Background

One afternoon, the business side reported a blank screen on our platform: the page would not load.

System A embeds system B in an iframe. Page B would not load properly on one user's computer.

Diagnosis: checking the user's computer showed an error in the browser console, namely a Mixed Content error:

The page at https://xxx.xxx.com was loaded over HTTPS but request an insecure resource http://xxx.xxx.com. This request has been blocked. The content must be served over HTTPS

This is a common mixed content error.

(A screenshot belonged here, but it is missing.) The root cause turned out to be that page B is integrated with SSO login, but the SSO page is accessed over HTTP. When a user opens page B without a valid login session, page B first redirects to the SSO page. Because page A is served over HTTPS while the SSO page is served over HTTP, the Mixed Content error is triggered.

This post therefore records some notes on mixed content.

Mixed Content

The initial HTML page is loaded over HTTPS, but some embedded resources (JS, CSS, iframes, images, videos, etc.) are loaded over HTTP. This is called mixed content.

Modern browsers either display a warning for such resources or block them from loading altogether.

Types of mixed content and their associated threats

Passive mixed content

Resources that do not interact with other content on the page, such as images and videos.

The threat is relatively small: what an attacker can do with such a resource is limited.

Active mixed content

Resources that interact with the rest of the page, such as executable JS scripts, CSS, iframes, and Flash content.

These are far more dangerous, because an attacker who controls such a resource can do anything with the page.

Mixed Content handles the situation where resources on the same page are loaded over different protocols. A related policy that also governs which protocol is used is HSTS.
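The classification above (active resources blocked, passive resources only warned about) can be turned into a simple static check that a team can run over its own HTML before a browser finds the problem in production. The following scanner is an added example, not code from the original post: it resolves every subresource reference against the page URL the way a browser would (including relative and protocol-relative `//host/path` URLs) and reports the ones that would actually be fetched over plain HTTP. The page URL, host names and HTML sample are constructed for illustration.

```python
"""Scan an HTML document served over HTTPS for mixed-content subresources.

Added example, not code from the original post. Standard library only; the
sample page below is constructed to mirror the incident described in the post.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element/attribute pairs that reference a subresource, and how dangerous an
# HTTP version of that resource is. Classification follows the post: scripts,
# stylesheets, iframes and plugins are "active"; images and media are "passive".
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "link": ("href", "active"),      # only rel=stylesheet counts, see below
    "iframe": ("src", "active"),
    "frame": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "video": ("src", "passive"),
    "audio": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # list of (tag, absolute_url, kind) in document order

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, kind = RESOURCE_ATTRS[tag]
        attrs = dict(attrs)
        value = attrs.get(attr_name)
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # favicons, preconnect hints etc. are not active content
        # Resolve relative and protocol-relative URLs against the page URL,
        # exactly as the browser would, then look at the resulting scheme.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute, kind))


def scan(page_url, html):
    """Return mixed-content findings for html served at page_url.

    Only an HTTPS page can have mixed content, so an HTTP page yields nothing.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Split findings into what a browser blocks and what it only warns about."""
    return {
        "blocked": [f for f in findings if f[2] == "active"],
        "warned": [f for f in findings if f[2] == "passive"],
    }


# Constructed sample: HTTPS page A embedding page B over HTTP, plus a few
# other resources that exercise the URL resolution rules.
SAMPLE_PAGE_URL = "https://a.example.com/dashboard"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="http://cdn.example.com/site.css">
  <link rel="icon" href="http://cdn.example.com/favicon.ico">
  <script src="//cdn.example.com/app.js"></script>
</head><body>
  <iframe src="http://b.example.com/report"></iframe>
  <img src="http://img.example.com/logo.png">
  <img src="/static/ok.png">
</body></html>
"""

if __name__ == "__main__":
    for verdict, items in summarize(scan(SAMPLE_PAGE_URL, SAMPLE_HTML)).items():
        for tag, url, _ in items:
            print(f"{verdict:8s} <{tag}> {url}")
```

On the sample, the stylesheet and the iframe are reported as blocked and the logo image as warned; the protocol-relative script and the relative image resolve to HTTPS and are not mixed content at all, and the HTTP favicon is ignored because `rel=icon` is not a stylesheet. The "warn only" treatment of images follows the post; recent Chrome versions go further and automatically upgrade image, audio and video requests to HTTPS, blocking them if the upgrade fails, so the passive bucket should be fixed too rather than tolerated.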

HSTS

HSTS stands for HTTP Strict Transport Security.

It forces the client to communicate with the server over HTTPS.

When the client first communicates with the server over HTTPS, the server adds a Strict-Transport-Security field to the response headers. For example:

Set the following response header for example.com:

Strict-Transport-Security: max-age=31536000; includeSubDomains

This means:

  1. For the next year (max-age is given in seconds, and 31536000 seconds is 365 days), the browser must use HTTPS for every request to the target website and its subdomains;
  2. If the server certificate expires within that period, users cannot click through the browser warning to continue accessing the server.

HSTS vs Mixed Content

HSTS and Mixed Content are unrelated settings.

Once the server has enabled HSTS, the browser forces HTTPS whenever the target server is accessed over HTTP. This behaviour starts after the first interaction in which the server sends the HSTS header, and from then on it applies to every subsequent request to that server (XHR, static resources, etc.).

Mixed Content is a security policy built into modern browsers and is independent of any server-side setting. It applies to every third-party resource loaded on the page, and the browser takes a different action depending on the threat level, either "warn only" or "block the resource" (generally, JS scripts, iframes, etc. are blocked, while images only get a warning tooltip).

Also, ==the Mixed Content blocking step happens before== the HSTS upgrade.

This means that if an HTTPS page opens an iframe whose URL uses HTTP, the Mixed Content blocking error directly prevents the iframe page from opening, and the HSTS protocol-upgrade step is never reached.
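The two sections above (how a browser records a Strict-Transport-Security header, and the order in which the mixed-content check and the HSTS upgrade are applied) can be made concrete with a small model of a browser. The following is an added example, not code from the original post or from any real browser: it parses the header into a policy with an expiry and a subdomain flag, honours it only when received over HTTPS, and then runs the two steps in the order the post describes, so that an HTTP iframe on an HTTPS page is blocked before HSTS is ever consulted. The host names, times and resource types are constructed for illustration.

```python
"""Model an HSTS policy store and the order of the mixed-content check
relative to the HSTS upgrade.

Added example, not code from the original post or from any browser. All host
names, timestamps and resource types below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class HstsPolicy:
    host: str
    expires_at: float          # absolute time (seconds) when the policy lapses
    include_subdomains: bool

    def covers(self, host, now):
        if now >= self.expires_at:
            return False
        if host == self.host:
            return True
        return self.include_subdomains and host.endswith("." + self.host)


def parse_hsts(header, host, now):
    """Parse a Strict-Transport-Security value received from host at time now.

    Returns an HstsPolicy, or None for a missing/invalid header or max-age=0
    (which is how a site tells browsers to forget an earlier policy).
    """
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age) or int(max_age) == 0:
        return None
    return HstsPolicy(host, now + int(max_age), "includesubdomains" in directives)


class Browser:
    """Just enough of a browser to show the order of the two checks."""
    ACTIVE = {"script", "stylesheet", "iframe", "xhr"}   # blocked as mixed content
    PASSIVE = {"image", "video", "audio"}                 # warned about, still loaded

    def __init__(self):
        self.hsts = {}   # host -> HstsPolicy

    def receive_response(self, host, scheme, headers, now):
        # A browser only honours the header on responses received over HTTPS.
        if scheme != "https":
            return
        policy = parse_hsts(headers.get("Strict-Transport-Security"), host, now)
        if policy:
            self.hsts[host] = policy
        else:
            self.hsts.pop(host, None)

    def hsts_upgrade(self, host, now):
        return any(p.covers(host, now) for p in self.hsts.values())

    def fetch(self, page_scheme, resource_type, scheme, host, now):
        """Outcome of loading a resource of resource_type from scheme://host."""
        # Step 1: mixed-content check on the URL exactly as written in the page.
        warning = ""
        if page_scheme == "https" and scheme == "http":
            if resource_type in self.ACTIVE:
                return "blocked: mixed content"
            warning = "warned: mixed content; "
        # Step 2: only a request that survived step 1 reaches the network layer,
        # where HSTS rewrites http:// to https://.
        if scheme == "http" and self.hsts_upgrade(host, now):
            scheme = "https"
        return f"{warning}fetched {scheme}://{host}"


def demo():
    b = Browser()
    now = 1_000_000
    # First HTTPS visit to b.example.com stores the policy from the post.
    b.receive_response("b.example.com", "https",
                       {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, now)
    return {
        # A navigation typed as http:// is upgraded, even on a subdomain.
        "nav": b.fetch("http", "navigation", "http", "sso.b.example.com", now + 60),
        # The incident: HTTPS page A embeds page B over http://, blocked before HSTS.
        "iframe": b.fetch("https", "iframe", "http", "b.example.com", now + 60),
        # An image from the same host is only warned about, then upgraded by HSTS.
        "img": b.fetch("https", "image", "http", "b.example.com", now + 60),
        # Once max-age has elapsed, nothing is upgraded any more.
        "expired": b.fetch("http", "navigation", "http", "b.example.com", now + 31536001),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8s} {outcome}")
```

The `iframe` case is the incident from the start of the post: the policy for b.example.com is present and valid, yet the frame is blocked, because the blocking decision is taken on the http:// URL before the request reaches the layer that applies HSTS. The fix is therefore to reference page B (and its SSO redirect target) with https:// in the markup; enabling HSTS on B alone does not help the embedding page.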

References

HSTS&Mixed Content