Mixed Content in SSL
To most website owners, SSL is a part of keeping your website secure. Many website owners have already adopted this, out of the desire for security, or out of pure necessity. As SSL becomes more mainstream, many website owners are running into difficulties and issues regarding SSL and what is called mixed content. I’m going to talk about a situation that one of my clients and I ran into this week regarding mixed content in SSL.
What is mixed content in SSL?
When you add SSL to your website, it changes your protocol from http to https. This change may seem subtle to most, but it can have a huge impact on how your website runs. Mixed content comes from when you try to display or run the old http content inside of your https website. Since SSL is a fairly new thing to mainstream websites, I’ve never really ran into the following issue prior to this week. However, most browsers will block this content by default. This is for security reasons and is recommended. You can’t embed http content in an https website. You can't embed http content in an https website Click To Tweet
I have a client who teaches critical thinking to individuals and companies all over the world. He has websites in many different languages, from English to Russian, Korean and Polish. All of these websites work fine. That is, until this week. His organization has certifications in critical thinking and problem solving skills. Once you pass a test, you can become certified. The Russian website displays a database that is embedded via iframe in the browser. The Russian website is the standard http format. The English website was converted to SSL, because that is where payments are accepted for conferences and training all over the world. It was important for the website to be secure.
I received a phone call Tuesday that the database that is embedded in the Russian version of the website via iframe was no longer displaying in the English version. My first thought was that it was an HTML, or a standard coding issue. I thought that maybe the code had broken somewhere. I went into the backend of the website, which is a WordPress website, and was astonished to find that there were no scripting errors.
I hate to admit it, but I was a little baffled at first. I did a little reading online and found that sometimes, depending on the theme you are using, it can break the iframe code. I found a plug-in that replaces the script with a short code as a workaround. Needless to say, that did not work. That wasn’t the issue, and I was officially stumped.
It takes a lot more than that for me to throw in the towel. As I dug a little deeper I found an article about SSL and mixed content. This was all due to the fact that the iframe was not showing. For I can find, there is no workaround. If you try to embed http content into an https website, it will be blocked by the browser. It won’t even show. You know it was they are, unless you inspected it with a tool like Firebug Chrome’s inspect tool. When I inspected it, all I saw were the opening and closing iframe tags. The content contained within it did not show up at all.
This is something you’ll definitely want to consider before upgrading your website to SSL for greater security. I have a feeling that this is going to happen more often, since more and more people are adopting SSL. Browsers are starting to display websites as not having a secure connection, as an effort to push websites to adopt SSL to become more secure.
What do you think of SSL? Have you had a bad or a strange experience with using SSL in your websites are your client’s websites? I’d love to hear more about your experiences. Please leave your thoughts and experiences in the comments section below.