Can HTTP requests be allowed from HTTPS website?
I installed a (no wildcard) SSL certificate so that my site can use HTTPS. When I try to request resources from HTTP urls, I get an error like:
Mixed Content: The page with ' https://example.com/ ' was loaded by HTTPS, but requested an insecure style sheet ' http://resources.example.com/style.css '. This request has been blocked; the content must be transferred over HTTPS.
I understand that this is probably bad practice, according to all the opinions people might have when it comes to mixing http and https, but I only ask for static resources, which I do not consider critical compared to http.
Tried google "allow http requests from https with iis" and the like, but can't find a clear answer. Is there a way to get around this, is it resolvable in the same way as CORS?
Sorry if the question is not very clever and if the answer is obvious, but I am missing some knowledge on when it comes to networking stuff.
source to share
stylesheet ... static resources that I don't consider critical compared to http.
CSS can include script and script can modify the page, therefore considered critical.
... "allow HTTP requests from https with iis" ...
The decision to opt out of mixed content is made in the browser. There is no setting that will allow the browser to include mixed content. The behavior on mixed content differs between browsers and versions, look here for more information from a year ago.
... is it resolvable in the same way as CORS?
The CORS security model takes care of the same origin policy, and the server can decide that another party can fulfill the CORS request. But in this case, the question arises whether the content can be altered in transit by anyone (ie, a man-in-the-middle attack).
source to share