Browser security when calling HTTP assets via a SWF on a HTTPS site

Posted by Mark Ursino on Stack Overflow See other posts from Stack Overflow or by Mark Ursino
Published on 2010-04-07T23:10:41Z Indexed on 2010/04/07 23:13 UTC
Read the original article Hit count: 385

Filed under:
|
|
|
|

We have a site that runs on HTTPS and needs to pull in various JS assets to run a video player on the page. We get a browser security warning on this page because the JS files we are externally calling are being accessed via HTTP, not HTTPS. E.g.

// HTTP reference on a HTTPS site
<script src="http://the-cdn.tld/player.js"></script>

Simply accessing this one JS assets via HTTP and not HTTPS will cause the browser security warning which we need to get rid of. The provider of the JS file does not support an HTTPS equivalent (like Google Analytics does). We would ideally love to just do the following, but the provider does not have this:

// HTTPS reference on a HTTPS site
<script src="https://the-cdn.tld/player.js"></script>

One option we had was to just download a copy of the JS file and serve it on the HTTPS site, however we have concerns with this as it is not recommended by the provider and will not include updates from them. Assuming we cannot do that, we were thinking a possible other option would be to use a SWF file as a proxy.

We were thinking that we could have one of our flash guys create a SWF that loads in the HTTP-served JS file to the page. We were wondering that if this SWF makes the request, would that prevent the browser from showing the security warning or not? I assumed that we would still see the warning since the SWF is still making the request through the browser, but I wanted to see what the hive mind thinks.

© Stack Overflow or respective owner

Related posts about https

Related posts about swf