Secure Pages Include Mixed Content Issue
Discovered by hamad_iheb on Eobotcom

Time to triage: no information. Time to resolve once triaged: 14 days and 3 hours.



Description

The page includes mixed content, that is content accessed via HTTP instead of HTTPS.

Steps

1) Enter these two URLs

2) Open the source code viewer. You will note a Mixed Content error.

Fix

  • A page that is available over SSL/TLS must consist entirely of content that is transmitted over SSL/TLS. The page must not contain any content that is transmitted over unencrypted HTTP. This includes content from third-party sites.
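A way to check a page against that requirement, as an added example (written for this page, not code from the vendor or the reporter): parse the HTML of an HTTPS page and list every sub-resource referenced over plain HTTP, separating active content (scripts, stylesheets, frames), which browsers block, from passive content (images, media), which they load with a warning. The sample markup and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers block "active" mixed content (scripts, stylesheets, frames, plugins)
# by default and only warn on "passive" content (images, audio, video).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def _check(self, tag, attr_name, attrs, severity):
        value = dict(attrs).get(attr_name)
        if not value:
            return
        # urljoin resolves relative and scheme-relative ("//host/...") URLs
        # against the HTTPS page, so only explicit http:// references remain.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            self.findings.append((severity, tag, resolved))

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE:
            self._check(tag, ACTIVE[tag], attrs, "active")
        elif tag in PASSIVE:
            self._check(tag, PASSIVE[tag], attrs, "passive")
        elif tag == "link" and "stylesheet" in (dict(attrs).get("rel") or "").lower():
            self._check(tag, "href", attrs, "active")

def find_mixed_content(page_url, html):
    """Return [(severity, tag, url)] for every http:// sub-resource of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages served over https")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page with hypothetical hosts, not markup from the vendor's site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script><script src="/local.js"></script>
</head><body><img src="http://img.example/logo.png"><img src="https://img.example/ok.png">
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print(f"{severity:7} <{tag}> {url}")
```

Scheme-relative (`//host/...`) and path-relative references inherit the page's HTTPS scheme and are therefore not reported; only explicit `http://` references are.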

Reference Report

https://hackerone.com/reports/146707
https://hackerone.com/reports/207329

Impact

  • An attacker must be suitably positioned to eavesdrop on the victim's network traffic. This scenario typically occurs when a client communicates with the server over an insecure connection such as public Wi-Fi, or a corporate or home network that is shared with a compromised computer. Common defenses such as switched networks are not sufficient to prevent this. An attacker situated in the user's ISP or the application's hosting infrastructure could also perform this attack. Note that an advanced adversary could potentially target any connection made over the Internet's core infrastructure.