• towerful@programming.dev
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    Even if a website has HTTPS, it’s not entirely uncommon for some resources to be loaded over regular HTTP

    I think all browsers will refuse to load a resource over HTTP if the website is served over HTTPS.

    • Chobbes@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      1 year ago

      This is not true. Browsers will happily use http even if https is available, and without other mitigations like HSTS or DANE there is no way for your browser to even know that a site supports https. Many websites will forcibly redirect you to https, but this is the server telling you “hey connect with https instead”. A man-in-the-middle can simply not tell you to use https. Browsers have started marking http sites as insecure and will warn you about sending passwords, however.

      • towerful@programming.dev
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        I think I phrased it wrong, or there is a confusion with terms.
        If a page is loaded with HTTPS, then images/CSS/JS/iFrames (resources) will not load over HTTP. The resources also have to be served via HTTPS.
        If a page is loaded over HTTP, then resources (images/CSS/JS/iFrames) can be loaded over HTTPS.

        My objection was to the “even if a server has HTTPS, some resources will still load over HTTP”

        • Chobbes@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          As far as I know, this is not strictly true either. I believe most browsers currently block mixed active content like JavaScript or iframes, but will happily load images and such over HTTP (although I would not be surprised if this is changing).