6

In one of the latest Chrome updates, the Chrome team added the "load anyway" message that prompts a user to approve loading insecure content on secure pages. Somehow Optimizely has found a way to "trick" Chrome into not asking that question and simply loading the content with the yellow warning key, e.g.: https://www.optimizely.com/edit#url=http://www.yahoo.com/

I can't seem to understand how they did it... Does anyone understand?

Thanks

Amnon
  • What do you mean? Their certificate is fine. Also, what version of Chrome are you referring to? – Esailija Aug 06 '12 at 16:54
  • Optimizely's certificate is good, but the problem is that they are fetching insecure content to a secured page, which results in a warning... If you try to do it on a secured page you will get a "load anyway" message in Chrome – Amnon Aug 06 '12 at 17:07
  • 1
    I only get that when there is something wrong with the certificate. Mixed content has always loaded for me without any prompt :/ Chrome 21. Can you show a page that gives the prompt? – Esailija Aug 06 '12 at 17:09

2 Answers

4

It looks like they do it after page load. The initial page served only includes an innocuous <iframe></iframe> - no insecure content loaded yet. JavaScript does the actual loading of the iframe.

I did some testing and I can't get any message to appear on Chromium 18 (Linux). However, on my test page, the security icon starts green on page load, then turns yellow when the insecure content is loaded to the iframe. The exact same happens on Optimizely. So my best guess is that this method will avoid the "Load Anyway" message while letting you load insecure content.

Don't count on that though - if this is a new Chrome feature, it's likely they'll figure out this trick as well and fix it later. ;)

Ryan P
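Because the frame has no src until script assigns one, an audit of the served HTML alone will not see the insecure load described in the answer above. The following is an added example, not code from the answer or from Optimizely, that checks frames at load and again whenever a src is set later; the function names and the `report` callback are hypothetical.

```javascript
// Added example: find iframes whose src is http:// on an https:// page,
// including a src assigned by script after the initial HTML was served.

// True when resourceUrl would load as mixed content on pageUrl.
function isMixedContent(pageUrl, resourceUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return false; // only secure pages can be mixed
  let res;
  try {
    res = new URL(resourceUrl, page); // resolves relative and //host URLs
  } catch (e) {
    return false; // an unparsable src loads nothing
  }
  return res.protocol === 'http:';
}

// Return the absolute URLs of insecure frames among `frames`
// (any objects exposing getAttribute, e.g. DOM iframe elements).
function auditFrames(pageUrl, frames) {
  const findings = [];
  for (const frame of frames) {
    const src = frame.getAttribute('src'); // null for an empty <iframe></iframe>
    if (src && isMixedContent(pageUrl, src)) {
      findings.push(new URL(src, pageUrl).href);
    }
  }
  return findings;
}

// Browser-only: audit existing frames, then any frame added or re-pointed later.
// `report` is a hypothetical callback that receives each insecure URL.
function watchFrames(report) {
  const check = (nodes) => auditFrames(location.href, nodes).forEach(report);
  check(document.querySelectorAll('iframe'));
  new MutationObserver((records) => {
    for (const r of records) {
      if (r.type === 'attributes' && r.target.nodeName === 'IFRAME') check([r.target]);
      for (const n of r.addedNodes) {
        if (n.nodeType !== 1) continue; // skip text and comment nodes
        check(n.nodeName === 'IFRAME' ? [n] : n.querySelectorAll('iframe'));
      }
    }
  }).observe(document.documentElement, {
    subtree: true, childList: true, attributes: true, attributeFilter: ['src'],
  });
}
```
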
2

They don't seem to get around it on Chrome: They ask the user to enable it as per this screenshot.

David d C e Freitas