UNPKG

@passmarked/links

Version:

Rules related to the links/assets on the page

github.com/passmarked/links

passmarked/links

43 lines (34 loc) 1.32 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
Serving unsecured javascript or css allows an attacker to modify seemingly secure page content, effectively bypassing any encryption. Unsecured javascript (and css) can be modified (on the fly) by an attacker — especialy on unsecured public networks. ```html <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Seemingly Secured Page</title> </head> <body> <p>Page content</p> <!-- BAD, uses unsecure http even if https is available --> <script src="http://externaldomain.com/externalResource.js"></script> </body> </html> ``` # How do I fix this ? Use protocol relative urls for internal and external resources, **but make sure the external resources are available on `https`**. ```html <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Secured Page</title> </head> <body> <p>Page content</p> <!-- GOOD, fetches with https if the current page was fetched securely --> <script src="//externaldomain.com/externalResource.js"></script> </body> </html> ``` # Resources * [MDN - Mixed Content](https://developer.mozilla.org/en/docs/Security/MixedContent * [Google Developers - What is mixed content?](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content?hl=en)