Https Web Security - Learning Module

Loading content...

0/228

Mixed Content: The Hidden HTTPS Vulnerability

When HTTPS Isn't Fully Secure

You've deployed your site over HTTPS, obtained valid certificates, and watched the padlock appear in browsers. Your site is secure, right? Not necessarily.

A critical vulnerability lurks in many HTTPS deployments: mixed content. When an HTTPS page loads resources (scripts, images, stylesheets, iframes) over unencrypted HTTP connections, the security guarantees of HTTPS are fundamentally compromised.

Mixed content is particularly insidious because it's invisible to casual users, may only appear under specific conditions, and can completely undermine the authentication and encryption HTTPS provides. Understanding and preventing mixed content is essential for any engineer deploying secure web applications.

In this comprehensive exploration, we'll dissect the mixed content problem—what it is, why it's dangerous, how browsers protect against it, and how to detect and eliminate it from your applications.

What You Will Learn

By the end of this page, you will understand: (1) What mixed content is and why it's dangerous, (2) The difference between active and passive mixed content, (3) How browsers handle mixed content, (4) Detection methods and tools, (5) Remediation strategies, and (6) Content Security Policy for mixed content protection.

Understanding Mixed Content

Mixed content occurs when an initial HTML document is loaded securely over HTTPS, but that document then loads sub-resources (scripts, stylesheets, images, videos, iframes, etc.) over insecure HTTP connections.

The Fundamental Problem:

HTTPS provides three guarantees:

Confidentiality: Encrypted data can't be read by network observers
Integrity: Modified data will be detected and rejected
Authenticity: You're communicating with the intended server

Mixed content breaks all three guarantees for the HTTP resources:

https://secure-bank.com/dashboard
    │
    ├── loads https://secure-bank.com/app.js    ✓ Protected
    ├── loads https://secure-bank.com/style.css ✓ Protected
    │
    └── loads http://cdn.example.com/widget.js  ✗ EXPOSED!
              ↑
              Man-in-the-middle can:
              - Read all data in this request
              - Modify the response (inject malicious code)
              - Impersonate the resource server

The Attack Scenario

An attacker on the same network (coffee shop WiFi, compromised router, ISP-level) can intercept HTTP requests. If your banking page loads one HTTP JavaScript file, the attacker can inject code that steals credentials, transfers funds, or installs malware—all while the user sees the padlock and thinks they're secure.

Why Does Mixed Content Exist?

Mixed content typically appears due to:

Legacy Integration: Old code written before HTTPS became universal
Third-Party Resources: CDNs, analytics, ads that only support HTTP
Hardcoded URLs: http:// explicitly written in HTML/CSS/JS
User-Generated Content: Users pasting HTTP links
Backend-Generated URLs: Server code constructing HTTP URLs
Protocol-Relative URLs: //example.com/resource on HTTP sites later migrated to HTTPS

Request Flow Comparison:

Converting Mermaid diagram...

Active vs Passive Mixed Content

Not all mixed content is equally dangerous. Browsers distinguish between two categories based on the potential impact of compromise:

Active Mixed Content (High Risk)

Active mixed content can modify the DOM, execute code, or interact with the page. Compromise of active content gives attackers full control of the page.

Blocked by default in all modern browsers.

Active Mixed Content Types
Resource Type	HTML Element	Risk
JavaScript	<script src="http://...">	Execute arbitrary code, steal all data
CSS Stylesheets	<link rel="stylesheet" href="http://...">	Can exfiltrate data via CSS injection
Iframes	<iframe src="http://...">	Full page takeover, phishing
XMLHttpRequest/Fetch	fetch('http://...')	Data exfiltration, CSRF
Web Workers	new Worker('http://...')	Background code execution
Fonts (@font-face)	@font-face { src: url('http://...') }	Limited, but possible exploits
Object/Embed	<object data="http://...">	Plugin code execution

Passive (Display) Mixed Content (Lower Risk)

Passive mixed content cannot execute code or directly access page content. The impact of compromise is limited to the content itself.

May be loaded with warnings, or blocked in stricter modes.

Passive Mixed Content Types
Resource Type	HTML Element	Risk
Images	<img src="http://...">	Display falsified images, track users
Video	<video src="http://...">	Replace video content, tracking
Audio	<audio src="http://...">	Replace audio, limited tracking

Passive Content Still Matters

While passive content can't execute code, it's still dangerous: (1) Attackers can replace images with misleading content (fake 'download' buttons, phishing), (2) Unique tracking pixels expose user behavior, (3) Visible HTTP warning indicators erode user trust, (4) Some 'passive' contexts can become active through browser bugs.

Why the Distinction?

Browsers make this distinction for practical migration reasons:

Active content is always blocked — The risk is too high to allow any execution
Passive content may be allowed with warnings — Enables gradual migration without completely breaking sites
Upgradeable resources — Some browsers automatically upgrade HTTP to HTTPS for certain resources

The Evolution:

Era	Active Mixed Content	Passive Mixed Content
Early 2010s	Warning only	No warning
Mid 2010s	Blocked by default	Warning shown
Late 2010s	Blocked	Blocked or upgraded
2020s	Blocked	Auto-upgraded to HTTPS

Modern browsers (Chrome 80+) attempt to auto-upgrade passive mixed content to HTTPS. If the HTTPS version fails, the resource is blocked.

How Browsers Handle Mixed Content

Browsers implement sophisticated mixed content protection, but behavior varies across browsers and evolves over time.

Chrome Mixed Content Behavior (2024):

Active Mixed Content: Blocked unconditionally, console error
Mixed Images: Auto-upgraded to HTTPS, blocked if fails
Mixed Audio/Video: Auto-upgraded to HTTPS, blocked if fails
Mixed Downloads: Blocked for dangerous file types (exe, dmg, etc.)

Visual Indicators:

🔒 Secure (HTTPS, no mixed content)
     → "Connection is secure" in address bar

⚠️  Not Secure (mixed content detected)
     → Warning triangle, "Not secure" or "Mixed content"

🔓 Not Secure (HTTP page or severe issues)
     → "Not secure" prominently displayed

Console Errors and Warnings:

// Active mixed content (script)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, 
but requested an insecure script 'http://cdn.example.com/widget.js'. 
This request has been blocked; the content must be served over HTTPS.

// Passive mixed content (image, before auto-upgrade)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, 
but requested an insecure image 'http://cdn.example.com/photo.jpg'. 
This content should also be served over HTTPS.

// Auto-upgrade notification
Automatically upgrading a mixed content request from 
'http://cdn.example.com/photo.jpg' to 'https://cdn.example.com/photo.jpg'

Firefox Behavior:

Similar to Chrome with some differences:

Uses shield icon to indicate blocked content
"Enable Protection" / "Disable Protection" toggle in URL bar
Settings page for per-site exceptions (not recommended)

Safari Behavior:

Blocks all active mixed content
Blocks mixed video/audio
May load mixed images with warnings in some contexts

Auto-Upgrading Mixed Content

Chrome's auto-upgrade feature attempts to load HTTP content over HTTPS instead. This helps sites that serve content over both protocols but have HTTP hardcoded in their pages. However, if the HTTPS version doesn't exist or fails, the content is blocked. This is why ensuring all resources are available over HTTPS is essential.

Mixed Content in Different Contexts:

Context	Active Content	Passive Content
Top-level HTTPS page	Blocked	Auto-upgraded
HTTPS iframe on HTTPS page	Blocked	Auto-upgraded
HTTP iframe on HTTPS page	Blocked entirely	Blocked entirely
HTTPS worker on HTTPS page	Blocked	N/A
Service Worker scope	Must be same-origin HTTPS	N/A

The upgrade-insecure-requests Directive:

CSP can instruct browsers to upgrade all requests:

Content-Security-Policy: upgrade-insecure-requests

This tells the browser to automatically rewrite all HTTP URLs to HTTPS before making requests. Unlike browser auto-upgrade, this applies to ALL resources, not just passive content.

Detecting Mixed Content

Finding all mixed content in a web application requires systematic detection across multiple sources.

Method 1: Browser Developer Tools

The most immediate approach—check the console after loading pages over HTTPS:

1. Open DevTools (F12)
2. Navigate to Console tab
3. Filter by "Mixed Content" or look for warnings
4. Check Network tab for HTTP requests
   - Filter: "scheme:http" or look for 🔓 icons

Limitations: Only detects mixed content on pages you visit, doesn't catch dynamic content or edge cases.

Method 2: Content Security Policy Reporting

Deploy CSP in report-only mode to collect violations:

Content-Security-Policy-Report-Only: 
  default-src https:;
  report-uri https://example.com/csp-reports;
  report-to csp-endpoint;

Report-To: {
  "group": "csp-endpoint",
  "max_age": 86400,
  "endpoints": [
    { "url": "https://example.com/csp-reports" }
  ]
}

Browsers will report violations without blocking, allowing you to discover mixed content from real user traffic.

CSP Report Format:

{
  "csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "img-src https:",
    "blocked-uri": "http://cdn.example.com/image.jpg",
    "line-number": 42,
    "source-file": "https://example.com/app.js"
  }
}

Method 3: Automated Scanners

Tools that crawl your site and identify mixed content:

# WebPageTest (includes mixed content detection)
https://www.webpagetest.org

# SSL Labs (certificate check + mixed content)
https://www.ssllabs.com/ssltest/

# Why No Padlock (targeted mixed content finder)
https://www.whynopadlock.com/

# Lighthouse (Chrome DevTools or CLI)
lighthouse https://example.com --output json

Method 4: Source Code Analysis

Grep for HTTP URLs in your codebase:

# Find hardcoded HTTP URLs in code
grep -rn 'http://' --include='*.html' --include='*.js' --include='*.css' .

# More targeted search
grep -rn 'src="http://' --include='*.html' .
grep -rn "src='http://" --include='*.html' .
grep -rn 'url(http://' --include='*.css' .

Mixed Content Detection Checklist

•Static HTML files — Search for src=, href=, action= with HTTP URLs
•CSS files — Search for url(http://...) in stylesheets
•JavaScript — Search for hardcoded HTTP URLs in fetch/XHR calls
•Server templates — Check URL generation in backend code
•CMS content — User-generated content may contain HTTP links
•Third-party widgets — Embedded content, analytics, ads
•Build processes — Asset URLs injected during build
•CDN configuration — Verify CDN serves content over HTTPS

Continuous Monitoring

CSP reporting should be always-on in production. New features, third-party updates, or content changes can introduce mixed content at any time. Automated monitoring catches issues before users report them.

Fixing Mixed Content: Remediation Strategies

Once mixed content is identified, remediation follows a systematic approach. The strategy depends on the source of the mixed content.

Strategy 1: Use Protocol-Relative URLs (Transitional)

<!-- Instead of -->
<script src="http://cdn.example.com/lib.js"></script>

<!-- Use -->
<script src="//cdn.example.com/lib.js"></script>

Protocol-relative URLs inherit the page's protocol. On HTTPS pages, they become HTTPS requests.

⚠️ Warning: This is a transitional solution. If the HTTPS version doesn't exist, this will break. Modern best practice is explicit HTTPS.

Strategy 2: Use Explicit HTTPS URLs (Recommended)

<!-- Best practice: explicit HTTPS -->
<script src="https://cdn.example.com/lib.js"></script>
<img src="https://images.example.com/photo.jpg">
<link rel="stylesheet" href="https://example.com/style.css">

This is the most reliable approach—ensures HTTPS is always used, fails loudly if HTTPS isn't available.

Strategy 3: Update Server URL Generation

Backend code often constructs URLs. Ensure HTTPS is used:

# Python/Django
from django.contrib.sites.models import Site

# Bad: may return HTTP
site = Site.objects.get_current()
url = f"http://{site.domain}/path"  

# Good: use request scheme or force HTTPS
url = request.build_absolute_uri('/path')  # Uses request's scheme
url = f"https://{site.domain}/path"  # Explicit HTTPS

// Node.js/Express
// Bad
const url = `http://${req.headers.host}/path`;

// Good: check for HTTPS or X-Forwarded-Proto
const protocol = req.secure || req.headers['x-forwarded-proto'] === 'https' 
  ? 'https' : 'http';
const url = `${protocol}://${req.headers.host}/path`;

// Best: always use HTTPS in production
const url = `https://${req.headers.host}/path`;

Strategy 4: Configure CDNs and Third Parties

Ensure all external services support HTTPS:

CDN Configuration:
├── Verify SSL/TLS is enabled on CDN
├── Update CDN origin to use HTTPS
├── Force HTTPS in CDN settings
└── Update all CDN URLs in application

Third-Party Services:
├── Google Analytics: Already HTTPS
├── Font services: Use HTTPS URLs
├── Ad networks: Contact for HTTPS support
└── Widgets: Update embed codes

Strategy 5: Use CSP upgrade-insecure-requests

For sites with many HTTP references, CSP can auto-upgrade:

# Upgrade all HTTP requests to HTTPS
Content-Security-Policy: upgrade-insecure-requests

How it works:

Browser intercepts all resource requests
HTTP URLs are rewritten to HTTPS
Request is made to HTTPS version
If HTTPS fails, request fails (no fallback to HTTP)

This is a transition tool, not a permanent solution—fix the underlying URLs.

Testing Upgrade-Insecure-Requests

Before deploying upgrade-insecure-requests, ensure all your resources are available over HTTPS. The directive will break resources that don't support HTTPS. Test thoroughly in staging with real content.

Strategy 6: Handle User-Generated Content

User content (comments, profiles, CMS entries) may contain HTTP links:

// Sanitize on input or output
function sanitizeContent(html) {
  // Replace HTTP with protocol-relative for same-site resources
  return html.replace(
    /src=["']http:\/\/example\.com\//g,
    'src="https://example.com/'
  );
}

// Or convert all image sources to HTTPS
function upgradeImageUrls(html) {
  return html.replace(
    /<img([^>]*)src=["']http:\/\//gi,
    '<img$1src="https://'
  );
}

For truly external HTTP images, consider:

Proxy through your HTTPS server
Replace with placeholder indicating insecure content
Store copies of images on your HTTPS CDN

Content Security Policy for Mixed Content Protection

Content Security Policy (CSP) provides the most robust defense against mixed content by explicitly declaring what sources are permitted for each resource type.

Basic HTTPS-Enforcing CSP:

Content-Security-Policy: default-src https:; script-src https:; style-src https:; img-src https: data:; font-src https: data:;

This policy:

Allows all resources ONLY from HTTPS sources
Includes data: URIs for inline images and fonts (common requirement)
Blocks any HTTP resources

Strict CSP with Specific Sources:

Content-Security-Policy: 
  default-src 'none';
  script-src 'self' https://cdn.example.com;
  style-src 'self' https://fonts.googleapis.com;
  img-src 'self' https://images.example.com data:;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://api.example.com;
  frame-src https://www.youtube.com;
  base-uri 'self';
  form-action 'self';

CSP Directives for Mixed Content:

Directive	Controls	Example
`default-src`	Fallback for all resource types	`default-src https:`
`script-src`	JavaScript sources	`script-src https://cdn.example.com`
`style-src`	CSS sources	`style-src 'self' https:`
`img-src`	Image sources	`img-src https: data:`
`font-src`	Font sources	`font-src https://fonts.gstatic.com`
`connect-src`	Fetch/XHR/WebSocket	`connect-src https://api.example.com`
`frame-src`	iframe sources	`frame-src https:`
`media-src`	Audio/video	`media-src https:`
`object-src`	Plugins (Flash, etc.)	`object-src 'none'`
`block-all-mixed-content`	Block all mixed content	`block-all-mixed-content` (deprecated)
`upgrade-insecure-requests`	Auto-upgrade HTTP to HTTPS	`upgrade-insecure-requests`

block-all-mixed-content vs upgrade-insecure-requests:

# Block approach: any HTTP request fails
Content-Security-Policy: block-all-mixed-content

# Upgrade approach: try HTTPS first, fail if unavailable  
Content-Security-Policy: upgrade-insecure-requests

upgrade-insecure-requests is generally preferred—it provides a migration path while still ensuring security.

CSP Migration Strategy

Start with CSP in report-only mode to discover violations without breaking your site. Once you've fixed issues, switch to enforcing mode. Use Content-Security-Policy-Report-Only with identical directives to continue monitoring even after enforcement.

Implementing CSP:

# Nginx
add_header Content-Security-Policy "default-src https:; upgrade-insecure-requests;" always;

# Report-only mode for testing
add_header Content-Security-Policy-Report-Only "default-src https:; report-uri /csp-reports;" always;

// Express.js using helmet
const helmet = require('helmet');

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'", "https:"],
    scriptSrc: ["'self'", "https://cdn.example.com"],
    imgSrc: ["'self'", "https:", "data:"],
    upgradeInsecureRequests: [],
  },
}));

<!-- Meta tag (limited, can't use report-uri) -->
<meta http-equiv="Content-Security-Policy" 
      content="default-src https:; upgrade-insecure-requests;">

Edge Cases and Gotchas

Mixed content detection and prevention has several edge cases that can trip up even experienced developers.

Common Mixed Content Gotchas

•Dynamic Content Injection JavaScript that constructs URLs may use HTTP based on variables or API responses. Test with production-like data.
•CSS url() References Background images, fonts, and cursors in CSS can introduce mixed content. Tools often miss these.
•Favicon HTTP favicons are fetched separately and may be missed. Use <link rel="icon" href="https://..."> explicitly.
•manifest.json Icons PWA manifests reference icons that must be HTTPS. Check app manifest files.
•Open Graph / Twitter Cards Social media meta tags with HTTP image URLs may not trigger browser warnings but will fail on social platforms.
•Sourcemaps JavaScript sourcemaps referenced via //# sourceMappingURL= can be HTTP. Not a security issue but may confuse debuggers.
•WebSocket Connections ws:// on an HTTPS page is mixed content. Use wss:// for secure WebSockets.
•Service Worker Scope Service workers must be served over HTTPS and can only control HTTPS pages. Any HTTP requests will bypass the worker.

The Referrer-Policy Interaction:

When following HTTP links from HTTPS pages, the Referrer header behavior depends on Referrer-Policy:

# Strict: no referrer to HTTP destinations
Referrer-Policy: strict-origin-when-cross-origin

# With this policy:
https://example.com → https://other.com → Referrer: https://example.com/
https://example.com → http://other.com  → Referrer: (none)

This is a security feature—HTTPS page URLs shouldn't leak to HTTP destinations.

The <base> Tag Trap:

<!-- If your page has -->
<base href="http://example.com/">

<!-- Then relative URLs become HTTP -->
<script src="/app.js"></script>  <!-- Becomes http://example.com/app.js -->

Ensure <base> tags use HTTPS or remove them entirely.

Iframes and Nested Contexts

An HTTPS page embedding an HTTP iframe is mixed content and will be blocked. But an HTTPS iframe from a third party may itself load HTTP resources—and that's harder to detect. You're trusting the iframe source to also be fully secure.

Planning an HTTP to HTTPS Migration

Migrating a site from HTTP to HTTPS while avoiding mixed content requires systematic planning.

Phase 1: Audit (Before Migration)

Crawl entire site and catalog all HTTP resource references
Identify third-party services and confirm HTTPS support
Check CDN HTTPS configuration
Review server-side URL generation code
Audit CMS content for hardcoded HTTP links

Phase 2: Prepare Resources

Configure all servers/CDNs for HTTPS
Obtain and install certificates
Test HTTPS versions of all resource URLs
Update hardcoded URLs in codebase
Configure server URL generation for HTTPS

Phase 3: Deploy with CSP

# Start with report-only to detect issues
Content-Security-Policy-Report-Only: 
  default-src https:;
  upgrade-insecure-requests;
  report-uri /csp-reports;

Monitor reports, fix violations, iterate.

Converting Mermaid diagram...

Phase 4: Migration Execution

Deploy upgrade-insecure-requests CSP
Enable HTTP to HTTPS redirects (301 Permanent)
Update canonical URLs and sitemaps
Submit updated sitemaps to search engines
Monitor for mixed content reports and errors

Phase 5: Lock Down with HSTS

Once confident there's no mixed content:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This instructs browsers to always use HTTPS, preventing any HTTP requests.

Phase 6: Ongoing Monitoring

Keep CSP reporting enabled
Monitor for new violations from deployments/content changes
Periodically audit third-party resources
Test with automated tools in CI/CD

CI/CD Integration

Add mixed content checks to your CI/CD pipeline using tools like Lighthouse or custom scripts. Catch mixed content introduction before it reaches production.

Summary: Mixed Content Mastery

We've comprehensively explored mixed content—the subtle vulnerability that can undermine HTTPS security. Let's consolidate the essential concepts:

Key Takeaways

•Mixed Content Definition — HTTP resources loaded on HTTPS pages, breaking confidentiality, integrity, and authenticity.
•Active vs Passive — Active content (scripts, iframes) is blocked; passive content (images) may be auto-upgraded or warned.
•Browser Behavior — Modern browsers block active mixed content and auto-upgrade passive content to HTTPS.
•Detection — Use browser DevTools, CSP reporting, automated scanners, and codebase searches.
•Remediation — Update to explicit HTTPS URLs, configure servers/CDNs, use CSP upgrade-insecure-requests.
•CSP Protection — Content-Security-Policy with HTTPS-only sources provides robust defense.
•Migration Planning — Audit → Prepare → Deploy CSP → Fix → Enforce → HSTS → Monitor.

What's Next:

With mixed content understood, the next page examines HTTP Strict Transport Security (HSTS)—the mechanism that instructs browsers to always use HTTPS, preventing protocol downgrade attacks and ensuring connections start secure.

Page Complete

You now understand mixed content thoroughly—from the security risks through browser handling, detection, and remediation. Apply this knowledge to audit your applications and ensure HTTPS provides its full security benefits.

Mixed Content: The Hidden HTTPS Vulnerability

When HTTPS Isn't Fully Secure

You've deployed your site over HTTPS, obtained valid certificates, and watched the padlock appear in browsers. Your site is secure, right? Not necessarily.

What You Will Learn

Understanding Mixed Content

The Fundamental Problem:

HTTPS provides three guarantees:

Confidentiality: Encrypted data can't be read by network observers
Integrity: Modified data will be detected and rejected
Authenticity: You're communicating with the intended server

Mixed content breaks all three guarantees for the HTTP resources:

https://secure-bank.com/dashboard
    │
    ├── loads https://secure-bank.com/app.js    ✓ Protected
    ├── loads https://secure-bank.com/style.css ✓ Protected
    │
    └── loads http://cdn.example.com/widget.js  ✗ EXPOSED!
              ↑
              Man-in-the-middle can:
              - Read all data in this request
              - Modify the response (inject malicious code)
              - Impersonate the resource server

The Attack Scenario

Why Does Mixed Content Exist?

Mixed content typically appears due to:

Legacy Integration: Old code written before HTTPS became universal
Third-Party Resources: CDNs, analytics, ads that only support HTTP
Hardcoded URLs: http:// explicitly written in HTML/CSS/JS
User-Generated Content: Users pasting HTTP links
Backend-Generated URLs: Server code constructing HTTP URLs
Protocol-Relative URLs: //example.com/resource on HTTP sites later migrated to HTTPS

Request Flow Comparison:

Converting Mermaid diagram...

Active vs Passive Mixed Content

Not all mixed content is equally dangerous. Browsers distinguish between two categories based on the potential impact of compromise:

Active Mixed Content (High Risk)

Active mixed content can modify the DOM, execute code, or interact with the page. Compromise of active content gives attackers full control of the page.

Blocked by default in all modern browsers.

Active Mixed Content Types
Resource Type	HTML Element	Risk
JavaScript	<script src="http://...">	Execute arbitrary code, steal all data
CSS Stylesheets	<link rel="stylesheet" href="http://...">	Can exfiltrate data via CSS injection
Iframes	<iframe src="http://...">	Full page takeover, phishing
XMLHttpRequest/Fetch	fetch('http://...')	Data exfiltration, CSRF
Web Workers	new Worker('http://...')	Background code execution
Fonts (@font-face)	@font-face { src: url('http://...') }	Limited, but possible exploits
Object/Embed	<object data="http://...">	Plugin code execution

Passive (Display) Mixed Content (Lower Risk)

Passive mixed content cannot execute code or directly access page content. The impact of compromise is limited to the content itself.

May be loaded with warnings, or blocked in stricter modes.

Passive Mixed Content Types
Resource Type	HTML Element	Risk
Images	<img src="http://...">	Display falsified images, track users
Video	<video src="http://...">	Replace video content, tracking
Audio	<audio src="http://...">	Replace audio, limited tracking

Passive Content Still Matters

Why the Distinction?

Browsers make this distinction for practical migration reasons:

Active content is always blocked — The risk is too high to allow any execution
Passive content may be allowed with warnings — Enables gradual migration without completely breaking sites
Upgradeable resources — Some browsers automatically upgrade HTTP to HTTPS for certain resources

The Evolution:

Era	Active Mixed Content	Passive Mixed Content
Early 2010s	Warning only	No warning
Mid 2010s	Blocked by default	Warning shown
Late 2010s	Blocked	Blocked or upgraded
2020s	Blocked	Auto-upgraded to HTTPS

Modern browsers (Chrome 80+) attempt to auto-upgrade passive mixed content to HTTPS. If the HTTPS version fails, the resource is blocked.

How Browsers Handle Mixed Content

Browsers implement sophisticated mixed content protection, but behavior varies across browsers and evolves over time.

Chrome Mixed Content Behavior (2024):

Active Mixed Content: Blocked unconditionally, console error
Mixed Images: Auto-upgraded to HTTPS, blocked if fails
Mixed Audio/Video: Auto-upgraded to HTTPS, blocked if fails
Mixed Downloads: Blocked for dangerous file types (exe, dmg, etc.)

Visual Indicators:

🔒 Secure (HTTPS, no mixed content)
     → "Connection is secure" in address bar

⚠️  Not Secure (mixed content detected)
     → Warning triangle, "Not secure" or "Mixed content"

🔓 Not Secure (HTTP page or severe issues)
     → "Not secure" prominently displayed

Console Errors and Warnings:

// Active mixed content (script)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, 
but requested an insecure script 'http://cdn.example.com/widget.js'. 
This request has been blocked; the content must be served over HTTPS.

// Passive mixed content (image, before auto-upgrade)
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, 
but requested an insecure image 'http://cdn.example.com/photo.jpg'. 
This content should also be served over HTTPS.

// Auto-upgrade notification
Automatically upgrading a mixed content request from 
'http://cdn.example.com/photo.jpg' to 'https://cdn.example.com/photo.jpg'

Firefox Behavior:

Similar to Chrome with some differences:

Uses shield icon to indicate blocked content
"Enable Protection" / "Disable Protection" toggle in URL bar
Settings page for per-site exceptions (not recommended)

Safari Behavior:

Blocks all active mixed content
Blocks mixed video/audio
May load mixed images with warnings in some contexts

Auto-Upgrading Mixed Content

Mixed Content in Different Contexts:

Context	Active Content	Passive Content
Top-level HTTPS page	Blocked	Auto-upgraded
HTTPS iframe on HTTPS page	Blocked	Auto-upgraded
HTTP iframe on HTTPS page	Blocked entirely	Blocked entirely
HTTPS worker on HTTPS page	Blocked	N/A
Service Worker scope	Must be same-origin HTTPS	N/A

The upgrade-insecure-requests Directive:

CSP can instruct browsers to upgrade all requests:

Content-Security-Policy: upgrade-insecure-requests

This tells the browser to automatically rewrite all HTTP URLs to HTTPS before making requests. Unlike browser auto-upgrade, this applies to ALL resources, not just passive content.

Detecting Mixed Content

Finding all mixed content in a web application requires systematic detection across multiple sources.

Method 1: Browser Developer Tools

The most immediate approach—check the console after loading pages over HTTPS:

1. Open DevTools (F12)
2. Navigate to Console tab
3. Filter by "Mixed Content" or look for warnings
4. Check Network tab for HTTP requests
   - Filter: "scheme:http" or look for 🔓 icons

Limitations: Only detects mixed content on pages you visit, doesn't catch dynamic content or edge cases.

Method 2: Content Security Policy Reporting

Deploy CSP in report-only mode to collect violations:

Content-Security-Policy-Report-Only: 
  default-src https:;
  report-uri https://example.com/csp-reports;
  report-to csp-endpoint;

Report-To: {
  "group": "csp-endpoint",
  "max_age": 86400,
  "endpoints": [
    { "url": "https://example.com/csp-reports" }
  ]
}

Browsers will report violations without blocking, allowing you to discover mixed content from real user traffic.

CSP Report Format:

{
  "csp-report": {
    "document-uri": "https://example.com/page",
    "violated-directive": "img-src https:",
    "blocked-uri": "http://cdn.example.com/image.jpg",
    "line-number": 42,
    "source-file": "https://example.com/app.js"
  }
}

Method 3: Automated Scanners

Tools that crawl your site and identify mixed content:

# WebPageTest (includes mixed content detection)
https://www.webpagetest.org

# SSL Labs (certificate check + mixed content)
https://www.ssllabs.com/ssltest/

# Why No Padlock (targeted mixed content finder)
https://www.whynopadlock.com/

# Lighthouse (Chrome DevTools or CLI)
lighthouse https://example.com --output json

Method 4: Source Code Analysis

Grep for HTTP URLs in your codebase:

# Find hardcoded HTTP URLs in code
grep -rn 'http://' --include='*.html' --include='*.js' --include='*.css' .

# More targeted search
grep -rn 'src="http://' --include='*.html' .
grep -rn "src='http://" --include='*.html' .
grep -rn 'url(http://' --include='*.css' .

Mixed Content Detection Checklist

•Static HTML files — Search for src=, href=, action= with HTTP URLs
•CSS files — Search for url(http://...) in stylesheets
•JavaScript — Search for hardcoded HTTP URLs in fetch/XHR calls
•Server templates — Check URL generation in backend code
•CMS content — User-generated content may contain HTTP links
•Third-party widgets — Embedded content, analytics, ads
•Build processes — Asset URLs injected during build
•CDN configuration — Verify CDN serves content over HTTPS

Continuous Monitoring

Fixing Mixed Content: Remediation Strategies

Once mixed content is identified, remediation follows a systematic approach. The strategy depends on the source of the mixed content.

Strategy 1: Use Protocol-Relative URLs (Transitional)

<!-- Instead of -->
<script src="http://cdn.example.com/lib.js"></script>

<!-- Use -->
<script src="//cdn.example.com/lib.js"></script>

Protocol-relative URLs inherit the page's protocol. On HTTPS pages, they become HTTPS requests.

⚠️ Warning: This is a transitional solution. If the HTTPS version doesn't exist, this will break. Modern best practice is explicit HTTPS.

Strategy 2: Use Explicit HTTPS URLs (Recommended)

<!-- Best practice: explicit HTTPS -->
<script src="https://cdn.example.com/lib.js"></script>
<img src="https://images.example.com/photo.jpg">
<link rel="stylesheet" href="https://example.com/style.css">

This is the most reliable approach—ensures HTTPS is always used, fails loudly if HTTPS isn't available.

Strategy 3: Update Server URL Generation

Backend code often constructs URLs. Ensure HTTPS is used:

# Python/Django
from django.contrib.sites.models import Site

# Bad: may return HTTP
site = Site.objects.get_current()
url = f"http://{site.domain}/path"  

# Good: use request scheme or force HTTPS
url = request.build_absolute_uri('/path')  # Uses request's scheme
url = f"https://{site.domain}/path"  # Explicit HTTPS

// Node.js/Express
// Bad
const url = `http://${req.headers.host}/path`;

// Good: check for HTTPS or X-Forwarded-Proto
const protocol = req.secure || req.headers['x-forwarded-proto'] === 'https' 
  ? 'https' : 'http';
const url = `${protocol}://${req.headers.host}/path`;

// Best: always use HTTPS in production
const url = `https://${req.headers.host}/path`;

Strategy 4: Configure CDNs and Third Parties

Ensure all external services support HTTPS:

CDN Configuration:
├── Verify SSL/TLS is enabled on CDN
├── Update CDN origin to use HTTPS
├── Force HTTPS in CDN settings
└── Update all CDN URLs in application

Third-Party Services:
├── Google Analytics: Already HTTPS
├── Font services: Use HTTPS URLs
├── Ad networks: Contact for HTTPS support
└── Widgets: Update embed codes

Strategy 5: Use CSP upgrade-insecure-requests

For sites with many HTTP references, CSP can auto-upgrade:

# Upgrade all HTTP requests to HTTPS
Content-Security-Policy: upgrade-insecure-requests

How it works:

Browser intercepts all resource requests
HTTP URLs are rewritten to HTTPS
Request is made to HTTPS version
If HTTPS fails, request fails (no fallback to HTTP)

This is a transition tool, not a permanent solution—fix the underlying URLs.

Testing Upgrade-Insecure-Requests

Strategy 6: Handle User-Generated Content

User content (comments, profiles, CMS entries) may contain HTTP links:

// Sanitize on input or output
function sanitizeContent(html) {
  // Replace HTTP with protocol-relative for same-site resources
  return html.replace(
    /src=["']http:\/\/example\.com\//g,
    'src="https://example.com/'
  );
}

// Or convert all image sources to HTTPS
function upgradeImageUrls(html) {
  return html.replace(
    /<img([^>]*)src=["']http:\/\//gi,
    '<img$1src="https://'
  );
}

For truly external HTTP images, consider:

Proxy through your HTTPS server
Replace with placeholder indicating insecure content
Store copies of images on your HTTPS CDN

Content Security Policy for Mixed Content Protection

Content Security Policy (CSP) provides the most robust defense against mixed content by explicitly declaring what sources are permitted for each resource type.

Basic HTTPS-Enforcing CSP:

Content-Security-Policy: default-src https:; script-src https:; style-src https:; img-src https: data:; font-src https: data:;

This policy:

Allows all resources ONLY from HTTPS sources
Includes data: URIs for inline images and fonts (common requirement)
Blocks any HTTP resources

Strict CSP with Specific Sources:

Content-Security-Policy: 
  default-src 'none';
  script-src 'self' https://cdn.example.com;
  style-src 'self' https://fonts.googleapis.com;
  img-src 'self' https://images.example.com data:;
  font-src 'self' https://fonts.gstatic.com;
  connect-src 'self' https://api.example.com;
  frame-src https://www.youtube.com;
  base-uri 'self';
  form-action 'self';

CSP Directives for Mixed Content:

Directive	Controls	Example
`default-src`	Fallback for all resource types	`default-src https:`
`script-src`	JavaScript sources	`script-src https://cdn.example.com`
`style-src`	CSS sources	`style-src 'self' https:`
`img-src`	Image sources	`img-src https: data:`
`font-src`	Font sources	`font-src https://fonts.gstatic.com`
`connect-src`	Fetch/XHR/WebSocket	`connect-src https://api.example.com`
`frame-src`	iframe sources	`frame-src https:`
`media-src`	Audio/video	`media-src https:`
`object-src`	Plugins (Flash, etc.)	`object-src 'none'`
`block-all-mixed-content`	Block all mixed content	`block-all-mixed-content` (deprecated)
`upgrade-insecure-requests`	Auto-upgrade HTTP to HTTPS	`upgrade-insecure-requests`

block-all-mixed-content vs upgrade-insecure-requests:

# Block approach: any HTTP request fails
Content-Security-Policy: block-all-mixed-content

# Upgrade approach: try HTTPS first, fail if unavailable  
Content-Security-Policy: upgrade-insecure-requests

upgrade-insecure-requests is generally preferred—it provides a migration path while still ensuring security.

CSP Migration Strategy

Implementing CSP:

# Nginx
add_header Content-Security-Policy "default-src https:; upgrade-insecure-requests;" always;

# Report-only mode for testing
add_header Content-Security-Policy-Report-Only "default-src https:; report-uri /csp-reports;" always;

// Express.js using helmet
const helmet = require('helmet');

app.use(helmet.contentSecurityPolicy({
  directives: {
    defaultSrc: ["'self'", "https:"],
    scriptSrc: ["'self'", "https://cdn.example.com"],
    imgSrc: ["'self'", "https:", "data:"],
    upgradeInsecureRequests: [],
  },
}));

<!-- Meta tag (limited, can't use report-uri) -->
<meta http-equiv="Content-Security-Policy" 
      content="default-src https:; upgrade-insecure-requests;">

Edge Cases and Gotchas

Mixed content detection and prevention has several edge cases that can trip up even experienced developers.

Common Mixed Content Gotchas

•Dynamic Content Injection JavaScript that constructs URLs may use HTTP based on variables or API responses. Test with production-like data.
•CSS url() References Background images, fonts, and cursors in CSS can introduce mixed content. Tools often miss these.
•Favicon HTTP favicons are fetched separately and may be missed. Use <link rel="icon" href="https://..."> explicitly.
•manifest.json Icons PWA manifests reference icons that must be HTTPS. Check app manifest files.
•Open Graph / Twitter Cards Social media meta tags with HTTP image URLs may not trigger browser warnings but will fail on social platforms.
•Sourcemaps JavaScript sourcemaps referenced via //# sourceMappingURL= can be HTTP. Not a security issue but may confuse debuggers.
•WebSocket Connections ws:// on an HTTPS page is mixed content. Use wss:// for secure WebSockets.
•Service Worker Scope Service workers must be served over HTTPS and can only control HTTPS pages. Any HTTP requests will bypass the worker.

The Referrer-Policy Interaction:

When following HTTP links from HTTPS pages, the Referrer header behavior depends on Referrer-Policy:

# Strict: no referrer to HTTP destinations
Referrer-Policy: strict-origin-when-cross-origin

# With this policy:
https://example.com → https://other.com → Referrer: https://example.com/
https://example.com → http://other.com  → Referrer: (none)

This is a security feature—HTTPS page URLs shouldn't leak to HTTP destinations.

The <base> Tag Trap:

<!-- If your page has -->
<base href="http://example.com/">

<!-- Then relative URLs become HTTP -->
<script src="/app.js"></script>  <!-- Becomes http://example.com/app.js -->

Ensure <base> tags use HTTPS or remove them entirely.

Iframes and Nested Contexts

Planning an HTTP to HTTPS Migration

Migrating a site from HTTP to HTTPS while avoiding mixed content requires systematic planning.

Phase 1: Audit (Before Migration)

Crawl entire site and catalog all HTTP resource references
Identify third-party services and confirm HTTPS support
Check CDN HTTPS configuration
Review server-side URL generation code
Audit CMS content for hardcoded HTTP links

Phase 2: Prepare Resources

Configure all servers/CDNs for HTTPS
Obtain and install certificates
Test HTTPS versions of all resource URLs
Update hardcoded URLs in codebase
Configure server URL generation for HTTPS

Phase 3: Deploy with CSP

# Start with report-only to detect issues
Content-Security-Policy-Report-Only: 
  default-src https:;
  upgrade-insecure-requests;
  report-uri /csp-reports;

Monitor reports, fix violations, iterate.

Converting Mermaid diagram...

Phase 4: Migration Execution

Deploy upgrade-insecure-requests CSP
Enable HTTP to HTTPS redirects (301 Permanent)
Update canonical URLs and sitemaps
Submit updated sitemaps to search engines
Monitor for mixed content reports and errors

Phase 5: Lock Down with HSTS

Once confident there's no mixed content:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

This instructs browsers to always use HTTPS, preventing any HTTP requests.

Phase 6: Ongoing Monitoring

Keep CSP reporting enabled
Monitor for new violations from deployments/content changes
Periodically audit third-party resources
Test with automated tools in CI/CD

CI/CD Integration

Add mixed content checks to your CI/CD pipeline using tools like Lighthouse or custom scripts. Catch mixed content introduction before it reaches production.

Summary: Mixed Content Mastery

We've comprehensively explored mixed content—the subtle vulnerability that can undermine HTTPS security. Let's consolidate the essential concepts:

Key Takeaways

•Mixed Content Definition — HTTP resources loaded on HTTPS pages, breaking confidentiality, integrity, and authenticity.
•Active vs Passive — Active content (scripts, iframes) is blocked; passive content (images) may be auto-upgraded or warned.
•Browser Behavior — Modern browsers block active mixed content and auto-upgrade passive content to HTTPS.
•Detection — Use browser DevTools, CSP reporting, automated scanners, and codebase searches.
•Remediation — Update to explicit HTTPS URLs, configure servers/CDNs, use CSP upgrade-insecure-requests.
•CSP Protection — Content-Security-Policy with HTTPS-only sources provides robust defense.
•Migration Planning — Audit → Prepare → Deploy CSP → Fix → Enforce → HSTS → Monitor.

What's Next:

Page Complete