Reputation: 824
Blocking mixed content from potentially trustworthy origins (127.0.0.0/8)
Mixed content isn't blocked for potentially trustworthy origins, including IP addresses from 127.0.0.0 to 127.255.255.255. Can browsers be configured to block mixed content for such addresses? This would make local testing easier.
Upvotes: 0
Views: 273
Answers (1)
Reputation: 11397
I have found no browser settings to treat potentially trusted domains as untrusted, BUT here are several options to make 127.0.0.1 and untrusted domains behave the same, or to generate a report of items that would normally generate a warning.
XHR
For XHR, adding an entry to your hosts file is enough (tested in Firefox 73.0.1 & Chrome 80.0.3987).
# /etc/hosts
127.0.0.1 example.com
XHR requests from https://example.com to http://example.com will be blocked by the Mixed Content rules. Note that XHR is still subject CORS and may additionally be blocked by the CORS policy.
This also applies to WebSockets and several other connection types.
<img> and other non-XHR
I have found no way to generate only a warning for images or other connection types (you can see a nearly-exhaustive list with examples at Mixed Content Examples).
There are two options if you wish 127.0.0.1 to behave as if it were a regular domain:
- Block Mixed Content entirely (this may even help future-proof your site) using a Content Security Policy (CSP)
- Get the browser to generate a report of elements which would have generated a warning
Blocking Mixed Content
Add this CSP directive to allow only HTTPS images.
Content-Security-Policy: image-src https:
Use default-src instead of image-src to allow only HTTPS for all other connection types. List of other connection types and their directives.
Generating a report
Add this CSP directive to get the browser to POST a JSON report of resources that would have been blocked.
Content-Security-Policy-Report-Only: default-src https:; report-uri /your-endpoint
Here's some Express code to do that.
let cspCounter = 1;
const CSP_VIOLATION_REPORT_ENDPOINT = '/csp-violation-report-endpoint';
app.use( (req, res, next) => {
res.set('Content-Security-Policy-Report-Only', `default-src https:; report-uri ${CSP_VIOLATION_REPORT_ENDPOINT}`);
next();
});
app.post(CSP_VIOLATION_REPORT_ENDPOINT, (req, res) => {
const reportFile = `/tmp/csp-report-${cspCounter++}.json`;
req.pipe(fs.createWriteStream(reportFile));
req.on('end', () => res.send('ok'));
fs.readFile(reportFile, (err, data) => debug('csp-report')(err || JSON.parse(data.toString())) );
});
A test server is available at https://github.com/codebling/mixed-content-test
Upvotes: 1
Related Questions
- Prevent request to another domain?
- Block cross domain XHR or fetch call at origination/source
- Cross Origin Resource Sharing (CORS) Error - Can this be blocked at the client?
- Mixed-content request from HTTPS page to HTTP (non-HTTPS) localhost address not blocked
- Is it possible to disallow fetching resources from different domains?
- Catching Mixed content error
- Strange Mixed Content Issue
- Client-side solution to missing "Access-Control-Allow-Origin" header
- XMLHttpRequest Same Origin Policy
- Restrict Cross Domain Ajax request