Description
This rule determines if the location for specified resources (image, audio, video, object, script, link, iframe) uses insecure protocol http on https site connection. This is called mixed content.
Purpose
A user’s connection with the web server is encrypted with TLS when they access a website that is provided over HTTPS, protecting them from the majority of sniffers and man-in-the-middle attacks. A mixed content page is an HTTPS page that includes content that was fetched over cleartext HTTP. As a result, sniffers and man-in-the-middle attackers can obtain unencrypted content on pages like this one that is only partially encrypted. The pages are now risky as a result.
An example of how this is being reported in the Developer console:
How to fix it
- Ensure the site serve all resources through https connection.
- Check all links to external sites and make sure they have specified
https://protocol.
Standard
Privacy, Best Practice