Authorise mixed content tag?

Question

i have an issue with mixed-content (http/https) blocking.

I have three subdomains "a", "b" and "c". Only b is available over SSL.

I have a web application with the following frame structure:

• Navigate to http://a.example.com
• Page contains an iframe to another page on http://a.example.com
• iframe makes ajax request to https://b.example.com/
• iframe sets window.location.href to https://b.example.com/
• iframe (now on https://b.example.com/ ) loads nested iframe to another page on https://b.example.com/
• Nested iframe offers an <a href=""> directly to http://c.example.com/

The last link is blocked by browser's mixed-content security policy:

Chrome 30: [blocked] The page at https://b.example.com ran insecure content from http://c.example.com.

Firefox 23: Blocked loading mixed active content "http://c.example.com/"

How can i authorise this direct <a href=""> link to bypass mixed-content security policy?

Answer 1

I first thought of making the <a href=""> link point to https://b.example.com/ which would make a 302 redirect to the correct target on http://c.example.com/ , but i see Firefox are planning to block this as part of their mixed-content security strategy (bug #418354 and #456957)

Other solutions would be to rearchitect all physical hardware to merge the b.example.com and c.example.com machines; or to attempt to make c.example.com available over SSL (messy, multiple vhosts and SNI is not yet sufficiently compatible)

A simple target="_blank" seems to avoid the problem and although it's not ideal, in my case it's suitable and i think i'll use this solution. I'll leave the question in case there are any other solutions.