I'm aware that, essentially, HTTPS encrypts data being sent and received, so it seems to me that nothing is compromised except the data being sent to or from HTTP. This question is more for clarification: does having content served over HTTP make other data insecure? For example, if I'm requesting public images over HTTP on my server with SSL, am I compromising anything else besides the data of those images and the privacy that a user is viewing this data?
1 Answer
Chrome and Firefox (I can't speak to Safari and IE; they might as well) block mixed content on an HTTPS page.
If the page's URL has https as the scheme, all assets on that page must be loaded via HTTPS. Images, fonts, JavaScript, iframes - if it's not HTTPS, it won't show up.
It's for the user's protection. There are a variety of potential attacks. An image loaded via HTTP on an HTTPS page could be swapped out for a different image, which might be a problem if your neighbor's face shows up on the FBI's Most Wanted list. A JavaScript asset loaded via HTTP could be MITMed to send your credit card to an attacker's server, etc.
ceejayoz
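To audit a page for the mixed content discussed in the answer above, the following added example (not part of the original question or answer) lists every subresource an HTTPS page references over plain HTTP. The function and class names are hypothetical, and the sample page and its example.com / example.net hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource, per tag.
# <a href> is navigation, not a subresource, so it is not listed.
# Simplification: every <link href> is counted, whatever its rel value.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "iframe": ("src",),
    "link": ("href",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src", "srcset"), "embed": ("src",), "object": ("data",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS.get(tag, ()) or not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            if name == "srcset":
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                # Relative and protocol-relative URLs inherit the page scheme
                resolved = urljoin(self.page_url, url)
                if urlsplit(resolved).scheme == "http":
                    self.findings.append((tag, name, resolved))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page (example.com / example.net are placeholders)
SAMPLE = """
<link rel="stylesheet" href="/site.css">
<img src="http://img.example.net/logo.png">
<img src="//img.example.net/ok.png" srcset="http://img.example.net/a.png 1x, https://img.example.net/b.png 2x">
<script src="http://cdn.example.net/app.js"></script>
<a href="http://example.net/">plain link</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://example.com/", SAMPLE):
        print(f"{tag}[{attr}] -> {url}")
```

Relative and protocol-relative references resolve to the page's own scheme, so only explicit `http://` URLs are reported.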