We are thinking to SSL enabled part of our website, but some page contains ads from third party vendor (like Google AdSense). I'd think this will create a annoying problem for our users since they are going to see warning message like "This page contains both secure and non secure items" when they view a page with ads. However, when I browse to Gmail with https instead of http, I don't see that warning in firefox. Does anyone know how Gmail hide this?
+10
A:
Google's documentation indicates this is a known issue and does not offer a workaround: https://www.google.com/adsense/support/bin/answer.py?answer=10528
ahockley
2009-02-25 23:10:09
if google does not support it, how can I see the ads from google when I log into gmail through https?
Herman
2009-02-25 23:16:45
Google embed the advertisements straight on the page, and don't use any mechanism to include them externally.
Rob
2009-02-25 23:57:05
Gmail gets special treatment as another Google product.
ceejayoz
2009-02-26 01:17:25
This seems like the only correct answer that answers the question on this page.
metanaito
2009-02-26 02:33:30
+16
A:
some page contains ads from third party vendor (like Google AdSense)
Then the browser is right — that isn't secure.
With AdSense and most other ad networks you are given a link to JavaScript. When you refer to any external <script>, you are giving complete trust over the contents of your page to the external script provider. You need to trust them to do only what they say they're going to do (show an ad), and not something nefarious like take over the login form from the page it's on and steal values you type into it, or, if the “ad” script were included on your bank account page, automatically empty out all your money.
So external scripts are a trust problem, but if you are using a vendor that provides an HTTPS interface to their ads, then at least it's only one known party you have to trust. If the ad provider only has an HTTP interface, then you're sending out your trust to anyone who can grab control with a man-in-the-middle or similar attack. You are effectively reducing the trust level of your entire page to that of plain unencrypted HTTP, so the browser is quite correct to complain that the page isn't actually any more secure than any old HTTP site.
bobince
2009-02-25 23:19:31
+2
A:
Since this is the answer for Analytic you can use this to not show ads on your secure pages
if ("http:" == document.location.protocol) { /*show your adds here*/ }
I got this idea from how I do analytics on my sites
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
I admit this means you can't show ads on your secure pages, but you probably don't want Google reading your secure pages contents and showing ads anyways. (That is a cop out and making excuses for Google, but as mentioned, they just don't support it)
To answer your GMail question... (using Firebug here, so I could be interpreting this wrong)
- I login to gmail with the always secure connection. No ads.
- I turn on the console to see what connections gmail makes.
- I clear the console
- I click a message that has ads shown to the right.
Gmail only made two calls. First a get to https://mail.google.com that I am guessing is my email. The second was a POST to https://mail.google.com/mail/channel/
I am guessing (everybody else correct me) Gmail requests a post from a proxy that serves the ads.
GMail sends content to proxy, proxy gets ads, proxy sends content back to Gmail. All securly.
TOTAL GUESS THERE
Thanks for the downvote but no explanation about what wasn't helpful
MrChrister
2009-02-25 23:39:22
+1
A:
"Does anyone know how Gmail hide this?"
Short answer: they use https to fetch the ads. Looking through the Net tab in Firebug for GMail's page load I see the ads that are on the page in a request with the URL https://mail.google.com/mail/?ui=2&ik=bbff8a9f5c&view=ad&ak=is00jux7yq7kgk730lqdkxklz03d9d8 so it looks like they do have a way to serve ads over https but only for their own sites.
Sam Hasler
2009-02-25 23:53:24
+3
A:
if you are trying to include non-secure content and have control over what is displayed, you could write a handler that takes a url as a parameter.
As the handler is hosted in SSL it can fetch the html, and stream it out back to the browser through SSL. in effect its acting as a small proxy for you.
I've done this for a number of projects in the past to get to files from within a network without exposing the actual network itself.
using the information here: http://www.csharp-station.com/HowTo/HttpWebFetch.aspx you could easily adapt it to take a parameter (the actual url you want to fetch)...
so in your rendered page you would call https://my.domain.com/pages/HttpWebFetch.aspx?url=http://ads.google.com/ the HttpWebFetch.aspx would then retrieve and relay the page content over https thereby removing the secure/insecure warnings.
Mauro
2009-02-26 13:00:26
interesting... do you have any reference to this approach? Do you have any code samples? Is this done over javascript?
Herman
2009-02-27 03:49:41
@Mauro: Your answer would turn your website into an open proxy. I think you'd have to find a better solution than simply passing the URL as a parameter. However, other than that vulnerability, the idea has merit :-)
scraimer
2010-03-25 09:42:57
@Scraimer, yes it would, theres obviously some security issues to consider, for example, you could store the url in a configuration file, encrypt it, not pass the actual url but a reference/id of the url etc. I used the URL as a parameter for simplicity.
Mauro
2010-03-25 15:24:19
+1
A:
Another approach is to use a protocol relative url. Basically it is a url without the protocol. With this approach the external file can be served under both a secure and nonsecure url without any warnings. Here is a link to a good blog post about this method.
Hope this helps.
damstr8
2010-10-05 14:32:15