How does HSTS handle mixed content?

HSTS doesn't try to handle mixed content at all: it just controls whether the browser should perform an internal 307 redirect to HTTPS whenever it tries to load HTTP URLs, or not. The mixed content warning is a feature of the browser, and all the current browsers do it (Mozilla Firefox 23+, Google Chrome 21+, Internet Explorer 10+, Edge from the beginning...). The mixed content warning blocks e.g. <script> and <iframe>, but not <img>.

The mixed content warning on all the browsers mentioned is checked before loading any content at all, i.e. before HSTS redirects, too. This seems only natural, and is also easy to test. By default, all external images are loaded even using plain HTTP, and a mixed content warning is given only for scripts and iframes.

Mixed content without HSTS

HSTS only changes the situation where an image from an HSTS enabled domain is loaded using plain HTTP, and 307 Internal Redirect is performed. Worth noting: this is a situation with no mixed content warnings involved.

Mixed content with HSTS

Therefore, HSTS does not work as a quick fix for the mixed content problem:

  • You need to fix http:// URLs on your site even for the domain itself.
  • You need to ensure that you don't load external scripts from sources you don't trust.
    • If the third party doesn't enable HSTS, it's still vulnerable to man-in-the-middle attacks.
    • Third parties might load content from further external sources, and all this applies to those, too.
    • The external content site might be cracked or do malicious activities by themselves.

I think the answer to this would depend on whether the scripts you refer to are hosted on the domain for which HSTS is enabled.

E.g. if you serve your content from mydomain.com and enable HSTS for this domain (and possibly subdomains too) but the script(s) and other mixed content you refer to are served from otherdomain.com which does not enable HSTS then mixed content is possible and the browser will still warn about this.

What HSTS will stop (and will help fix mixed content for) is resources linked to via HTTP on the same domain - and perhaps subdomain depending on your config - as these will be "upgraded" to HTTPS automatically.

Tags:

Ssl

Ssl Certificate

Hsts

Mixed Content

Related

How install SSL certificate for RDS on windows server 2016? How to set up a persistent TCP gender-changer proxy? Does it makes sense from a security perspective to remove the Server HTTP header? Is it possible to populate an S3 bucket through a CloudFormation template? Why do my SSD read latency benchmarks get markedly worse when I put an XFS filesystem on top? ESXi - Multiple Separate Concurrent Uplinks on vSwitch? How can I chown a file to a subuid without sudo DMARC and DKIM alignment with multiple DKIM signatures Is there a way to automatically add network interfaces to systemd-networkd and/or netplan? Why does postfix say 'Helo command rejected: Host not found' when dig finds the host? Why a pod can't connect to another network? (In the new version of Kubernetes) No space left on device even after adding a Persistence Storage on gcloud

Recent Posts