How to force loading dynamic, insecure content in Chrome?
Q

4

22

I'm using Jira in https and I have some adjustments I'd like to make with some extra JS. My JS is hosted on an insecure server (no https available).

When I dynamically load the insecure JS file by inserting it into the DOM (using a browser extension), Chrome tells me:

[blocked] The page at https://jiraserver/browse ran insecure content from http://myserver/jira.js.

I can see how this is very secure and all, but I don't care. I want to load that insecure JS file. How can I tell Chrome to trust me and just do what I say?

My insertion method (in the extension code):

document.body.appendChild((function(s){s.src='http://myserver/jira.js';return s;})(document.createElement('script')));
Quash answered 27/12, 2012 at 17:37 Comment(4)
Why can't you use "https://myserver/jira.js"? - Kerriekerrigan
Why not append the source of jira.js to the body instead of trying to have the browser download it? - Upwards
@Kerriekerrigan Because myserver doesn't serve https. It doesn't have a certificate. @Upwards How would I get the source code? The point is to have the source code 'dynamic' so it can change on myserver and automatically change on jiraserver. - Quash
I think this answers your question better: superuser.com/questions/487748/… - Principalities
D
19

According to this Chrome Support Q&A you can launch your Chrome with the following command line flag to prevent Chrome from checking for insecure content:

--allow-running-insecure-content

Here is some documentation on how to run Chrome with command flags

Diplopia answered 14/3, 2013 at 19:48 Comment(6)
Woohoo! Grazi. I actually think I've seen that page before... Maybe I thought it was too much of an effort to add that flag. Still think it's stupid it's not configurable. - Quash
For Mac users: '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome' --allow-running-insecure-content > /dev/null 2>&1 & from superuser.com/a/524510/290504 - Truncate
@Quash Was it solved? I can't solve this problem with the flag. - Urbanus
@Urbanus I think that did it, but it's been a while and I have an HTTPS server these days, so don't need the flag anymore. Maybe they've removed it... I'm curious now. Do you have a test page? - Quash
@Quash You MEAN the test page is my application on my google appengine? - Urbanus
@Urbanus I don't MEAN anything. I was asking if there is a test page I can use to try it out on my machine. - Quash
B
3

Chrome simply will not load an insecure script in a secure page.

Does your jira.js have to be loaded from a server? The best way to inject it into the page would be by including it in your extension bundle.

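// Load jira.js from the extension bundle; it must be listed under
// web_accessible_resources in the manifest to be loadable by the page.
var s = document.createElement('script');
// chrome.runtime.getURL replaces the deprecated chrome.extension.getURL
s.src = chrome.runtime.getURL("jira.js");
s.onload = function() {
    // The script has executed; the element itself is no longer needed.
    this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);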

If you must load it from a server, I suppose your extension could make an XHR request for the script, then inject the response into the page.

// make an XHR request, then...
var s = document.createElement('script');
s.textContent = codeFromXHR;
(document.head||document.documentElement).appendChild(s);
s.parentNode.removeChild(s);
Beauvoir answered 27/12, 2012 at 17:59 Comment(3)
Will XHR respect caching? Downloading it again and again is... suboptimal. Can't I just tell Chrome to ignore its stupid security rules?? It's my computer! There must be a flag =( - Quash
I don't think you're supposed to inject stuff into document.documentElement btw... =) Only head and body 'allowed' w3.org/TR/html401/sgml/dtd.html#html.content - Quash
Yes, XHR follows all applicable caching rules the same as the 'regular' browser. You can't simply bypass the security rules -- they wouldn't be providing much security if you could. - Beauvoir
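
As an added illustration of the blocking rule this answer describes (not code from any poster, and a simplified model rather than Chrome's implementation), the following JavaScript audits a page's subresource loads for mixed content. The type names, verdict labels and the sample load list are assumptions made for the example; the host names are the ones used in the question.

```javascript
// Simplified model of the mixed-content check (added example, not Chrome's code).
// Types whose responses can script, restyle or read the page: always blocked.
const BLOCKABLE = new Set(['script', 'style', 'iframe', 'xhr', 'fetch', 'font', 'worker']);
// Passive media: current Chrome retries these over https and blocks on failure.
const UPGRADEABLE = new Set(['image', 'audio', 'video']);

// True when the URL is "potentially trustworthy": https/wss or a loopback host.
function isTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === 'https:' || u.protocol === 'wss:') return true;
  const host = u.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]';
}

// Classify one subresource load of the given type made by the page at pageUrl.
function classifyLoad(pageUrl, resourceUrl, type) {
  if (!isTrustworthy(pageUrl)) return 'not-mixed';     // plain http page: no rule
  if (isTrustworthy(resourceUrl)) return 'not-mixed';  // secure or loopback resource
  if (BLOCKABLE.has(type)) return 'blocked';
  if (UPGRADEABLE.has(type)) return 'upgraded-or-blocked';
  return 'blocked';                                    // unknown type: assume strictest
}

// Return only the loads that count as mixed content, each with its verdict.
function auditPage(pageUrl, loads) {
  return loads
    .map(l => ({ ...l, verdict: classifyLoad(pageUrl, l.url, l.type) }))
    .filter(l => l.verdict !== 'not-mixed');
}

// Constructed sample: the question's script plus a few other hypothetical loads.
const SAMPLE_LOADS = [
  { url: 'http://myserver/jira.js', type: 'script' },
  { url: 'http://myserver/logo.png', type: 'image' },
  { url: 'https://jiraserver/static/app.js', type: 'script' },
  { url: 'http://localhost:8080/dev.js', type: 'script' },
];

function runSample() {
  return auditPage('https://jiraserver/browse', SAMPLE_LOADS);
}
```

Only the first two sample loads are reported: the script is blocked outright, while the https and loopback loads are not mixed content at all.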
B
1

I had the same problem: our client links a CSS file and a JS file hosted on our server, on a domain which is not secure.

We will solve it by using Amazon CloudFront. They serve HTTPS using their certificates, which are verified.

That's not a bad solution for us, since a CDN is often a good idea and these resources are somewhat static. (The CSS file is tailored for each client and is in fact generated, but a sane TTL can be configured and the CDN flushed if required.)

Note that the CDN solution may even be more affordable than actually buying a certificate depending on your data load.

Beaux answered 8/9, 2014 at 13:40 Comment(0)
U
0

I have faced the same issue and found that if we are logged in to our Google account in Chrome, then Chrome stops loading the insecure content in https.

If we use an incognito window to load the website which has insecure content, then it will work.

Uphemia answered 1/3, 2017 at 3:52 Comment(0)
