Handling of non-ssl content on SSL site?


On an SSL-enabled site, why does some non-SSL content only trigger an alert, whereas other content is blocked?
And is this behaviour consistent across all browsers, or does it vary?

The specific instance I'm thinking of is audio streaming - a non-SSL stream seems to simply trigger a warning but still play, whereas 'now playing' scripts (on the same server) are blocked.

UPDATE... I've since learned that this is 'active and passive content', with scripts being considered 'active' and a greater risk - and so are blocked.


Indeed. In fact, depending upon how secured a network is (such as DoD), ANY Javascript in a PDF can be automatically considered malware and be blocked, or at least trigger an alert to a Network Intrusion Detection department.

If the site in question is one that you are designing/developing/maintaining, then may I suggest using protocol agnostic links? For local stuff, you can still use things like "../scripts/jquery.js", but anything off domain - remove the protocol and just use //. (ie; "//www.google.com/" as the href or src.)


^ _ ^




I've also noticed how various browsers differ in how they treat such things - some still display the padlock, and other don't.

I'd seen 'agnostic' links, but hadn't understood them... and now see the benefit (and potential disadvantages - slower than HTTP/2).


Well, I can't speak to the speed of protocol agnostic links, but it's handy when switching between an http DEV and https PRODUCTION. I'll have to look up if there are any differences between browsers/platforms.


^ _ ^