
Tips on loading external css and javascript over https

When setting up a site to run over https://, is there a way to stop the page from blocking any external CSS or JavaScript loaded from standard http://?

Some of the external files are under the same domain, so could be called via https://, but some are from another domain that has no secure connection available.

There shouldn't be. Such security measures are in place for good reason.

Even if you could remove them, doing so would be a very bad idea.

A man-in-the-middle attack would allow the JS or CSS (which can have embedded JS via various browser extensions) to be substituted.

This would allow an attacker to run any JS they liked on the page.

That JS could grab any data from the page and send it to the attacker.

The page would not be secure.

Copy the assets somewhere that you can access them over HTTPS.

You can rewrite your links without using a scheme (like "//example.com/styles/mystyle.css").

See this question for details.

In case some external content is unavailable via HTTPS, you can make an HTTPS proxy on your server (with some sort of caching and ACL if you like).
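
An added example, not part of any of the posts above: a small audit script that lists the script, stylesheet and iframe references a browser would block on an HTTPS page, and sorts them into the two cases from the question (same host, so the link can simply be upgraded; another host, so the asset has to be copied or proxied). The function names, the exact-hostname comparison and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag -> attribute whose fetch can run code in, or restyle, the page.
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = ACTIVE.get(tag)
        if attr is None or not attrs.get(attr):
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = attrs[attr].strip()
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            return  # https://, scheme-relative //host/path and relative paths are fine
        if parts.hostname == self.page_host:
            # Same host as the page (assumed to serve HTTPS): rewrite the link.
            fix = urlunsplit(parts._replace(scheme="https"))
            self.findings.append((tag, url, "upgrade", fix))
        else:
            # Other host: only safe once copied to, or proxied by, an HTTPS origin.
            self.findings.append((tag, url, "self-host-or-proxy", None))

def audit(html, page_url):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<link rel="stylesheet" href="//static.example.net/theme.css">
<script src="http://legacy.example.org/widget.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="/js/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for tag, url, action, fix in audit(SAMPLE, "https://www.example.com/checkout"):
        print(f"{tag:7} {url} -> {action}" + (f" ({fix})" if fix else ""))
```
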
