22

I'm using Jira in https and I have some adjustments I'd like to make with some extra JS. My JS is hosted on an insecure server (no https available).

When I dynamically load the insecure JS file by inserting it into the DOM (using a browser extension), Chrome tells me:

[blocked] The page at https://jiraserver/browse ran insecure content from http://myserver/jira.js.

I can see how this is very secure and all, but I don't care. I want to load that insecure JS file. How can I tell Chrome to trust me and just do what I say?

My insertion method (in the extension code):

document.body.appendChild((function(s){s.src='http://myserver/jira.js';return s;})(document.createElement('script')));
Rudie
  • 1
    why can't you use "https:// myserver/jira.js" ? – ama2 Dec 27 '12 at 17:45
  • Why not append the source of jira.js to the body instead of trying to have the browser download it? – jeremy Dec 27 '12 at 17:50
  • @ama2 Because `myserver` doesn't serve https. It doesn't have a certificate. @jeremy How would I get the source code? The point is to have the source code 'dynamic' so it can change on myserver and automatically change on `jiraserver`. – Rudie Dec 28 '12 at 00:57
  • 2
    I think this answers your question better: http://superuser.com/questions/487748/how-to-allow-chrome-browser-to-load-insecure-content – Tony Chen Oct 02 '13 at 02:28

4 Answers

19

According to this Chrome Support Q&A you can launch your Chrome with the following command line flag to prevent Chrome from checking for insecure content:

--allow-running-insecure-content

Here is some documentation on how to run Chrome with command flags.

rstackhouse
ariera
  • 1
    Woohoo! Grazi. I actually think I've seen that page before... Maybe I thought it was too much of an effort to add that flag. Still think it's stupid it's not a configurable. – Rudie Mar 14 '13 at 20:14
  • For Mac users: `'/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' --allow-running-insecure-content > /dev/null 2>&1 &` from http://superuser.com/a/524510/290504 – Anderson Jan 27 '14 at 07:49
  • @Rudie Was it solved? I can't solve this problem with the flag. – verystrongjoe Jun 05 '15 at 10:55
  • @verystrongjoe I think that did it, but it's been a while and I have an HTTPS server these days, so don't need the flag anymore. Maybe they've removed it... I'm curious now. Do you have a test page? – Rudie Jun 05 '15 at 17:02
  • @Rudie You MEAN the test page is my application on my google appengine? – verystrongjoe Jun 06 '15 at 00:08
  • 1
    @verystrongjoe I don't MEAN anything. I was asking if there is a testpage I can use to try it out on my machine. – Rudie Jun 06 '15 at 09:59
3

Chrome simply will not load an insecure script in a secure page.

Does your jira.js have to be loaded from a server? The best way to inject it into the page would be by including it in your extension bundle.

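// Build a chrome-extension:// URL for the bundled copy of jira.js.
// chrome.runtime.getURL replaces the deprecated chrome.extension.getURL;
// jira.js must also be listed under web_accessible_resources in the manifest.
var s = document.createElement('script');
s.src = chrome.runtime.getURL("jira.js");
s.onload = function() {
    // The script has already run; remove the tag to leave the DOM clean.
    this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);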

If you must load it from a server, I suppose your extension could make a XHR request for the script, then inject the response into the page.

// make a XHR request, then...
var s = document.createElement('script');
s.textContent = codeFromXHR;
(document.head||document.documentElement).appendChild(s);
s.parentNode.removeChild(s);
josh3736
  • Will XHR respect caching? Downloading it again and again is... suboptimal. Can't I just tell Chrome to ignore its stupid security rules?? It's my computer! There must be a flag =( – Rudie Dec 28 '12 at 00:59
  • I don't think you're supposed to inject stuff into `document.documentElement` btw... =) Only head and body 'allowed' http://www.w3.org/TR/html401/sgml/dtd.html#html.content – Rudie Dec 28 '12 at 01:05
  • Yes, XHR follows all applicable caching rules the same as the 'regular' browser. You can't simply bypass the security rules -- they wouldn't be providing much security if you could. – josh3736 Jan 04 '13 at 02:59
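
The blocking rule described in the answer above, as an added example (not code from any poster on this page): a simplified JavaScript model of the mixed-content decision, run over a constructed list of loads for the question's page. The function names, the verdict strings and every sample URL other than `http://myserver/jira.js` are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser's mixed-content decision.
// Function names and verdict strings are illustrative, not a browser API.

// Request destinations that browsers try to upgrade to https instead of
// blocking outright; every other destination (script, style, ...) is blocked.
const UPGRADEABLE = new Set(['image', 'audio', 'video']);

// Simplified "potentially trustworthy" test: TLS schemes and loopback hosts.
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const host = u.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]';
}

// Returns 'not-mixed', 'upgrade' or 'block' for one subresource load.
function classifyLoad(pageUrl, resourceUrl, destination) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, page); // resolves relative and //host URLs
  if (page.protocol !== 'https:') return 'not-mixed'; // insecure page: no check
  if (isPotentiallyTrustworthy(resource)) return 'not-mixed';
  return UPGRADEABLE.has(destination) ? 'upgrade' : 'block';
}

// Keep only the loads that would trigger mixed-content handling.
function auditLoads(pageUrl, loads) {
  return loads
    .map(l => ({ ...l, verdict: classifyLoad(pageUrl, l.url, l.destination) }))
    .filter(l => l.verdict !== 'not-mixed');
}

const PAGE = 'https://jiraserver/browse';
const LOADS = [ // constructed sample; only the first URL appears in the question
  { url: 'http://myserver/jira.js', destination: 'script' },
  { url: '//myserver/jira.js', destination: 'script' },   // inherits https
  { url: 'https://myserver/jira.js', destination: 'script' },
  { url: 'http://myserver/client.css', destination: 'style' },
  { url: 'http://myserver/logo.png', destination: 'image' },
  { url: 'http://localhost:8080/jira.js', destination: 'script' },
];

for (const l of auditLoads(PAGE, LOADS)) {
  console.log(`${l.verdict.padEnd(8)} ${l.destination.padEnd(7)} ${l.url}`);
}
```

A load marked `upgrade` is retried over https and dropped if that fails, so only a TLS-served copy of the file passes for every destination type.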
1

I had the same problem: Our client links a CSS file and a JS file hosted on our server on a domain which is not secure.

We will solve it by using Amazon CloudFront. They serve HTTPS using their certificates, which are verified.

That's not a bad solution for us since a CDN is often a good idea and these resources are somewhat static. (The CSS file is tailored for each client and is in fact generated, but a sane TTL can be configured and the CDN flushed if required.)

Note that the CDN solution may even be more affordable than actually buying a certificate depending on your data load.

programaths
0

I have faced the same issue and found that if we are logged in to our Google account in Chrome, then Chrome stops loading the insecure content in https.

If we use an incognito window to load the website which has insecure content, then it will work.

Amit Garg