0

I'm having a website which a part of HTML is loaded from external, in this part, they defined some resource such as javascript or css and these resources will be a part of my website (for stylesheet or javascript interaction)

Unfortunately, my owned website is running under a HTTPS, and external part contains some resources under HTTP, it's not good practice because inside a HTTPS page, there are no insecure content allowed. I don't have right to change everything in external to https, so I have to give a solution for this issue, something I was thinking about that is building an engine for parsing all external content, and change all links in http to valid URL, however there are several issues because I don't know what content contained within it.

If you were me, what solution should be given?

Cœur
  • 37,241
  • 25
  • 195
  • 267
Khoi Nguyen
  • 1,072
  • 2
  • 15
  • 32
  • Possible duplicate http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site/25189561#25189561 – Matthew Peters Aug 07 '14 at 18:50

1 Answers1

0

Personally... I wouldn't use off-site content that i don't control on a page worthy of ssl-encryption (aka could be made malicious by a hacker or annoyed dev).

However, if you must do it, then your only option is some sort proxy, that parses the off-site content before being loaded into your page. If it's static, or at least doesn't change on every request, you could cache it to improve load times and save parsing it on every request.

That is of course assuming the off-site content cannot be made to use https anyway (can you just pass //offsite-com/script.js instead and the off-site content auto-detect whether to return any url's as https

Lee
  • 10,496
  • 4
  • 37
  • 45
  • Thanks Lee, you mean we'll cache the content and process it before, right? however, I think we will have to build an HTML engine like a browser. Because if in the external, they provide a stylesheet file with some links to insecure images, we are unable to know that without trying to render the content first – Khoi Nguyen Sep 10 '13 at 16:16
  • Without knowing the exact external content and how it's used, it's hard to provide an good answer as its a fairly specific problem to your scenario. In most cases, if you link to the stylesheet via https, you should be fine as stylesheets tend to use relative url's to resources, but thats not always the case, so once again, its dependant on the specifics of your situation – Lee Sep 10 '13 at 16:19
  • The content from external site are totally trusted, however I have no right to change anything on it, I know that there are some links to image inside stylesheet file and have to change it to something which valid. – Khoi Nguyen Sep 10 '13 at 16:28
  • This cant be solved by using iframe to show the external content? – Mr Zach Jan 03 '19 at 05:57