Can I create exemptions in the major Windows browsers (IE, Firefox, Chrome, Safari) for the insecure content warnings you get when mixing https and http on the same page?
We have a site that needs to run https... it allows students here to pay their bills online, sign up for classes, view their grades, housing, financial aid etc, and allows faculty to view appropriate student information (FERPA protected). Site content should itself pretty much never be seen over vanilla unencrypted http.
One of the features of this site is that it's also a portal. Students can chat, post to message boards (for sale, rides home, etc), and — through iframes — set up "gadgets". There are a few default gadgets embedded, such as a print use counter, Facebook (to encourage use of the portal), library card catalog lookup, and others, and students can set up their own — and some of these do not support https at all. We do know that students are actually using this site regularly, and it loads as the home page in our computer labs.
Unfortunately, this leads to nasty warnings about mixing secure and insecure content. I know what these warnings are, why they have them, and why they are important (XSS vulnerabilities could potentially let rogue javascript in a gadget upload student info to a remote server). That said, I also control the deployment of these sites, so for my own managed computers I can know that this content is okay.
This brings me to my question. For our college-owned computers, at least, I would like to disable the warnings in IE, Firefox, Safari, and Chrome, for just that specific insecure content and in just those specific pages where we've included it. I definitely don't want to disable these blocks and warnings generally. I'm only talking about the specific content in question, some of which is based on vendor software that I can't just set to use https. Is this possible?
> some of which is based on vendor software that I can't just set to use https => sure you can, just stick a reverse proxy (via nginx, haproxy, apache httpd, etc.) in front of it as a TLS termination proxy. As long as you can select the URL to use for these 'gadgets', you can point them at the proxy (and point the proxy at the HTTP server). – Bob – 2016-12-23T02:27:08.027
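The TLS termination proxy suggested in the comment above, sketched as an nginx configuration. This is an added example, not part of the original thread; the host names, the `/printcounter/` path, the backend address and the certificate paths are placeholders.

```nginx
# Constructed example: every host name, path and port below is a placeholder.
server {
    listen 443 ssl;
    # HTTPS name that the portal's iframe points at instead of the vendor URL.
    server_name gadgets.portal.example.edu;

    ssl_certificate     /etc/nginx/tls/gadgets.portal.example.edu.crt;
    ssl_certificate_key /etc/nginx/tls/gadgets.portal.example.edu.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /printcounter/ {
        # HTTP-only vendor application; this hop is unencrypted.
        proxy_pass http://printcounter.internal.example.edu:8080/;

        # Tell the backend the original request arrived over HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Rewrite absolute http:// redirects issued by the backend so the
        # browser stays on the HTTPS name and is not sent back to plain HTTP.
        proxy_redirect http://printcounter.internal.example.edu:8080/ /printcounter/;

        # The backend does not know it sits behind TLS, so add the Secure
        # flag to its cookies here (requires nginx 1.19.3 or later).
        proxy_cookie_flags ~ secure;
    }
}
```

The proxy-to-backend hop is still plain HTTP, so it should stay on a network segment you control. If the vendor HTML hard-codes `http://` URLs for its own scripts or images, the browser will still flag those sub-resources even though the iframe itself loads over HTTPS.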