
After upgrading to Safari 9 I'm getting this error in the browser:

[Warning] [blocked] The page at https://localhost:8443/login was not allowed to run insecure content from http://localhost:8080/assets/static/script.js.

Anyone knows how to enable the running of insecure content on the new Safari?

Staelen
  • btw, to work around this, we are currently serving all the assets via https. but shouldn't Safari allow a way to enable mixed content? no? – Staelen Oct 01 '15 at 09:00
  • This is extremely frustrating. There are legitimate reasons to need to have a https page that loads something (e.g. an RPC or local service). Apple shouldn't disable behavior without a way to get it back. – Jared Kipe Oct 08 '15 at 18:50
  • Actually this is a reasonable security precaution on Apple's part. By allowing mixed content, someone could inject malicious code or snoop on the session (if it were dynamic). If you're worried about the performance impact of using SSL/TLS, just add HTTP/2 support to your server. Benchmarks show a huge performance improvement that makes it as fast as HTTP/1.1 when fetching a lot of assets or ajax from the same domain. – Lucas Holt Nov 25 '15 at 19:47
  • agree with @JaredKipe - it's especially frustrating where it's a third-party product (we've got a Printer, that services an API via HTTP. It correctly implements CORS). It's simply just a case of "adding TLS" to a server. Safari 9 has now broken existing deployed services. – jrg Dec 15 '15 at 11:36

4 Answers

According to the Apple support forums, Safari does not allow you to disable the block on mixed content.

Though this is frustrating for usability in legitimate cases like yours, it seems to be part of their effort to force secure content serving / content serving best practices.

As a solution, you can either upgrade the HTTP connection to HTTPS (which it seems you have done) or proxy your content through an HTTPS connection with an HTTPS-enabled service (or, in your case, port).

winhowes
  • The problem with this is that certain services stop working (geolocation) if your HTTPS site links to a single HTTP image or other non "secure" resource. This just made Safari 9 unusable – Jamgold Aug 21 '16 at 20:04
  • @Jamgold disabling services for mixed content or HTTP content, even when it's just an image is a good idea on the part of Apple. Because Safari doesn't know what the site intends to do with the insecure content and a network level attacker is able to manipulate insecure content, allowing any insecure content has the potential to compromise user information exposed through services. – winhowes Aug 23 '16 at 16:11
  • as other users pointed out already, sometimes you can't fix the web server the HTML comes from and other times you have an HTTPS web server with content (images) linked from other sites (the original concept of the web, I believe) and overnight Safari broke all of that – Jamgold Sep 27 '16 at 23:47
  • @staelen if this is the right answer would you mind marking it as such? Thanks – winhowes Dec 14 '17 at 23:20

You can fix the HTTPS problem by using HTTPS locally with a self-signed SSL certificate. Heroku has a great how-to article about generating one.

After setting up SSL on all of your development servers, you will still get an error loading the resource in Safari since an untrusted certificate is being used (self-signed SSL certificates are not trusted by browsers by default because they cannot be verified with a trusted authority). To fix this, you can load the problematic URL in a new tab in Safari and the browser will prompt you to allow access. If you click "Show Certificate" in the prompt, there will be a checkbox in the certificate details view to "Always allow content from localhost". Checking this before allowing access will store the setting in Safari for the future. After allowing access, just reload the page originally exhibiting the problem and you should be good to go.

This is a valid use case as a developer but please make sure you fully understand the security implications and risks you are adding to your system by making this change!

munsellj
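The two answers above (proxy the assets through the HTTPS origin; use a self-signed certificate locally) combine into one small server. The following is an added example written for this page, not code from either answerer, from Apple or from Heroku. It generates a self-signed certificate that is valid only for localhost and 127.0.0.1, listens on https://127.0.0.1:8443 and reverse-proxies every request under /assets/ to the plain-HTTP asset server on localhost:8080, so the page at https://localhost:8443/login references its script as https://localhost:8443/assets/static/script.js and Safari's mixed-content block never fires. The ports come from the question; the function names, the /assets/ prefix, the placeholder login page and the 24-hour validity are assumptions. The certificate still has to be trusted once in Safari exactly as munsellj describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"log"
	"math/big"
	"net"
	"net/http"
	"net/http/httputil"
	"net/url"
	"time"
)

// NewLocalhostCert builds a self-signed leaf certificate (not a CA) that is
// valid only for the name "localhost" and the loopback address, and only for
// ttl. Keeping the scope that narrow is what makes Safari's "Always allow
// content from localhost" decision low-risk: the certificate cannot be used
// to impersonate any other host.
func NewLocalhostCert(ttl time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{"localhost"},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true, // IsCA stays false: a leaf, not a CA
	}
	// parent == template makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// NewAssetProxy returns the handler for the HTTPS origin: requests under
// prefix (e.g. "/assets/") are forwarded unchanged to the plain-HTTP asset
// server at assetOrigin, everything else goes to the application handler.
// The browser therefore only ever loads https:// URLs.
func NewAssetProxy(assetOrigin, prefix string, app http.Handler) (http.Handler, error) {
	target, err := url.Parse(assetOrigin)
	if err != nil {
		return nil, err
	}
	mux := http.NewServeMux()
	mux.Handle(prefix, httputil.NewSingleHostReverseProxy(target))
	mux.Handle("/", app)
	return mux, nil
}

func main() {
	cert, err := NewLocalhostCert(24 * time.Hour) // assumed validity
	if err != nil {
		log.Fatal(err)
	}
	// Placeholder login page (constructed); it references the proxied path.
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Write([]byte(`<script src="/assets/static/script.js"></script>`))
	})
	handler, err := NewAssetProxy("http://localhost:8080", "/assets/", app)
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{
		Addr:      "127.0.0.1:8443", // loopback only; never expose this on a network interface
		Handler:   handler,
		TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12},
	}
	log.Fatal(srv.ListenAndServeTLS("", "")) // certificate comes from TLSConfig
}
```

Two points a reviewer would check: the certificate carries only the localhost name and 127.0.0.1 and has no CA bit, so trusting it in Safari cannot be leveraged against any other site; and the hop from the proxy to port 8080 is still cleartext, which is fine on the same machine but is exactly the exposure Safari is blocking if the asset origin were on another host, so the proxy should not simply be pointed at a remote HTTP server.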

If like me you have

  • frontend on port1
  • backend on port2
  • want to load script http://localhost:port1/app.js from http://localhost:port2/backendPage

I have found an easy workaround: simply redirect with http response all http://localhost:port2/localFrontend/*path to http://localhost:port1/*path from your backend server configuration.

Then you could load your script directly from http://localhost:port2/localFrontend/app.js instead of direct frontend url. (or you could configure a base url for all your resources)

This way, Safari will be able to load content from another domain/port without needing any https setup.

Sebastien Lorber

For me, disabling website tracking, i.e. unchecking "Prevent cross-site tracking", worked.

Varun Sukheja