TLS mixed security content status

Here’s a list of screenshots of all the relevant browsers displaying a site encrypted with a normal valid (DV) certificate:

IE6, IE7, IE8, IE9, IE10, IE11, Win7 Firefox, Win7 Chrome, OS X Chrome, OS X Safari, OS X Firefox, iOS6 Safari, iOS7 Safari, Android 4 WebKit, Android 4 Chrome

All of them have a padlock icon of some sort, which tech-savvy users associate with a secure connection.

But things change when a browser detects that some content on the secure https page is served over http. The situation in which a page is loaded via a secured HTTPS connection but tries to load some resources over an insecure connection has a special name: “mixed security content”.

There’s an in-progress spec explaining what should be considered mixed security content and also a W3C recommendation on how agents should behave when they see mixed security content appearing on the page.

With regard to the certificate type, the mixed security content case is handled differently for EV and DV (commonly used) certificates:

To illustrate the behaviours of all the modern browsers, I prepared a table of test cases and resulting screenshots (older IE6-7-8 behaviour is described below the table):

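| # | resource | IE9 | IE10 | IE11 | Firefox 30 | Chrome 35 | Safari 7 |
|---|----------|-----|------|------|------------|-----------|----------|
| 1 | Iframe | No | No | No | No | No | Yes |
| 2 | Script | No | No | No | No | No | Yes |
| 3 | Stylesheet | No | No | No | No | No | Yes |
| 4 | Font | No | No | No | No | Yes | Yes |
| 5 | js XHR | No | No | No | No | Yes | Yes |
| 6 | Flash | No | No | No | Yes | Yes | Yes |
| 7 | https flash + http xhr | Yes | Yes | Yes | Yes | Yes | Yes |
| 8 | Video | Yes | Yes | Yes | Yes | Yes | Yes |
| 9 | Audio | Yes | Yes | Yes | Yes | Yes | Yes |
| 10 | Image | Yes | Yes | Yes | Yes | Yes | Yes |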

General notes:

Test-specific notes:

The tests were done with Google Chrome 35, Apple Safari 7.0.5, and Mozilla Firefox 30.
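
To find mixed security content in your own pages before a browser does, the Python code below (an added example, not part of the original post or its test cases) scans markup for subresources that an https page would request over plain http and labels each with the resource type used in the table. It only sees resources referenced from HTML attributes; fonts and XHR requests originate in CSS and JavaScript and are outside its reach. The sample HTML, the `example.test` hosts and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (URL attribute, resource type named after the rows of the table)
RESOURCE_TAGS = {"iframe": ("src", "Iframe"), "script": ("src", "Script"),
                 "video": ("src", "Video"), "audio": ("src", "Audio"),
                 "img": ("src", "Image"), "embed": ("src", "Flash"),
                 "object": ("data", "Flash")}
# Constructed sample markup; example.test hosts are placeholders.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
<img src="/img/logo.png">
<video><source src="http://media.example.test/clip.mp4"></video>
"""


class MixedContentScanner(HTMLParser):
    """Collects subresources that an https page requests over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.media = None    # enclosing <video>/<audio>, for <source> children
        self.findings = []   # (resource type, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("video", "audio"):
            self.media = tag
        if tag in RESOURCE_TAGS:
            attr, kind = RESOURCE_TAGS[tag]
            self._check(kind, attrs.get(attr))
        elif tag == "source" and self.media:
            self._check(self.media.capitalize(), attrs.get("src"))
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            self._check("Stylesheet", attrs.get("href"))

    def handle_endtag(self, tag):
        if tag == self.media:
            self.media = None

    def _check(self, kind, url):
        if not url:
            return
        # Resolve relative and protocol-relative (//host) URLs against the page.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, absolute))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over https
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Protocol-relative and site-relative URLs inherit the page's https scheme, so only the three explicit `http://` references in the sample are reported.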
