
Suppose my website is over HTTPS and I need to load a CSS or Object resource from HTTP, how can I do this?

Please note that I'm able to add Content-Security-Policy to the response headers over the HTTPS website, but I don't exactly know how I can do this. Can someone give me a solution?

Pooja Kedar
Afshin Mehrabani

1 Answer


There is no solution. Modern browsers will deny using non-https resources in pages served by https, because you effectively undermine the security model of https this way. CSP will not help because it does not fix the issue. Your only choice is to either serve the site by http or to proxy includes from external non-https sites through your own site. But note that the latter option might affect the security model too, because now these external resources are seen as originating from the same domain as your own content and thus could misuse the same origin policy.

Steffen Ullrich
    As the owner of the website, I should be able to decide whether loading HTTP contents are possible or not. Are you sure there is no solution? – Afshin Mehrabani Feb 14 '15 at 20:18
    If you don't need the security offered by HTTPS you are free to provide the full content with HTTP instead. But the idea is that any content included into an HTTPS page should have the same protection as the page itself, because otherwise it could compromise the security of the page. – Steffen Ullrich Feb 14 '15 at 20:31