christabor/flask_jsondash

Show a message for loading http when in https environment to allow overriding settings

christabor opened this issue · 0 comments

Use case

For iframe types, I want to be able to load insecure content that I trust, without using CORS or other methods. I know the source but it may not be valid https, while my service (jsondash) is served over https.

E.g. for Chrome, this can be done the following way:
https://superuser.com/questions/487748/how-to-allow-chrome-browser-to-load-insecure-content

Implementation

When loading the iframe, if the dataSource starts with http:// and the window.location.protocol === 'https:', then it is considered "insecureOnSecure" or the like. When this is true, display an alert or some indication that content can be loaded (with caveats explained) insecurely by doing X, where X is either:

  1. A generic message indicating that somehow the user can disable this blocking of iframe content
  2. OR, a mapping of each browser type and example docs for that browser that indicate how to disable it.

The second option is much more involved and also can potentially become out-of-date as docs change or pages go stale. However, when it works properly, it can be much more useful for the user than expecting them to go out and look for these docs manually.

Other ideas

  • This can be enabled on a flask-app level (e.g. JSONDASH_SHOW_INSECURE = True) or similar.

Caveats

  1. The user can be exposed to unsafe environments
  2. More work involved than just blocking insecure content.
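
The check described under Implementation, sketched as an added example that is not part of the original issue or the flask_jsondash code base. It goes beyond the plain "starts with http://" test by resolving relative and protocol-relative sources against the page URL and by exempting loopback hosts; the function names and the `showInsecure` parameter (standing in for a JSONDASH_SHOW_INSECURE-style setting passed to the client) are hypothetical.

```javascript
// Added example: isInsecureOnSecure, insecureNotice and showInsecure are
// hypothetical names, not flask_jsondash APIs.

// Loopback hosts count as potentially trustworthy origins (W3C Secure
// Contexts), so plain http there is not treated as mixed content.
const LOOPBACK = /^(localhost|127(\.\d{1,3}){3}|\[::1\])$/i;

function isInsecureOnSecure(dataSource, pageHref) {
  let page, target;
  try {
    page = new URL(pageHref);
    // Resolving against the page means "/chart/1" and "//host/path"
    // inherit the page's scheme, and "HTTP://" is normalised to "http:".
    target = new URL(String(dataSource).trim(), page);
  } catch (err) {
    return false; // unparseable source: the iframe fails for other reasons
  }
  if (page.protocol !== 'https:') return false;   // page itself is not secure
  if (target.protocol !== 'http:') return false;  // https, data:, etc.
  return !LOOPBACK.test(target.hostname);
}

// Option 1 from the issue: a generic message, shown only when the
// app-level setting is on. Returns null when there is nothing to show.
function insecureNotice(dataSource, pageHref, showInsecure) {
  if (!showInsecure || !isInsecureOnSecure(dataSource, pageHref)) return null;
  const host = new URL(String(dataSource).trim(), pageHref).host;
  return 'The iframe source ' + host + ' is served over http while this ' +
    'dashboard is served over https, so the browser blocks it as mixed ' +
    'content unless its settings allow insecure content for this site.';
}

// In the browser, pass window.location.href as pageHref and write the
// result with element.textContent (not innerHTML), because the host comes
// from user-supplied chart configuration.

// Constructed sample inputs:
const PAGE = 'https://dash.example.com/charts/42';
for (const src of ['http://charts.example.org/a', '//charts.example.org/a',
                   'http://localhost:5000/a', '/static/a.html']) {
  console.log(src, '->', isInsecureOnSecure(src, PAGE));
}
```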