Show a message for loading http when in https environment to allow overriding settings
christabor opened this issue · 0 comments
Use case
For iframe types, I want to be able to load insecure content that I trust, without using CORS or other methods. I know the source but it may not be valid https, while my service (jsondash) is served over https.
E.g. for Chrome, this can be done the following way:
https://superuser.com/questions/487748/how-to-allow-chrome-browser-to-load-insecure-content
Implementation
When loading the iframe, if the dataSource
starts with http://
and the window.location.protocol === 'https:
, then it is considered "insecureOnSecure" or the like. When this is true, display an alert or some indication that content can be loaded (with caveats explained) insecurely by doing X, where X is either:
- A generic message indicating that somehow the user can disable this blocking of iframe content
- OR, a mapping of each browser type and example docs for that browser that indicate how to disable it).
The second option is much more involved and also can potentially become out-of-date as docs change or pages go stale. However, when it works properly, it can be much more useful for the user than expecting them to go out and look for these docs manually.
Other ideas
- This can be enabled on a flask-app level (e.g.
JSONDASH_SHOW_INSECURE = True
) or similar.
Caveats
- The user can be exposed to unsafe environments
- More work involved than just blocking insecure content.