Developer Corner - HTTP content on an HTTPS page

04 May 2020 | Developer Corner

Helen Grimbly

This week, Support Lead Helen Grimbly outlines why it is best not to have HTTP content on a secure HTTPS site.

The 'file/html/mixedcontent' diagnostic 

If a page is served over HTTPS and contains a '<script>' or '<iframe>' tag whose content is served over HTTP, the request will be refused by all major browsers. Sitemorse will flag this up as the Function diagnostic 'file/html/mixedcontent'. For example, an HTTPS page that contains either of the following:

<script type="text/javascript" src="http://www.example.com/sample.js"></script> 
<iframe src="http://www.example.com/"></iframe>

Other issues to consider 

If a page is served by HTTPS and contains an '<img>' tag whose content is HTTP, then the image will be shown but most browsers will warn that this content is not secure, for example:

<img src="http://www.example.com/test.jpg" alt="My picture">

If a page is served by HTTPS and contains a '<form>' tag whose data is submitted over HTTP, then most browsers will inform the user that the connection is not secure, and the submitted information could be read by a third party.

<form action="http://www.example.com/login" method="post"> 
  <label>Username: <input type="text" name="username"></label> 
  <label>Password: <input type="password" name="userpass"></label> 
  <input type="submit" value="Login"> 
</form>

Conclusion

If you intend to create a secure HTTPS page, it is vital that all the page's assets, and any destination that form data from the page is sent to, also use HTTPS connections. Otherwise, at best your site visitors are presented with alarming warning messages, and at worst the page functionality simply won't work at all.
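
The checks described in this article can be run against a page before it is published. The following is an added example, not Sitemorse's code or part of the original post: a small Python scanner that reports HTTP references on an HTTPS page, grouped by the browser behaviour described above. The category labels, the `scan` function and the sample markup are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> browser behaviour described in the article (labels are illustrative).
RULES = {
    ("script", "src"): "blocked",
    ("iframe", "src"): "blocked",
    ("img", "src"): "warning",
    ("form", "action"): "insecure-submit",
}

# Constructed sample page, assumed to be served from an https:// URL.
SAMPLE = """<html><body>
<script type="text/javascript" src="http://www.example.com/sample.js"></script>
<script src="//www.example.com/ok.js"></script>
<iframe src="http://www.example.com/"></iframe>
<img src="http://www.example.com/test.jpg" alt="My picture">
<form action="http://www.example.com/login" method="post"></form>
</body></html>"""

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, resolved URL, category)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            category = RULES.get((tag, name))
            if category is None or not value:
                continue
            # Resolve relative and "//host/x.js" URLs against the page so they inherit https.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, resolved, category))

def scan(page_url, html):
    """Return HTTP references in `html`, or [] if the page itself is not HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for line, tag, url, category in scan("https://www.example.com/", SAMPLE):
        print(f"line {line}: <{tag}> {url} [{category}]")
```

The scanner covers only the four tag and attribute pairs named in this article; other elements that load resources are not checked.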