HTTP vs HTTPS / Mixed content on www.newsblur.com

  • 1
  • Question
  • Updated 6 years ago
(note: this only applies to https://www.newsblur.com, not http://www.newsblur.com)

It looks like https://www.newsblur.com is serving both HTTPS and HTTP content.
AFAIK, this practice is not ideal, but it's common on the web (it's called "Mixed Content" - not sure if this is "Mixed Passive Content" or "Mixed Active Content").

Serving HTTPS content only would be preferrable for privacy and security.

Is this correct? If it is, do you plan to serve HTTPS content only in the future?
Photo of pxlmsc

pxlmsc

  • 45 Posts
  • 1 Reply Like
  • not encrypted enough

Posted 6 years ago

  • 1
Photo of Ahmet A. Sabanc─▒

Ahmet A. Sabanc─▒

  • 11 Posts
  • 1 Reply Like
You're right about mixed content's potential vulnerabilities.

AFAIK, Newsblur itself serves full HTTPS but the feeds most of the feeds and websites are HTTP and that causes mixed content problem.

I'm not really sure about that (I don't know the full technical details) but if a website feed doesn't have support for HTTPS, I don't think Samuel can do much about that.
Photo of Hampus

Hampus

  • 212 Posts
  • 31 Reply Likes
This is indeed the case. Not long ago some parts of Newsblur itself was still HTTP even when you were using HTTPS but I think that has been taken care of now.

The problem are the feeds, even if you're subscribed to HTTPS versions of all your feeds it's not uncommon for there to be things like images or youtube videos embedded that use a HTTP URL. Newsblur can't just rewrite all the URLs either as they will in some cases be to to a CDN (or just a regular site) that simply doesn't support HTTPS.
Photo of Ryan Williams

Ryan Williams

  • 1 Post
  • 0 Reply Likes
I had this problem as well, but only with the full site view. If you use one of the views that does not load an entire page from the external site, all the content will come from https://www.newsblur.com and therefor be secure.
Photo of polpo

polpo

  • 13 Posts
  • 0 Reply Likes
Several email providers that serve over HTTPS actually rewrite and proxy all cross-site requests in order to prevent mixed content warnings.