On an SSL-enabled site, why does some non-SSL content only trigger an alert, whereas other content is blocked?
And is this behaviour consistent across all browsers, or does it vary?
The specific instance I’m thinking of is audio streaming - a non-SSL stream seems to simply trigger a warning but still play, whereas ‘now playing’ scripts (on the same server) are blocked.
UPDATE… I’ve since learned that this is ‘active and passive content’, with scripts being considered ‘active’ and a greater risk - and so are blocked.
Indeed. In fact, depending upon how secured a network is (such as DoD), ANY JavaScript in a PDF can be automatically considered malware and be blocked, or at least trigger an alert to a Network Intrusion Detection department.
If the site in question is one that you are designing/developing/maintaining, then may I suggest using protocol-agnostic links? For local stuff, you can still use things like “…/scripts/jquery.js”, but anything off-domain - remove the protocol and just use //. (i.e., “//www.google.com/” as the href or src.)
Well, I can’t speak to the speed of protocol-agnostic links, but it’s handy when switching between an http DEV and https PRODUCTION. I’ll have to look up if there are any differences between browsers/platforms.
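The active/passive split discussed in this thread, as an added example that is not part of any post above: a small audit that lists which subresources an https page would request over plain http and whether each falls in the "active" or "passive" group. The tag lists are a simplification assumed for this example, and the hostnames and sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Simplified tag lists (an assumption of this example, not a full browser policy).
ACTIVE = {"script", "iframe", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}


class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheet links are treated as active content here.
            rel = (a.get("rel") or "").lower().split()
            ref = a.get("href")
            category = "active" if "stylesheet" in rel else None
        else:
            ref = a.get("src") or a.get("data")
            category = "active" if tag in ACTIVE else "passive" if tag in PASSIVE else None
        if not ref or category is None:
            return
        # urljoin resolves relative and protocol-relative ("//host/path") references
        # against the page URL, so "//" inherits the page's own scheme.
        resolved = urljoin(self.page_url, ref)
        if urlsplit(self.page_url).scheme == "https" and urlsplit(resolved).scheme == "http":
            self.findings.append((category, tag, resolved))


def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; hostnames are placeholders.
SAMPLE = """
<script src="http://radio.example/nowplaying.js"></script>
<audio src="http://radio.example/stream.mp3"></audio>
<script src="//cdn.example/jquery.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src="http://radio.example/cover.png">
"""

if __name__ == "__main__":
    for category, tag, url in audit("https://www.example/", SAMPLE):
        print(f"{category:8} <{tag}> {url}")
```

The protocol-relative and site-relative references produce no finding on the https page because they resolve to https, which is why they work unchanged on both an http DEV and an https PRODUCTION site.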