ASP.NET MVC: Returning an unsecured response to a submitted https form on an unsecured page

I have a secure form (action attribute = "https://...") on an unsecured (http) page. The goal is to transfer data securely, avoiding warnings about mixed content ("some elements are unprotected") due to the unsecured "Google Maps" element on my page.

When the form is submitted and succeeds, everything is fine. However, if the form fails, my user is taken to the same page, but now it's all secure (and generates mixed content warnings).

How can I accept secure input from a form and still submit back the same unsecured page if the form fails?



1 answer


Having the form rendered on an HTTP page even though the form specifies an HTTPS URL defeats the purpose of SSL. If your form points to HTTPS, it should only be served over HTTPS. Likewise, if served over HTTP, it should only point to HTTP. See this blog for details.

In addition, these "mixed content warning" errors try to prevent additional abuse of SSL by accessing resources outside your control and over an unencrypted channel. Once SSL is breached in this way, an attacker can inject his own JavaScript into the response, and the fact that your page was SSL encrypted is useless.



In short, make sure using SSL is a solid requirement for your application and remove it if it isn't. Your application configuration today is the security equivalent of serving everything over HTTP. If this is not acceptable, partition your site so that the part of your site that links to Google Maps is not the same part of your site that handles secure transactions.

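The partitioning the answer recommends, sketched as an added example (not code from the question or the answer), assuming classic ASP.NET MVC (`System.Web.Mvc`). The controller, action and model names are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical model for the sensitive form.
public class PaymentForm
{
    [Required]
    public string CardNumber { get; set; }
}

// Secure partition: the page that renders the form and the action that
// receives it are both HTTPS-only. RequireHttps redirects an HTTP GET to
// HTTPS and rejects other verbs sent over HTTP. The Pay view must not
// reference any http:// resource (no map widget) and must emit
// @Html.AntiForgeryToken() inside the form.
[RequireHttps]
public class CheckoutController : Controller
{
    [HttpGet]
    public ActionResult Pay()
    {
        return View(new PaymentForm());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Pay(PaymentForm form)
    {
        if (!ModelState.IsValid)
        {
            // Failed submission: the same view is re-rendered, still over
            // HTTPS, and with no insecure sub-resources there is no warning.
            return View(form);
        }
        return RedirectToAction("Done");
    }

    public ActionResult Done()
    {
        return View();
    }
}

// Non-sensitive partition: hosts the map and contains no form that
// posts to CheckoutController.
public class StoreLocatorController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```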






