Insecure content on HTTPS page - javascript

I have a dev site set up that's running under a fake HTTPS. It has a certificate; however, Chrome says it's invalid because of the domain. My real site has a real certificate, however, and I'm wondering if that HTTPS connection will break because of some insecure content on my page.
I'm using Brightcove as a 3rd party video host and when using their embed code, I get these types of errors in the Chrome developer console on my dev site:
The page at https://my.website.com/ displayed insecure content from http://c.brightcove.com/crossdomain.xml.
If I deploy the development version to my live site, will it break the HTTPS seal in the address bar of browsers? HTTPS is very important for my customers so I'd rather not deploy it and just see what happens.
Unfortunately Brightcove doesn't have "true" HTTPS support; it's either get these errors or the video doesn't work. :/
Also, the video is being loaded via JavaScript if that matters.
Thanks!

If you include content from insecure sources (http), the seal will break. It's still safe, but it won't be shown as prominently as on a page with only secure content inclusion.
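An added example, not code from the question or the answer above: it classifies each subresource of an https: page the way browsers do under the W3C Mixed Content spec. Any http: subresource breaks the padlock, as the answer says, but modern browsers go further and refuse "blockable" content outright (scripts, frames, XHR/fetch, WebSockets, anything not in the optionally-blockable set), while images, audio and video load with a downgraded padlock. The page URL, the resource list (apart from the crossdomain.xml URL taken from the console message) and the destination types are constructed for the example.

```javascript
// Added example; not code from the original question or answer.
// Classifies each subresource of an https: page the way browsers do under the
// W3C Mixed Content spec: "blockable" content (scripts, frames, XHR/fetch,
// WebSockets, anything not listed below) is refused outright by modern
// browsers; "optionally-blockable" content (images, audio, video) loads but
// downgrades the padlock. The sample page and resource list are constructed.

// Request destinations the spec lets through with a warning instead of a block.
const OPTIONALLY_BLOCKABLE = new Set(['image', 'audio', 'video']);

// Loopback hosts count as secure even over plain http (Secure Contexts spec).
function isLoopback(hostname) {
  return hostname === 'localhost' || hostname.endsWith('.localhost') ||
    hostname === '[::1]' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

// https:, wss:, data: and blob: never trigger mixed content; http:/ws: only
// pass when they point at a loopback host.
function isPotentiallyTrustworthy(url) {
  if (['https:', 'wss:', 'data:', 'blob:'].includes(url.protocol)) return true;
  return (url.protocol === 'http:' || url.protocol === 'ws:') && isLoopback(url.hostname);
}

function classifyResource(pageUrl, resourceUrl, destination = 'other') {
  const page = new URL(pageUrl);
  // Resolve relative and protocol-relative ('//host/path') references against
  // the page; this is why '//' embed URLs stop being mixed content on https pages.
  const res = new URL(resourceUrl, page);
  if (!isPotentiallyTrustworthy(page)) return { url: res.href, verdict: 'page-not-secure' };
  if (isPotentiallyTrustworthy(res)) return { url: res.href, verdict: 'secure' };
  return {
    url: res.href,
    verdict: OPTIONALLY_BLOCKABLE.has(destination) ? 'optionally-blockable' : 'blockable',
  };
}

// breaksPadlock is true whenever anything mixed is present, which is the rule
// the answer states; blocked lists what a current browser will not load at all.
function auditPage(pageUrl, resources) {
  const report = { breaksPadlock: false, blocked: [], warned: [], ok: [] };
  for (const { url, destination } of resources) {
    const r = classifyResource(pageUrl, url, destination);
    if (r.verdict === 'blockable') report.blocked.push(r.url);
    else if (r.verdict === 'optionally-blockable') report.warned.push(r.url);
    else report.ok.push(r.url);
  }
  report.breaksPadlock = report.blocked.length + report.warned.length > 0;
  return report;
}

// Constructed sample modelled on the question: the crossdomain.xml URL is the
// one from the console message; the other entries are hypothetical.
const SAMPLE_PAGE = 'https://my.website.com/';
const SAMPLE_RESOURCES = [
  { url: 'http://c.brightcove.com/crossdomain.xml', destination: 'other' },
  { url: '//c.brightcove.com/services/viewer/federated_f9', destination: 'script' },
  { url: 'http://img.example.com/poster.jpg', destination: 'image' },
  { url: 'http://localhost:8080/dev-hook.js', destination: 'script' },
];

console.log(JSON.stringify(auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES), null, 2));
```

Run it with Node. The protocol-relative entry resolves to https and passes, the loopback script passes, the image only downgrades the padlock, and the plain-http crossdomain.xml fetch is what a current browser blocks; that blocked entry, not the warning, is the case where the player stops working.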

Related

Block specific browser without using User-Agent

React app. I want to block a specific browser (Kiwi Mobile) from my site. But I can't use the User-Agent header, because people who use the site also use a Chrome extension which changes the User-Agent in requests. So, is there any other way to get browser info?
I tried to detect the extension, but it works like a VPN extension: it intercepts requests and then sends the changed data to my servers. I blocked the extension's IP in Cloudflare, but it worked only for a week; then they started using proxy servers, and detecting all proxy servers is nearly impossible.
I need to block use of this browser in the React app (just not load the page if it is the Kiwi browser). Or maybe block it with Cloudflare, if that's possible.

Chrome Extension to solve Mixed Content?

I would extremely appreciate some help with the following issue:
I have a payment web app hosted in IIS and configured for SSL. I need to integrate a POS terminal (or pin-pad) with a static IP that's not SSL compatible. I can talk to it running the site without SSL (HTTP to HTTP), but not HTTPS to HTTP; obviously I get a "Mixed Content ..." error, as Chrome doesn't allow that. I don't need to care about other browsers, but I can't run my site over HTTP, and as mentioned the terminal doesn't support HTTPS.
Now, before you mark it as duplicate - I've read:
sending request from https to http from chrome extension,
Chrome extension - Disable Blocking of Mixed Content
Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?.
And it looks like a Chrome extension might provide a solution. I don't have any experience with Chrome extensions, though, but I am comfortable with JavaScript. I would prefer to avoid chasing something that would result in a dead end. So, my question is: am I on the right path? If so, how do I go about implementing this? How do I go about delegating the Ajax POST call to the extension?
Any thoughts, ideas, tips, suggestions would be highly appreciated!
If you are going to use a Chrome extension, do you want everyone who visits your payment site to install the extension first? If the answer is yes, then sure, a Chrome extension can help with that. Take a look at the following guides:
Cross-Origin XMLHttpRequest: it tells you that a background page can send requests to an http site, even if the current page is https.
chrome.webRequest.onBeforeRequest: it tells you that you can redirect an http(s) request.
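An added example of the delegation the answer points to, written for this page rather than taken from the question, the answer, or any Chrome sample: the https page hands the request to the extension through a content script, and the extension's background page, which is not bound by the page's mixed-content rule, performs the http POST to the terminal. The terminal address 192.0.2.10 (a documentation-range address), the page origin payments.example.com, the message shape and the allowed paths are all assumptions. The part a practitioner should not skip is the allowlist: without it, any page that can reach the content script gets a proxy into the LAN through every browser the extension is installed in.

```javascript
// Added example; not code from the question or answer, and not an official
// Chrome sample. background.js would call installBackground(chrome, fetch) and
// content.js would call installContentScript(chrome, window); the functions
// themselves run anywhere, so the validation can be unit-tested in Node.
// Terminal address, page origin, message shape and paths are assumptions.

// manifest.json contents, shown as an object. Host permission is limited to
// the terminal and the content script to the payment site. (In Manifest V3
// the listener below lives in a service worker and the host entry moves to
// "host_permissions"; the validation logic is unchanged.)
const MANIFEST = {
  manifest_version: 2,
  name: 'POS terminal bridge',
  version: '1.0',
  permissions: ['http://192.0.2.10/*'],
  background: { scripts: ['background.js'], persistent: false },
  content_scripts: [{ matches: ['https://payments.example.com/*'], js: ['content.js'] }],
};

const TERMINAL_ORIGIN = 'http://192.0.2.10';
const ALLOWED_PATHS = new Set(['/api/sale', '/api/status']);
const ALLOWED_PAGE_ORIGINS = new Set(['https://payments.example.com']);

// Check a message from the page before anything is sent to the terminal.
// Returns the fetch target, or throws with the reason for refusal.
function validateProxyRequest(msg, senderOrigin) {
  if (!ALLOWED_PAGE_ORIGINS.has(senderOrigin)) throw new Error('untrusted sender ' + senderOrigin);
  if (!msg || msg.type !== 'pos-request' || typeof msg.path !== 'string') throw new Error('malformed message');
  // Resolving against the terminal origin normalises '..' segments and turns
  // an absolute URL into a detectable origin change.
  const target = new URL(msg.path, TERMINAL_ORIGIN);
  if (target.origin !== TERMINAL_ORIGIN || !ALLOWED_PATHS.has(target.pathname)) {
    throw new Error('path not allowed: ' + msg.path);
  }
  if (typeof msg.body !== 'string' || msg.body.length > 4096) throw new Error('bad body');
  return {
    url: target.href,
    init: { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: msg.body },
  };
}

// background.js: runs in the extension, so fetch() to http: is allowed here.
function installBackground(chromeApi, fetchImpl) {
  chromeApi.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    let req;
    try {
      req = validateProxyRequest(msg, new URL(sender.url).origin);
    } catch (e) {
      sendResponse({ ok: false, error: e.message });
      return false;
    }
    fetchImpl(req.url, req.init)
      .then((r) => r.text().then((body) => sendResponse({ ok: true, status: r.status, body })))
      .catch((e) => sendResponse({ ok: false, error: String(e) }));
    return true; // keep the message channel open for the async reply
  });
}

// content.js: relays window.postMessage from the page to the extension and
// back. Only messages from this window itself (not embedded frames) are accepted.
function installContentScript(chromeApi, win) {
  win.addEventListener('message', (ev) => {
    if (ev.source !== win || ev.origin !== win.location.origin) return;
    if (!ev.data || ev.data.type !== 'pos-request') return;
    chromeApi.runtime.sendMessage(ev.data, (resp) => {
      win.postMessage({ type: 'pos-response', id: ev.data.id, ...resp }, win.location.origin);
    });
  });
}

// Page side: what the payment app calls instead of a direct XHR to the terminal.
function requestFromPage(win, path, body) {
  return new Promise((resolve) => {
    const id = Math.random().toString(36).slice(2);
    const onReply = (ev) => {
      if (ev.source !== win || !ev.data || ev.data.type !== 'pos-response' || ev.data.id !== id) return;
      win.removeEventListener('message', onReply);
      resolve(ev.data);
    };
    win.addEventListener('message', onReply);
    win.postMessage({ type: 'pos-request', id, path, body }, win.location.origin);
  });
}
```

The page never sees the terminal's address or gets an arbitrary fetch; it can only name one of the two allowed paths, and the extension only honours messages whose sender URL is on the payment origin. Keep the host permission to the terminal alone, since a broad pattern such as `http://*/*` turns the extension into a general http proxy for whoever can talk to its content script.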

Chrome Apps like Advanced Rest Client can set the Referrer header while websites can't

Chrome Apps like Advanced Rest Client, Postman etc. can successfully set the Referrer header of an Ajax request, whereas websites are not allowed to, and the browser resets it before sending the request. Why and how are Chrome apps and extensions allowed to do that, and not websites?
An extension is a piece of software that has to be installed by the owner of the browser. It is trusted.
JavaScript running on a website only needs the owner to visit the website in order to execute in the browser. It is not trusted, so it gets many more limits placed on what it can do.

Hosting the Page in IFRAME inside chrome extension whose X-FRAME is set to DENY or SAME ORIGIN

I was trying to host a web page in the Chrome extension popup and was hitting an error: X-Frame-Options set to DENY or SAMEORIGIN. As an alternative approach I opened the page in a new Chrome browser window and injected a script into it so that I can send a message from the page to the content script and then back to my popup page once the work is done in the new window. The UI experience of this approach does not look good, and hence I wanted to go via the iframe route. My extension has all-URL permissions in manifest.xml.
Can someone suggest the right approach by which we can host a web page in an IFRAME in a Chrome extension popup and get around DENY and SAMEORIGIN? Also, will this be correct with respect to security?
I came across this unanswered blog, but it seems to me a hack. Hence I wanted to get clarity on the chromium-extension forum.
Getting around X-Frame-Options DENY in a Chrome extension?

Safari SSL certificate issue and external javascript

My site is running on SSL. On one of the pages I am calling an external JavaScript file required for integration of Birt iHub into our application. The iHub application is running separately on one of our servers, and the JavaScript also resides in the same application. Now when I try to access the JavaScript without SSL it is blocked, as my site is running on SSL. So I also put the iHub app on SSL so that my website communicates with the JavaScript over SSL. Now it works fine for Chrome, Firefox and IE, but in the case of Safari it worked for a few days, then suddenly an SSL error shows up. I deleted the SSL certificates from the cache and accessed the site again, and it worked again, but after some days the same issue occurs, and I have to delete them again to make it work.
Can anyone tell me why this is happening and what could be done to avoid it?
