What's the most efficient way to find a list of all non-HTTPS URLs requested by an HTTPS page? If this kind of security violation happens, every browser alerts the user, but I can't find an easy way to find what exact URLs cause the violation.
The easiest way I've found so far is to use Firefox, but even then it's still not very convenient. First, I can right-click, select View Page Info, click the Media tab, and scroll through a list of URLs. However, this seems to only list image files, not CSS or JS includes that can also cause the error. For those, I have to use the Firebug extension, select the Net tab, and manually hover my mouse over each item to see the entire URL. Unfortunately, this can take a while if you have dozens of media files. Is there a better way?
Note, in recent versions of Chrome, these errors will be displayed in the JavaScript Console.
If you own the website, you should look into the Content-Security-Policy header options. These can include forcing HTTPS on resources, or automatically attempting to redirect HTTP resources to HTTPS, among other things.
Notably, there is also a report-uri directive for the closely-related Content-Security-Policy-Report-Only header that reports any infractions of your CSP to a URI of your choosing. This means that any browser with support[1] for report-uri will send you reports of pages on your site with problematic HTTPS on an ongoing basis. Mozilla Developer Network has a PHP example of handling the reports.
[1] Note that if you can reasonably expect any browser with full CSP(RO) support to hit the pages in question, it doesn't matter that some browsers do not have support for it.
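A report receiver for the report-uri approach in the answer above, as an added example that is not part of the original answer and is not the MDN PHP code. The policy string, the /csp-report path, the port and the sample report are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header to send with every HTTPS page (policy and /csp-report path are assumptions).
# Report-Only: nothing is blocked, the browser only POSTs violation reports.
POLICY = ("Content-Security-Policy-Report-Only",
          "default-src https:; report-uri /csp-report")

# Constructed sample of the JSON body a browser POSTs for one violation.
SAMPLE_REPORT = b"""{"csp-report": {
  "document-uri": "https://example.com/blog/old-post",
  "blocked-uri": "http://cdn.example.net/widget.js",
  "violated-directive": "default-src https:"}}"""

insecure = defaultdict(set)  # page URL -> {(directive, plain-HTTP resource)}

def record_report(body: bytes) -> bool:
    """Store one report if it names a plain-HTTP resource; return True if stored."""
    try:
        report = json.loads(body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return False  # reports are untrusted input: drop anything malformed
    if not isinstance(report, dict):
        return False
    blocked = str(report.get("blocked-uri", ""))
    # The same policy also reports "inline", "eval", "data" and similar; only
    # http: loads matter here. Browsers may trim blocked-uri to just the origin.
    if not blocked.lower().startswith("http:"):
        return False
    page = str(report.get("document-uri", "unknown"))
    insecure[page].add((str(report.get("violated-directive", "")), blocked))
    return True

class ReportHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = min(int(self.headers.get("Content-Length", "0")), 65536)
        except ValueError:
            length = 0
        record_report(self.rfile.read(max(length, 0)))
        self.send_response(204)  # browsers ignore the response body
        self.end_headers()

if __name__ == "__main__":
    record_report(SAMPLE_REPORT)
    for page, hits in insecure.items():
        print(page, sorted(hits))
    # To receive real reports instead:
    # HTTPServer(("127.0.0.1", 8000), ReportHandler).serve_forever()
```
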
If you want a one-shot, reasonably-comprehensive, recursive scan of an entire website, you can use Bramus's mixed-content-scan from the CLI. It won't check links in supplemental JS/CSS, but it's great for finding that one post that the intern from 3 years ago put up with a dangerous non-SSL script.
For an ongoing solution, see my other answer.
I recently had the same issue; using the Chrome Developer Tools it was easier to find. In the Developer Tools, go to the Security tab, where you can find all non-HTTPS requests.
You can check https://www.missingpadlock.com/
It is an online tool that crawls your site to find insecure pages.