It is so sad, when a webpage falls apart in the browser, like this one in Chrome:
Why is that? Oh, isn’t it obvious? The explanation is there, let me help you:
It is called the mixed content warning, and although it is a warning, it is very easy to miss. Let’s see the same page in Firefox:
Do you get it? Here it is:
Internet Explorer is not so gentle, it immediately calls the user’s attention:
Although you don’t have to search for a shield icon (which is one of the most overused symbol in the IT history) here, because you immediately receive a textual message, the situation is not really better. Average users don’t understand this message and the real cause behind it. What’s more, not only users don’t get it, but also web developers don’t understand the security consequences, otherwise there won’t be any page with this warning at all.
It is so easy to get rid of the mixed content warning: just ensure that if you load the page via https:// protocol, then you must load all referenced content (yes, all of them) via https as well. If you have a single http:// URL in your page, then the browser will trigger the mixed content warning. If you load content from a third party domain and you cannot use relative URLs, then start your reference URLs with “//”, which tells the browser to use the same protocol which was used to load the page itself. It is called the “protocol relative”, “scheme relative” or “scheme-less relative” URL, and you can find its description already in the RFC 3986 (dated January 2005) which specifies the URI syntax. Thankfully all browsers understand it as well.
It is time to fix these pages, and let the browsers sooner or later completely block these poorly implemented pages.