
Our product has a collection of sites, and the main page contains 3 iframes which load these different web sites. We are going to enable SSL on all the sites. We allow HTML user data to be displayed in our systems. Currently we have put this on hold since we experience Mixed Content issues for the following reasons:

  • Some of the elements in the user's data refer to http content, e.g. img, js, etc.
  • Some of the third-party sites which load in our iframes (different content providers).

We thought of developing our own web proxy, but we have concerns about the performance as well as the expense of this solution. Can anybody tell us what solutions are available for Mixed Content issues, and which third-party web proxies are available that we could buy?

Eranga

3 Answers


The best solution would probably be to purchase remote servers from some service (Google will give you millions of hits) and then set up a CGI script to load the insecure content onto the remote server, cache it, and then serve that content. That way your users are protected from 3rd parties knowing what they look at, and if you set up your SSL certificate on those servers then you can easily get around the mixed content problem.

That being said, there will be a big hiccup when you start loading your user's content off the remote server as it will have to start caching everything.

randomusername

Using a web proxy is not a good solution, for the following reasons:

  • There is the performance problem and the expense of this solution, as you said.
  • The most problematic aspect of this solution is that we still have a security vulnerability. The point of using https on a site is to protect the site from sniffers and man-in-the-middle attacks. If you use a web proxy, the connection between your browser and your proxy is still vulnerable.
  • I'm not sure whether a web proxy would help in any way, because the browser always interprets these links as http even if your server is SSL enabled.

For more information about mixed content: https://developer.mozilla.org/en-US/docs/Security/MixedContent

The correct way to deal with this situation is that you must modify all your links to load content with https. Or, a better way is to use protocol-relative URLs:

```html
<!-- A protocol-relative URL starts with the host, so "//scripts/main.js" would
     make "scripts" the hostname; the host below is a placeholder. -->
<script src="//example.com/scripts/main.js"></script>
```
Khanh TO
  • Thanks. But the problem is that we are dealing with 3rd-party content, and that it worked before the blocking. – Eranga Mar 07 '15 at 03:39
  • @Eranga: If that's the case, you should try to use the https version of your 3rd-party content. If there is no https version, I don't think this issue can be solved effectively. It looks like this official page has the same idea: https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content – Khanh TO Mar 07 '15 at 04:53
  • Some of the 3rd parties don't have https support. Negotiating with them to change is not feasible. – Eranga Mar 08 '15 at 17:01
  • @Eranga: I'm afraid that's the only solution. The point is that you have to modify the links on the `client side`. Anything you do on the server does not help, because browsers still interpret these links as http. – Khanh TO Mar 09 '15 at 13:13

Mixed content warnings are built into browsers by design to indicate exactly what they mean. You can turn them off in settings or just click OK, so by throwing the mixed content warning you're degrading the UI, but not functionality.

A few things come to mind, since the providers can't change their content:

  1. Write a back-end scraper for your app that scrapes the web page and serves the content locally over https.

  2. Don't render the content immediately; make the user click on it to open the iframe, so that at least your page loads and you can warn the user (optional).

  3. Enhance either solution by checking for https first; a lot of websites have 80 and 443 both open, but as you pointed out, not everybody does.

  4. Not too familiar with this one, but you could maybe even have a server instance of Internet Explorer open the pages and cache them for you, simplifying the scrape.

If I were writing this, I would check for https when possible and allow the mixed content warnings, as all of that is by design.

RandomUs1r
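The three answers describe the same pipeline from different angles: rewrite each http:// sub-resource in the user's HTML to the https version where the host supports it (answers 2 and 3), and otherwise route it through a fetch-and-cache proxy on our own https origin (answers 1 and 3). The rewrite runs on the server before the HTML reaches the browser, so the browser only ever sees https, protocol-relative or same-origin URLs. The block below is an added example and is not code from the question or any of the answers. It assumes a constructed allowlist HTTPS_CAPABLE of hosts known to also serve https, a proxy endpoint at PROXY_PATH (not implemented here) and a server-side secret PROXY_KEY; the hostnames and the sample HTML are placeholders.

```python
# Added example (not code from the question or any answer): rewrite http://
# sub-resource URLs in user-supplied HTML so an https page can embed them.
import hashlib
import hmac
import html
import ipaddress
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit, urlunsplit

HTTPS_CAPABLE = {"cdn.example.com", "static.example.org"}  # assumed allowlist: hosts that also serve https
PROXY_PATH = "/proxy"                            # assumed fetch-and-cache endpoint on our https origin
PROXY_KEY = b"replace-with-a-server-side-secret"  # assumed secret; signing keeps the endpoint from being an open proxy

# Tags whose URL attributes the browser fetches as sub-resources; <a href> is a
# navigation, not mixed content, so it is left alone.
RESOURCE_TAGS = {"img", "script", "iframe", "link", "audio", "video", "source", "embed", "object"}
URL_ATTRS = {"src", "href", "data", "poster"}


def sign(url):
    return hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()


def verify_proxy_request(url, sig):
    """The proxy endpoint must call this before fetching anything."""
    return hmac.compare_digest(sign(url), sig)


def looks_internal(host):
    """SSRF guard: never sign a proxy URL for loopback/private/link-local targets.
    Hostnames pass here; the proxy must re-check the address after DNS resolution."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def rewrite_url(url):
    parts = urlsplit(url.strip())
    if parts.scheme != "http":
        return url  # https, protocol-relative, relative and data: URLs are fine as-is
    if parts.hostname is None or looks_internal(parts.hostname):
        return url  # leave it alone; the browser will block it as mixed content
    if parts.hostname in HTTPS_CAPABLE:
        return urlunsplit(("https",) + parts[1:])  # same resource over https
    plain = urlunsplit(parts)
    return f"{PROXY_PATH}?url={quote(plain, safe='')}&sig={sign(plain)}"


class MixedContentRewriter(HTMLParser):
    """Streams the fragment back out, rebuilding only tags whose URLs changed."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.changes = [], []  # changes: (tag, old_url, new_url)

    def _tag(self, tag, attrs, selfclosing):
        new_attrs, changed = [], False
        for name, value in attrs:
            if tag in RESOURCE_TAGS and name.lower() in URL_ATTRS and value:
                new = rewrite_url(value)
                if new != value:
                    self.changes.append((tag, value, new))
                    changed, value = True, new
            new_attrs.append((name, value))
        if not changed:
            self.out.append(self.get_starttag_text())  # original tag text, untouched
            return
        rendered = " ".join(n if v is None else f'{n}="{html.escape(v, quote=True)}"'
                            for n, v in new_attrs)  # escapes the & in ?url=...&sig=
        self.out.append(f"<{tag} {rendered}{' /' if selfclosing else ''}>")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")


def rewrite_html(fragment):
    """Returns (rewritten_html, list of (tag, old_url, new_url))."""
    p = MixedContentRewriter()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.changes


# Constructed sample of user-submitted HTML, not data from the page.
SAMPLE = ('<p>Hello &amp; welcome</p>\n'
          '<img src="http://cdn.example.com/a.png" alt="a">\n'
          '<script src="http://legacy.example.net/widget.js"></script>\n'
          '<iframe src="https://partner.example.com/"></iframe>\n'
          '<img src="http://169.254.169.254/latest/meta-data/" alt="ssrf bait">\n'
          '<a href="http://legacy.example.net/page">link</a>\n')
```

Two caveats a practitioner would want before deploying this. First, every URL the rewriter signs comes from user-supplied HTML, so the signature only stops outsiders from using the endpoint as a free open proxy; the endpoint itself must still refuse to fetch loopback, private and link-local addresses after resolving the hostname, otherwise the proxy becomes an SSRF path into your own network. Second, proxying fixes the sub-resources of the page you serve; a third-party page loaded in one of the iframes still pulls its own http resources unless the proxy rewrites that document too, which is why checking for an https version of the provider first (answer 3) is the cheaper fix wherever it is available.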