admin管理员组文章数量:1326072
We are all familiar with the problem of mixed scheme (http / https) content on a page.
I'm working on a site on which this is unavoidable. I do not want to prevent this. I know there are a ton of questions / answers on that.
What I need is simply to detect this (via JavaScript?) so I can tweak the page behavior (show a notice of degraded behavior or something). Any help?
We are all familiar with the problem of mixed scheme (http / https) content on a page.
I'm working on a site on which this is unavoidable. I do not want to prevent this. I know there are a ton of questions / answers on that.
What I need is simply to detect this (via JavaScript?) so I can tweak the page behavior (show a notice of degraded behavior or something). Any help?
Share Improve this question asked Aug 30, 2012 at 19:01 Michael KennedyMichael Kennedy 3,3802 gold badges27 silver badges36 bronze badges 7- 1 I don't think I understand? You are serving up a page with mixed content but don't know it? How would you not know if the page contains unsecure content? Are you not the site serving the page up? – Brad Cunningham Commented Aug 30, 2012 at 19:28
-
1
Hey Brad! I'm serving up a page which has an iframe with variable content in it. So
<iframe src="SOME_RANDOM_WEBSITE" />
. I don't control the value ofSOME_RANDOM_WEBSITE
which can be http. That's fine, but I want to make sure the user knows they are missing what's in the iframe until the press 'show all content'. Make sense? – Michael Kennedy Commented Aug 30, 2012 at 19:35 - So you are saying you want to append some information to the native security alert saying, "This is what you are missing" ? not append literally but someway through js alert etc. – Prasanth Commented Aug 30, 2012 at 19:45
- Hi goldenparrot. No, not exactly. Just another element in the page saying "please allow unsecured content to fully use this page". – Michael Kennedy Commented Aug 30, 2012 at 19:48
- Keep in mind that the "show all content" option may not exist in some current or future browsers. For instance, some mobile browsers may not have such an option, and Chrome is moving in the direction of removing it. – user149341 Commented Aug 30, 2012 at 20:24
2 Answers
Reset to default 5Using jQuery you can find out if any insecure items are present on a page using the following piece of code:
var flag = false;
if($("script[src^='http:']").length > 0
|| $("link[type='text/css'][href^='http:']").length > 0
|| $("img[src^='http:']").length > 0
|| $("iframe[src^=http:]").length > 0)
flag = true; // insecure content :(
else
// yay!
Images, JS, CSS are all the insecure content that I could think of. Perhaps there are more, but you could easily add'em up as you find.
It's hacky, but I managed to fix this in all browsers with just JavaScript. Let me see if I can sketch it out.
We have this basic encrypted page:
<html>
<body>
<div> stuff </div>
<iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
</body>
</html>
When URL_WHICH_IS_MAYBE_INSECURE
is https, all is good. But when URL_WHICH_IS_MAYBE_INSECURE
is http, IE will not load the content unless the user OK's insecure/mixed content. I want to tell the user the page is kinda busted until they click allow. For reasons I can't go into, I know all the sites are trustworthy. Just some of them do not support SSL and the parent site needs to.
AFAIK, I cannot detect this dialog / semi-loaded state with JS. But what I can do is run JS over an insecure connection IF they allow it (which also makes the iframe go). So only when URL_WHICH_IS_MAYBE_INSECURE
is http & the site is https (mixed) I add two bits of code + HTML.
<html>
<body>
<div> stuff </div>
@if(needSpecialHandlingForMixedMode) {
<div id="secureWarn">
WARNING: This page has limited functionality, allow mixed content
</div>
}
<iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
</body>
@if (needSpecialHandlingForMixedMode)
{
string baseUrl = Request.Url.SchemeAndHostAndPort().Replace("https", "http");
<script src="@baseUrl/scripts/security-warning.js"></script>
}
</html>
and the script is
$(document).ready(function(e) {
$("#secureWarn").remove();
});
So it works like this.
- If mixed-mode both the iframe and script will only load if the user allows it. This is not allowed by default in IE and is allowed by default in Chrome & FireFox.
- If they do nothing (don't allow in IE, for example), it will keep the warning div visible.
- If they do click it, the iframe loads, and now the script also runs (because it was insecure back to my server), this removes the warning from the page.
- Happiness mences...
Hope this helps someone.
Cheers, Michael
本文标签: javascriptCan quotShow Insecure Contentquot Browser Prompt Be DetectedStack Overflow
版权声明:本文标题:javascript - Can "Show Insecure Content" Browser Prompt Be Detected? - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1742195932a2431079.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论