[Webcom] Webcom Digest, Vol 88, Issue 5

Mark Johnson mjohnson at ncbi.nlm.nih.gov
Fri Jul 29 12:08:04 PDT 2016

I can take a shot at explaining. It's not that anyone necessarily cares 
that someone is looking
at map tiles. But pages served over https aren't allowed to load active 
content over http. The reason is,
a Bad Guy can figure out a way (by infecting your browser, for example) 
of injecting code that
loads stuff from his server. And/or *pushes* stuff to his server. Like 
whatever else is on that
page that is showing the map tiles. If the URL that loads the map tiles 
is https, well, "Too, bad, Bad Guy,
it's encrypted--go spy on someone else." But if it's plain old http... 
Bad Guy wins. Mwa ha ha.

So that's why browsers don't allow active mixed content on https-loaded 
pages, even for innocuous

By the way, US government sites, and other secure sites, are going to be 
implementing something called HSTS
(google it), which tells the browser "from now on, only ever speak https 
to this domain". So even
if the page source says http://osgeo.org/.../foo.js, the browser will 
automatically ask for https://osgeo.org/...
instead. If the certs on your server are bad, though, the browser will 
refuse to load. So for some
sites, https will make osgeo resources broken.

--Mark Johnson

More information about the Webcom mailing list