Use of "reversed" mixed content (serving active and passive HTTPS content to HTTPS website)

86 views Asked by At

I have found a lot of information about serving http content into https websites and what to think of when doing / not doing that.

My problem is slightly different: I want to serve https content from one domain (active and passive) into another http only domain websites, but I can't find any information about browser support for that.

Example:

http://www.mydomain.com

loads scripts and images from

https://www.myotherdomain.com

I have tried this out in Chrome / Firefox and seem to not get any warnings, but wonder what the general browser support out there is. Can I expect this to work anywhere?

1

There are 1 answers

0
Stew Abel On

The reason for mixed content warnings are that when a user is browsing a page over https and it has content embedded which is accessed over http, the user would believe they are on a secure connection but not be aware of the insecure content otherwise. This could be used to trick a user into believing they are secure when actually they are not.

In your case the user would of course only see http, and not see anything to make them believe the connection is secure, this therefore would not be a security concern meaning that browsers will allow this.

The bigger question is why you may want to do this, remember you will not benefit from caching between your server and the client which would increase load on your https server. I'd be tempted to serve a copy of your files over http and only use the ones served over https for pages served over https.