Detecting Mixed Content blocking in JavaScript

[basStian]

Hey all,

My team is making an intranet web-app. The company we're working for has several domains inside their intranet. Our site is running in https, while many of the others do not.

The issue is that we want to show pages from some of the insecure servers inside iframes, but Chrome is blocking this. In the console log I see an error about "Mixed Content".

The question is, how can I detect in JavaScript that such a block has happened? The error in the console log doesn't seem to be an exception that I can catch. I want to show a helpful message to the user, instead of just a blank page.

Thanks!

Stian

[PhistucK]

iFrame.addEventListener("error, ...) can tell you there was an error loading the URL. Perhaps it is triggered in these cases as well (though you cannot know whether this is a real server error or a mixed content issue, the protocol of the URL can give you a basic direction).

☆PhistucK

--
--
Chromium Discussion mailing list: chromium...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-discuss

To unsubscribe from this group and stop receiving emails from it, send an email to chromium-discu...@chromium.org.

[basStian]

Hi, thanks for the reply.

Unfortunately this didn't seem to work. 

I tried:

var ifrm = document.createElement("iframe");
ifrm.src = "http://www.vg.no";
ifrm.addEventListener("error", function() {
  alert("error");
});
$("body").append(ifrm);

But no alert appear. And like I said, putting this in a try/catch does nothing either. So it seems like the Mixed Content error is not generated by javascript, but by Chrome itself (which makes sense I guess, since IE will happily show content from insecure resources).

Any other ideas? :)

Stian

[PhistucK]

That is weird. Perhaps this is a bug. I would expect the "error" event to fire for iFrames that try to load insecure URLs in secure pages but are blocked.

I added blink-dev to the discussion.

☆PhistucK

--

[PhistucK]

The content is blocked, this sounds like an error getting the content to me, so it should be an iFrame error.

Anyway, the console shows an error and not a warning, if you meant that.

☆PhistucK

On Thu, Jan 15, 2015 at 4:54 PM, Siva Thumma <siva...@gmail.com> wrote:

It is not error I believe. But rather a "warning".

Sent from iPhone

[PhistucK]

crbug.com/449343

☆PhistucK

On Thu, Jan 15, 2015 at 8:24 PM, Elliott Sprehn <esp...@chromium.org> wrote:

Can you file a bug on http://crbug.com?

[Stian]

Hi again,

I see that the bug is closed with status "WontFix", as the behavior is per spec.

So that still leaves me with the original issue: How do I detect that Chrome has blocked content?

Was thinking I could check the content of the body element in the iframe, but can't do that either because of cross-domain restrictions.

Would appreciate help on this matter, as we need to display a helpful message to the users (they aren't very tech savvy, and even if they were, it's difficult to understand a blank page). I am completely stuck in this matter..

Regards,

Stian

[PhistucK]

What helpful message would that be? "Please, allow mixed content to see the entire content"? This is not helpful, this is dangerous.

☆PhistucK

--

[Stian]

Not when the resources are internal domains within our intranet, which we trust. We know this is isn't optimal, to say the least. The other resources will be converted to SSL in time, but it's out of my teams' hands, so this is just something we have to do for now.

Stian

[PhistucK]

You educate your users that is it fine to allow mixed content. I would not call this a solution.

☆PhistucK

[Stian]

You are completely right, and I agree with you. However, in the current situation there's not much else we can do. Converting the other domains to SSL is beyond our control, as mentioned.

Stian

[PhistucK]

While controversial, you can just use HTTP...

I would not call this a solution, either.

☆PhistucK