How can I avoid the “This page contains both secur

Published 2019-04-06 17:20

Question:

We are thinking of SSL-enabling part of our website, but some pages contain ads from third-party vendors (like Google AdSense).

I'd think this will create an annoying problem for our users, since they are going to see a warning message like "This page contains both secure and non secure items" when they view a page with ads. However, when I browse to Gmail with https instead of http, I don't see that warning in Firefox.

Does anyone know how Gmail hides this?

Answer 1:

some pages contain ads from third-party vendors (like Google AdSense)

Then the browser is right — that isn't secure.

With AdSense and most other ad networks you are given a link to JavaScript. When you refer to any external <script>, you are giving complete trust over the contents of your page to the external script provider. You need to trust them to do only what they say they're going to do (show an ad), and not something nefarious like take over the login form from the page it's on and steal values you type into it, or, if the “ad” script were included on your bank account page, automatically empty out all your money.

So external scripts are a trust problem, but if you are using a vendor that provides an HTTPS interface to their ads, then at least it's only one known party you have to trust. If the ad provider only has an HTTP interface, then you're sending out your trust to anyone who can grab control with a man-in-the-middle or similar attack. You are effectively reducing the trust level of your entire page to that of plain unencrypted HTTP, so the browser is quite correct to complain that the page isn't actually any more secure than any old HTTP site.



Answer 2:

Google's documentation indicates this is a known issue and does not offer a workaround: https://www.google.com/adsense/support/bin/answer.py?answer=10528



Answer 3:

If you are trying to include non-secure content and have control over what is displayed, you could write a handler that takes a URL as a parameter.

As the handler is hosted over SSL, it can fetch the HTML and stream it back out to the browser through SSL. In effect it's acting as a small proxy for you.

I've done this for a number of projects in the past to get to files from within a network without exposing the actual network itself.

Using the information here: http://www.csharp-station.com/HowTo/HttpWebFetch.aspx you could easily adapt it to take a parameter (the actual URL you want to fetch)...

So in your rendered page you would call https://my.domain.com/pages/HttpWebFetch.aspx?url=http://ads.google.com/ and HttpWebFetch.aspx would then retrieve and relay the page content over https, thereby removing the secure/insecure warnings.



Answer 4:

Since this is the answer for Analytics, you can use this to not show ads on your secure pages:

if ("http:" == document.location.protocol) { /* show your ads here */ }

I got this idea from how I do analytics on my sites:

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

I admit this means you can't show ads on your secure pages, but you probably don't want Google reading your secure pages contents and showing ads anyways. (That is a cop out and making excuses for Google, but as mentioned, they just don't support it)

To answer your Gmail question... (using Firebug here, so I could be interpreting this wrong)

  1. I log in to Gmail with the always-secure connection. No ads.
  2. I turn on the console to see what connections Gmail makes.
  3. I clear the console.
  4. I click a message that has ads shown to the right.

Gmail only made two calls. First a GET to https://mail.google.com that I am guessing is my email. The second was a POST to https://mail.google.com/mail/channel/

I am guessing (everybody else correct me) Gmail requests a post from a proxy that serves the ads.

Gmail sends content to the proxy, the proxy gets the ads, the proxy sends content back to Gmail. All securely.

TOTAL GUESS THERE

Thanks for the downvote, but no explanation about what wasn't helpful.



Answer 5:

"Does anyone know how Gmail hide this?"

Short answer: they use https to fetch the ads. Looking through the Net tab in Firebug for Gmail's page load, I see the ads that are on the page in a request with the URL https://mail.google.com/mail/?ui=2&ik=bbff8a9f5c&view=ad&ak=is00jux7yq7kgk730lqdkxklz03d9d8 so it looks like they do have a way to serve ads over https, but only for their own sites.



Answer 6:

After changing all my http:// to https:// (or relative) I was still having this problem; in the end I realized it was due to caching. I refreshed my browser cache and it was fine. Also, it seems like your links (a href=whatever) can be http. This might be obvious to most, but I wasn't sure at first :)
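As an added example (not code from any of the answers above), here is the rule behind Answer 4 (check the page's protocol before injecting an ad script, and swap to the vendor's https host where one exists) and Answer 6 (relative URLs inherit the page's scheme and plain links never cause the warning), written as a resource classifier a page template can run before emitting tags. The host map and the sample resource list are constructed for the demo; the ad host is a placeholder.

```javascript
// Kinds the page itself fetches and runs or renders. A plain <a href> is only a
// navigation target, so it is never mixed content (Answer 6's observation).
const ACTIVE_KINDS = new Set(["script", "iframe", "stylesheet", "xhr"]);
const PASSIVE_KINDS = new Set(["img", "audio", "video"]);

// Hosts that have an https twin, as in Answer 4's www. -> ssl. swap for ga.js.
// Assumed for the demo; extend with whatever your vendors actually document.
const HTTPS_HOST_MAP = { "www.google-analytics.com": "ssl.google-analytics.com" };

// Returns { action, url, reason } for one resource the page wants to include.
//   load    - safe to emit as-is (fully resolved URL returned)
//   upgrade - rewritten to the vendor's https host
//   skip    - would make an https page mixed content; leave it out, as Answer 4 does
function classifyResource(pageUrl, kind, resourceUrl) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // relative and "//host/" URLs inherit the page scheme
  if (page.protocol !== "https:" || kind === "link") {
    return { action: "load", url: res.href, reason: "not a sub-resource of an https page" };
  }
  if (res.protocol !== "http:") {
    return { action: "load", url: res.href, reason: "already https or a non-network scheme" };
  }
  if (HTTPS_HOST_MAP[res.hostname]) {
    res.protocol = "https:";
    res.hostname = HTTPS_HOST_MAP[res.hostname];
    return { action: "upgrade", url: res.href, reason: "vendor has an https host" };
  }
  const severity = ACTIVE_KINDS.has(kind) ? "active (blocked by modern browsers)"
                 : PASSIVE_KINDS.has(kind) ? "passive (warning only)" : "unknown kind";
  return { action: "skip", url: res.href, reason: `http ${kind}: ${severity} mixed content` };
}

// Runs the check over every resource a template wants to include and returns
// only those that may be emitted, each with its final URL.
function filterResources(pageUrl, resources) {
  return resources
    .map(r => ({ kind: r.kind, ...classifyResource(pageUrl, r.kind, r.url) }))
    .filter(r => r.action !== "skip");
}

// Constructed sample: the kind of includes the question's page might carry.
const SAMPLE_RESOURCES = [
  { kind: "script", url: "http://ads.example.net/show_ads.js" },      // placeholder ad host
  { kind: "script", url: "http://www.google-analytics.com/ga.js" },
  { kind: "img",    url: "//cdn.example.com/logo.png" },
  { kind: "link",   url: "http://partner.example.com/" },
];

console.log(filterResources("https://shop.example.com/checkout", SAMPLE_RESOURCES));
```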