Types of mixed content errors:
Generally, there are two types of mixed content errors: mixed scripting and mixed passive content. A mixed scripting error occurs when an HTTPS site loads a script file over HTTP. This damages the security of the website, so browsers do not allow such content and block it. The second type, a mixed passive content error, happens when an HTTPS site loads an audio or image file over HTTP. Such content is not a risk for website security, and browsers do not treat this error as strictly. Still, it is an insecure practice for an SSL-secured website.
How does this impact website security?
Attackers can perform a man-in-the-middle attack, change data in transit, and compromise the website; as a result, the website suffers a loss of privacy and of users’ data. Attackers can also perform a DNS spoofing attack on such modified resources. In addition, users see warnings about secure and non-secure content, which is an unfriendly experience and drives visitors away from the website.
How to find nonsecure elements on the website?
How to fix mixed content error?
There are a few ways a website owner can fix the mixed content error and provide a smooth and secure experience for users.
Disable error on Chrome:
In Chrome, Google has introduced “Upgrade Insecure Requests”, which treats HTTP requests as HTTPS and rids users of the mixed content error. It lets developers serve legacy content over HTTPS easily and offer better security to users. If you have no direct control over the web server, you only have to add the single line of code shown below:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Disable error on Firefox:
Firefox has blocked mixed content since version 23. Website owners have to serve all content over HTTPS by changing the HTML source code.
Open the insecure page that serves images, iframes, or Flash and search for http://. Change the references to all insecure items to HTTPS. For example:
<img src="https://www.domain.com/image.gif" alt="" />
If you are loading an image from a different website that has no SSL set up, this change will not work.
Change all links to HTTPS:
There is no need to change all links to HTTPS; you can instead use markup like the line below:
<img src="//www.domain.com/image.gif" alt="" />
With this code, the browser will load the image securely when the web page is served securely. If the web page is not secured, the image will load normally.
If the image or script is on the same domain, you can use the following markup:
<img src="/image.gif" alt="" />
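The “search for http://” step above can be automated. The following Python script is an added example, not part of the original article: it parses a page and lists the subresources referenced over plain http://, labelled with the article's two error types. The sample page, the example.com hosts, and the tag tables (which extend the article's script, image and audio examples to iframes, stylesheets and plug-in content) are assumptions of this example.

```python
from html.parser import HTMLParser

# Tag -> URL attribute. "scripting" loads are blocked by browsers; "passive"
# loads are handled less strictly. These tables are an assumption of the example.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample page; hosts are placeholders.
SAMPLE = """<html><head>
<script src="http://cdn.example.com/app.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
</head><body>
<img src="http://www.example.com/image.gif" alt="" />
<img src="//www.example.com/image.gif" alt="" />
<img src="/image.gif" alt="" />
<a href="http://www.example.com/page">link</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would request over HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, type, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets are counted; rel="canonical" loads nothing
        for kind, table in (("scripting", ACTIVE), ("passive", PASSIVE)):
            if tag not in table:
                continue
            url = (attrs.get(table[tag]) or "").strip()
            # "//host/x" and "/x" inherit the page scheme; only http:// is mixed.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: mixed {kind} content: <{tag}> {url}")
```

Ordinary hyperlinks (`<a href>`) are ignored because following a link does not load a resource into the secure page.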
Changing Browser Setting:
You can change the code of the page that shows the error; however, if you have no access to it, you can follow the steps below.
- Go to Tools >> Internet Options.
- Under “Security” Tab, click the “Custom Level” button.
- Scroll down to the option: “Display mixed content” and choose “Enable”.
- Choose ‘Enable’ and click the OK button.
- There will be a “Security Warning” pop-up. Click Yes.
When visitors see the warning, they usually react in one of two ways. Either they proceed and ignore the security warning, which could be risky for them, or they heed the warning and leave the website, which reduces the website's effectiveness and its sales. Therefore, it is advisable to fix the mixed content error on your website and give users and visitors secure browsing.