- Published on
Can I use http on a website using https?
- Authors
- Name
- AmBob
- @millken2
Can I use http on a website using https?
Answer:
Before, you could use http through Upgradeable Content such as img and video, but now you can't, because using http to request/respond/download something on a website using https will generate mixed content, which is unsafe and will be directly blocked by the browser.
Background Introduction
Imagine a scenario where we use an HTTP get request to obtain some data on a website using the https protocol. Our browser will block this request and report an error in the console, as follows:
Mixed Content: The page at '<URL>' was loaded over HTTPS,
but requested an insecure XMLHttpRequest
endpoint '<URL>'. This request has been blocked; the content must be served over HTTPS.
Then an important concept is involved here. What is Mixed Content and why is it blocked?
Then we will focus on these concepts and see what the browser does to ensure our security and how to avoid these errors.
Introduction to Mixed Content
As for what is mixed content, the key to understanding it lies in this mix, which is translated as mixing. Well, that is to say, the condition for generating mix is that we use unsafe operations on a secure website, such as:
- request
- response
- or through an insecure download
and so on, all of which are called mixed content.
The security of mixed content is divided into two categories:
- Relatively unsafe, can be upgraded: Upgradeable Content
- Very unsafe, must be upgraded: Blockable Content
(PS: The upgrade here is, for example, upgrading http to https)
Upgradeable Content
These resource types are Upgradeable does not mean they are safe, but they are less catastrophic than other resource types.
For example, images and icons are often central UI elements in application interfaces. If an attacker reverses the "delete email" and "reply" icons, it will have a real impact on users.
Common Upgradeable Content types are as follows:
<img> (src attribute)
<audio> (src attribute)
<video> (src attribute)
<object> subresources (when an <object> performs HTTP requests)
Blockable Content
Definition: Any mixed-content that cannot be Upgradeable as defined above is considered Blockable Content.
Common Blockable Content types are as follows: html <script> (src attribute) <link> (href attribute) (this includes CSS stylesheets) <iframe> (src attribute) fetch() requests XMLHttpRequest requests All cases in CSS where a url() value is used (@font-face, cursor, background-image, and so forth). <object> (data attribute) Navigator.sendBeacon (url attribute)