javascript - Can "Show Insecure Content" Browser Prompt Be Detected? - Stack Overflow

admin管理员组

文章数量:1325332

We are all familiar with the problem of mixed scheme (http / https) content on a page.

I'm working on a site on which this is unavoidable. I do not want to prevent this. I know there are a ton of questions / answers on that.

What I need is simply to detect this (via JavaScript?) so I can tweak the page behavior (show a notice of degraded behavior or something). Any help?

We are all familiar with the problem of mixed scheme (http / https) content on a page.

I'm working on a site on which this is unavoidable. I do not want to prevent this. I know there are a ton of questions / answers on that.

What I need is simply to detect this (via JavaScript?) so I can tweak the page behavior (show a notice of degraded behavior or something). Any help?

• javascript
• security
• ssl
• web

Share Improve this question Follow asked Aug 30, 2012 at 19:01 Michael KennedyMichael Kennedy 3,38022 gold badges2727 silver badges3636 bronze badges 7

• 1 I don't think I understand? You are serving up a page with mixed content but don't know it? How would you not know if the page contains unsecure content? Are you not the site serving the page up? – Brad Cunningham Commented Aug 30, 2012 at 19:28
• 1 Hey Brad! I'm serving up a page which has an iframe with variable content in it. So <iframe src="SOME_RANDOM_WEBSITE" />. I don't control the value of SOME_RANDOM_WEBSITE which can be http. That's fine, but I want to make sure the user knows they are missing what's in the iframe until the press 'show all content'. Make sense? – Michael Kennedy Commented Aug 30, 2012 at 19:35
• So you are saying you want to append some information to the native security alert saying, "This is what you are missing" ? not append literally but someway through js alert etc. – Prasanth Commented Aug 30, 2012 at 19:45
• Hi goldenparrot. No, not exactly. Just another element in the page saying "please allow unsecured content to fully use this page". – Michael Kennedy Commented Aug 30, 2012 at 19:48
• Keep in mind that the "show all content" option may not exist in some current or future browsers. For instance, some mobile browsers may not have such an option, and Chrome is moving in the direction of removing it. – user149341 Commented Aug 30, 2012 at 20:24

 |  Show 2 more ments

2 Answers 2

Sorted by: Reset to default 5

Using jQuery you can find out if any insecure items are present on a page using the following piece of code:

var flag = false;
if($("script[src^='http:']").length > 0
    || $("link[type='text/css'][href^='http:']").length > 0
    || $("img[src^='http:']").length > 0
    || $("iframe[src^=http:]").length > 0)
    flag = true; // insecure content :(
else
    // yay!

Images, JS, CSS are all the insecure content that I could think of. Perhaps there are more, but you could easily add'em up as you find.

It's hacky, but I managed to fix this in all browsers with just JavaScript. Let me see if I can sketch it out.

We have this basic encrypted page:

<html> 
   <body>
        <div> stuff </div>
        <iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
   </body>
</html>

When URL_WHICH_IS_MAYBE_INSECURE is https, all is good. But when URL_WHICH_IS_MAYBE_INSECURE is http, IE will not load the content unless the user OK's insecure/mixed content. I want to tell the user the page is kinda busted until they click allow. For reasons I can't go into, I know all the sites are trustworthy. Just some of them do not support SSL and the parent site needs to.

AFAIK, I cannot detect this dialog / semi-loaded state with JS. But what I can do is run JS over an insecure connection IF they allow it (which also makes the iframe go). So only when URL_WHICH_IS_MAYBE_INSECURE is http & the site is https (mixed) I add two bits of code + HTML.

<html> 
   <body>
        <div> stuff </div>
        @if(needSpecialHandlingForMixedMode) {
            <div id="secureWarn">
                 WARNING: This page has limited functionality, allow mixed content
             </div>
        }
        <iframe src="URL_WHICH_IS_MAYBE_INSECURE"></iframe>
   </body>

   @if (needSpecialHandlingForMixedMode)
   {
      string baseUrl = Request.Url.SchemeAndHostAndPort().Replace("https", "http");
      <script src="@baseUrl/scripts/security-warning.js"></script>
   }
</html>

and the script is

$(document).ready(function(e) {
    $("#secureWarn").remove();
});

So it works like this.

1. If mixed-mode both the iframe and script will only load if the user allows it. This is not allowed by default in IE and is allowed by default in Chrome & FireFox.
2. If they do nothing (don't allow in IE, for example), it will keep the warning div visible.
3. If they do click it, the iframe loads, and now the script also runs (because it was insecure back to my server), this removes the warning from the page.
4. Happiness mences...

Hope this helps someone.

Cheers, Michael

本文标签： javascriptCan quotShow Insecure Contentquot Browser Prompt Be DetectedStack Overflow