able to trust everything it says. Someone could forge an image and replace what it shows/says, for example. You also want to link to trusted, non-altered scripts.