How to use insecure web script on SSL pages

Question

I have used SSL to secure my pages, but one of my scripts has stopped working.

I was using on page to show visit count on this website.

It was working fine earlier without SSL but now shows the error message:

blocked insecure content.

Answer 1

This feature was enabled by default in Firefox 23 recently. That's probably the reason it stopped working now (Chrome has been doing this longer), but it's always been bad practice because of several security implications: if the page itself is protected from being tampered, it gives the end user a false sense of security if he sees the connection is encrypted with HTTPS. After all, the insecurely served script could still be tampered with through a MitM attack, and for example introduce password sniffing callbacks, or redirect form postback targets.

Answer 2

its a deliberate security feature to prevent a page looking secure which then uses resources from less secure sites.

See if you can host the script under your ssl domain, or you could proxy the response if its an api for example.

Be aware though that you are circumventing a security feature and you should be confident that you trust the resource.

Answer 3

When using secure connection, all content should be loaded using secure connections. That includes images, scripts, iframes, stylesheets, swf and other media from both your server as well third-party ones.

Some browsers allows changes in configuration so they can fetch and display this content, but you can't force your users to change their configurations (especially for less secure one).

If this service does not provide it's api through SSL, you may have to change it for another one or resign from this counter on secured pages.