Web Browser Mixed Content

What is Mixed Content?

Mixed content is non-secure web content (HTTP content) included on a secure web page (HTTPS content).  This includes links, scripts, embedded items, and other web content.  Several web browser companies have recently released new versions of their web browsers that block mixed content.

Why block Mixed Content?

When you visit a page served over HTTPS, your connection is authenticated and encrypted and hence safeguarded from eavesdroppers and man-in-the middle attacks.  However, if the HTTPS page you visit includes HTTP content, the content from the embedded HTTP source is not encrypted and it is not secure.  This can be particularly dangerous if the embedded content contains a form asking you for information, as it may look like you are entering your information into a secure form, when in fact it would be sent in plain text back to the server hosting that embedded page. 

In the past, web browsers displayed warning messages about mixed content to remind users of the security risks.  However, these messages were often ignored by users, so web browser companies have begun establishing more restrictive rules that block insecure embedded pages on secure (HTTPS) pages.

Why does the Web Content tool in T-Square no longer work?

Due to the way the Web Content tool was originally designed, all external pages are opened inside of a page that originates from T-Square as an HTTPS page, even when you select the option to have the remote page open in a new window.  Thus, when you setup a Web Content tool to point to a website that is not accessed via a secure connection (i.e. is not HTTPS), many recent browsers will flag this as insecure mixed content and block the remote page from loading. 

Please note that no web browser will block an embedded remote page that is opened on a secure (HTTPS) connection.  Also on note is that a new Web Content tool is being developed by the software community that supports the Sakai software that T-Square is based on, but we do not have a timeline yet on when that new tool will be ready for production use.

Which web browsers block the Web Content tool in T-Square?

Currently, Chrome (~v24+), Firefox (v23+), and Internet Explorer (v10+) but others may follow suit in the upcoming months.

If I use one of these browsers, is there a way to display a web page linked via the Web Content tool at all?

Yes, each browser offers a per-page option to allow mixed content.  Unfortunately, neither browser lets you save this selection, so you will have to re-allow the external page every time you use that Web Content tool link.

  • Chrome

    When a web page is blocked, a grey shield icon appears at the right end of the address bar.  To get the page to load, click on the shield icon, and then click on the button Load unsafe script.

    Example of shield icon in Chrome

  • Firefox

    When a web page is blocked, a grey shield icon appears at the left end of the address bar.  To get the page to load, click on the shield icon, then click on the drop-down arrow next to Keep Blocking, and select the option Disable Protection on This Page.

    Example of shield icon in Firefox

  • Internet Explorer 10

    When a web page is blocked, Internet Explorer will display a banner bar across the bottom of the page and ask you if you want to display the blocked content.  Simply select Show All Content to get the page to display.

Where can I find more information about Mixed Content?

The Mozilla Blog has a nice post with even more detail about types of mixed content, why it is dangerous, and how mixed content blocking in Firefox works.