Mixed content in Chrome and IE

Question

In my HTTPS enabled site I have added an iframe that should show content from my other site, but it is not working under https.

<iframe  src="//myothersite.com"></iframe>

In Firefox latest version everything works good.

In Chrome, the iframe isn't loaded and in the console I see these two errors

Mixed Content: The page at 'https://mysite' was loaded over HTTPS, but requested an insecure resource 'http://myothersite.com'. 
This request has been blocked; the content must be served over HTTPS.
Failed to load resource: net::ERR_CACHE_MISS

In IE content load incorrectly and I see an alert message; if I click Allow Insecure Content, it loads correctly.

The question is: how I can do that IE and Chrome as in Firefox (load mixed content without any alerts)?

Note: I haven't changed any browser settings.

score 18 · Accepted Answer · answered Dec 12 '14 at 13:21

18

Actually Firefox has started to do the same: How to fix a website with blocked mixed content

It makes sense. If the user access a site using HTTPS is expecting to have a secured experience, and he may not be aware of parts of the application loading under not secure connections. That is the reason why the browser blocks such inconsistency.

You will need to provide HTTPS on myothersite.com.

answered Dec 12 '14 at 13:21

vtortola

34,709
29
161
263

Ok,It make sence if myothersite.com is not my site.But myothersite.com is my site and I can quarantee secure.I thinck browsers should provide such functionality – vborutenko Dec 12 '14 at 13:25
You cannot guarantee anything. If the connection is not secure, anybody in the middle can eavesdrop the connection. IFRAMEs are like another browser tab, they use their own connection, and in this case it is insecure. – vtortola Dec 12 '14 at 13:32
i agree,but why firefox allow using insecure without any alerts? – vborutenko Dec 12 '14 at 13:49
Firefox's mistake. In the link I provided it says it is blocking mixed content from v23. – vtortola Dec 12 '14 at 14:39

JisuKim82 · Answer 2 · 2015-07-05T03:47:50.903

10

Obviously it's best not to have mixed content to prevent MITM attacks but for those who can't control the url this should do the trick:

Change the src="http://linkToUrl.com" to

src="//linkToUrl.com/script.js"

edited Jul 05 '15 at 03:47

answered Jul 05 '15 at 03:37

JisuKim82

349
2
9

11

That wont solve the problem that sub http request send by the `script.js`. Add this ``. – towry Nov 02 '16 at 05:05
A combination of using src="//linkToUrl.com/script.js" and adding the suggested meta tag @towry has here solved the issue for me. I believe this is the best answer here. – K8sN0v1c3 Feb 27 '19 at 00:33
where do i have to configure this thing? – S Gaber Nov 27 '20 at 01:40
save my day @JisuKim82 – Shurvir Mori Dec 21 '21 at 11:43
At least in Chrome, this only results in an https request being made. It will work if the source is able to serve the content via https, but then you might as well just specify https – James Newton Aug 15 '23 at 22:07

Python Basketball · Answer 3 · 2016-03-08T02:48:47.533

enter image description here

when i set the url : <a href="http://127.0.0.1:8080/download/1.txt"></a> from a https request, it report error : Mixed Content: The page at 'https://127.0.0.1/index.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/download/1.txt'.

This request has been blocked; the content must be served over HTTPS.
Failed to load resource: net::ERR_CACHE_MISS

when i added the target="_blank" to the url: <a target="_blank" href="http://127.0.0.1:8080/download/1.txt">, it works! , it works! it's well known that target="_blank" means opening the linked document in a new window or tab or a new request!

this is in the iframe! – Python Basketball Oct 21 '15 at 02:56 — Python Basketball, Oct 21 '15 at 02:56

score 1 · Answer 4 · answered Nov 20 '16 at 00:59

1

I'm sorry this isn't as technical as the other answers, but I had the same problem linking jsquery like this, and for me it fixed just by changing http:// to https://. It may not work, but it worked for me and it might work for you.

answered Nov 20 '16 at 00:59

RallozarX

11
1

score 0 · Answer 5 · answered Mar 29 '18 at 16:40

0

I'm having other complication with CloudFlare, it doesn't load as the file has been cached as http. Just go to CloudFlare and "Purge Everything" in cache tab, or else turn on "Development Mode".

answered Mar 29 '18 at 16:40

morph85

807
10
18

score -1 · Answer 6 · answered Jul 19 '17 at 10:16

-1

Problem is mixed content, the browser won't allow us to just do that.

You need change url from:

http://example.com

to

//example.com

answered Jul 19 '17 at 10:16

Prais

907
9
14

3

This only works if `example.com` is set up to accept HTTPS requests. It's pretty much the same thing as changing it from `http://example.com` to `https://example.com`. If one fails, they both will. – UncaAlby Jan 06 '20 at 16:52

Mixed content in Chrome and IE

6 Answers6

Linked