Question
Is there an HTTP Response header that disallows any non-SSL content from being displayed on the current page?
The idea is sometimes external content that needs to be on the website (cough, ad engines, cough) may be slacking off with the SSL and in such a case I'd rather skip on this external content, than provide an opportunity for active MitM with all its consequences.
I know HSTS covers similar ground, but AFAIK it works on a host basis; that is sending HSTS means you indicate you want only HTTPS connections to your host, not that you won't be including non-HTTPS content from the HTML of your pages.
Explanation / Answer
Theoretically, modern browsers block active mixed content and warn about passive mixed content. In that sense, the kind of blocking that you seek is already done on the client-side, to some extent.
You may want to serve the external content yourself by rewriting URLs (that software might possibly help): the external content now becomes internal content that you provide on your own SSL. However, on a general basis, if the external content is not trustworthy (if only by being sloppily managed on the external server side), then the only sane practice is to evict it altogether -- which is what you are trying to do, indeed. Ideally you would serve "good" ads and not "bad" ads on technical per-ad grounds, but in practice your choice is more between ad-network providers, or not having ads at all.
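As an added example that is not part of the original question or answer, the following Python script implements the two server-side options the answer describes for a page served over HTTPS: rewrite a plain-`http://` subresource so it is fetched through your own origin, or evict it (tag and contents) before the HTML leaves the server. The active/passive tag lists encode the distinction the answer refers to (browsers block active mixed content, warn on passive); the `/proxy?u=` endpoint, the element lists and the sample page are assumptions of this example, and you would have to implement the proxy endpoint yourself.

```python
"""
Added example (not from the original question or answer): a server-side
filter for non-HTTPS subresources in an HTTPS page.  Each plain-http URL is
either rewritten to a same-origin proxy path (the answer's "rewriting URLs"
option) or evicted together with its element (the answer's "evict it
altogether" option).  Only the standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# Assumed classification: "active" content can execute or restyle the page,
# "passive" content is display-only.  Modern browsers block the former when
# mixed and only warn about the latter, as the answer notes.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
SUBRESOURCE = ACTIVE | PASSIVE
VOID = {"img", "source", "embed", "link", "br", "hr", "meta", "input"}

# Hypothetical same-origin endpoint that fetches the resource over the
# server's own connection and re-serves it under your HTTPS origin.
PROXY_PATH = "/proxy?u="


def is_plain_http(url):
    """True only for an absolute http:// URL; //host and https:// are fine."""
    return urlsplit(url.strip()).scheme.lower() == "http"


def _render(tag, attrs):
    """Re-serialise a start tag; HTMLParser hands us unescaped attr values."""
    parts = [tag]
    for name, value in attrs:
        if value is None:
            parts.append(name)
        else:
            parts.append('%s="%s"' % (name, value.replace("&", "&amp;").replace('"', "&quot;")))
    return "<" + " ".join(parts) + ">"


class MixedContentFilter(HTMLParser):
    def __init__(self, actions):
        super().__init__(convert_charrefs=False)
        self.actions = actions      # {"active": "drop"|"proxy", "passive": ...}
        self.out = []               # output fragments
        self.report = []            # (tag, url, kind, action) for each hit
        self.skipping = None        # tag name while inside an evicted element
        self.depth = 0

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            if tag == self.skipping:
                self.depth += 1
            return
        for name, value in attrs:
            if (tag, name) in SUBRESOURCE and value and is_plain_http(value):
                kind = "active" if (tag, name) in ACTIVE else "passive"
                action = self.actions[kind]
                self.report.append((tag, value, kind, action))
                if action == "drop":
                    if tag not in VOID:          # swallow content up to the end tag
                        self.skipping, self.depth = tag, 1
                    return
                rewritten = [(n, PROXY_PATH + quote(v, safe="") if n == name else v)
                             for n, v in attrs]
                self.out.append(_render(tag, rewritten))
                return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)     # no separate end tag for <x/>

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.depth -= 1
                if self.depth == 0:
                    self.skipping = None
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skipping:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if not self.skipping:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        if not self.skipping:
            self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def filter_mixed_content(html, actions=None):
    """Return (filtered_html, report).  Default: evict active, proxy passive."""
    actions = actions or {"active": "drop", "passive": "proxy"}
    parser = MixedContentFilter(actions)
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.report


# Constructed sample page: one bad stylesheet, one bad script, one bad image,
# one bad iframe, plus https:// and protocol-relative resources that must survive.
SAMPLE = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="https://cdn.example/ok.js"></script>
<script src="http://ads.example/tracker.js">/* inline fallback */</script>
</head><body>
<img src="http://ads.example/banner.png" alt="ad">
<img src="//cdn.example/logo.png">
<iframe src="http://ads.example/frame"><p>no frames</p></iframe>
<p>Hello &amp; welcome</p>
</body></html>"""

if __name__ == "__main__":
    cleaned, hits = filter_mixed_content(SAMPLE)
    for hit in hits:
        print("%-6s %-7s %-5s %s" % hit)
    print(cleaned)
```

Run against the constructed sample, the stylesheet, script and iframe are evicted (the script body and the iframe fallback go with them), the banner image is rewritten to `/proxy?u=http%3A%2F%2Fads.example%2Fbanner.png`, and the `https://` and `//` resources pass through untouched. Passing `{"active": "drop", "passive": "drop"}` gives the answer's stricter "evict altogether" behaviour; the report list is what you would log so the offending ad URLs can be taken up with the provider.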