Mixed content warning due to SSL

When accessing NewsBlur through the secure https version, modern browsers like Chrome and Firefox throw a mixed content warning, which actually means that insecure content is embedded in the secure website. Browsers also don’t load the insecure content without confirmation.

Chrome help says: “The site uses SSL, but Google Chrome has detected insecure content on the page.”

This is a completely valid concern since the insecure content could hijack the otherwise secure connection. E.g. SVG image files could contain JavaScript.

The blocked insecure files are listed in the browser’s console. They include feed icons and especially all stylesheets for the “original” view. This is a problem even when the original website uses SSL, too, because NewsBlur still only uses the http protocol.

I know this might not be the easiest problem, but it should be fixed. Otherwise the SSL mode is partly broken and doesn’t make that much sense. Once fixed, you should think about moving to https-only, like Google does. The overhead is minimal (≤ 1%), but you’ll get security and user trust.

Harder than it sounds. Content is coming from all over and much of it is not https. I’ve tried to make all of NewsBlur load https-only, but third party images are the big problem.

I see.

If you embed the http://www.newsblur.com/reader/page/1234 iframe without https, it loads but can’t communicate with your root site anymore. Have you tried using cross-document messaging? It seems widely supported these days.
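The cross-document messaging suggested above, as an added example that is not NewsBlur’s code: an https parent page and an http iframe exchange messages with `postMessage`, and each side checks `event.origin` and the message shape before acting, and addresses the other window by its exact origin rather than `"*"`. The origins, message types and limits are assumptions chosen for illustration. One caveat: current browsers treat an http iframe inside an https page as blockable mixed content, so this only helps where the frame itself is allowed to load.

```javascript
// Added example, not NewsBlur's code: cross-document messaging (postMessage)
// between an https parent page and an http iframe. The origins and message
// shapes below are assumptions chosen for illustration.
const PARENT_ORIGIN = "https://reader.example.com";
const FRAME_ORIGIN = "http://pages.example.com";

// Accept a message only if it came from the origin we expect and has the
// shape we expect. Returns the validated payload, or null to ignore it.
function acceptMessage(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (data === null || typeof data !== "object") return null;
  if (typeof data.type !== "string") return null;
  return data;
}

// Parent side: map a validated frame message to an action. Returns a plain
// description of the action so the logic can be checked without a DOM.
function handleFrameMessage(event) {
  const msg = acceptMessage(event, FRAME_ORIGIN);
  if (msg === null) return { action: "ignored" };
  switch (msg.type) {
    case "height":
      // Bound the value: a hostile frame must not be able to resize us to anything.
      if (!Number.isFinite(msg.value) || msg.value < 0) return { action: "ignored" };
      return { action: "resize", height: Math.min(msg.value, 20000) };
    case "link":
      // Only honour navigation requests to http(s) targets (no javascript: etc.).
      try {
        const u = new URL(String(msg.href));
        if (u.protocol !== "http:" && u.protocol !== "https:") return { action: "ignored" };
        return { action: "open", href: u.href };
      } catch {
        return { action: "ignored" };
      }
    default:
      return { action: "ignored" };
  }
}

// Parent side wiring (browser only): listen, then address the frame by its
// exact origin rather than "*" so the message never reaches a hijacked frame.
function connectParent(frame) {
  window.addEventListener("message", (event) => {
    const result = handleFrameMessage(event);
    if (result.action === "resize") frame.style.height = result.height + "px";
    if (result.action === "open") window.open(result.href, "_blank", "noopener");
  });
  frame.contentWindow.postMessage({ type: "ping" }, FRAME_ORIGIN);
}

// Frame side (browser only): the same discipline in reverse. Replying to
// event.source with the parent's origin pinned keeps the answer private.
function connectFrame() {
  window.addEventListener("message", (event) => {
    const msg = acceptMessage(event, PARENT_ORIGIN);
    if (msg === null || msg.type !== "ping") return;
    event.source.postMessage(
      { type: "height", value: document.documentElement.scrollHeight },
      PARENT_ORIGIN
    );
  });
}
```

`connectParent` and `connectFrame` only run in a browser; `handleFrameMessage` and `acceptMessage` are pure so the origin and shape checks can be exercised on their own.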

The strange thing about this is it carries over to other pages I visit in the same tab (on Chrome.) If I have newsblur open and use a bookmark to jump to a site with https, the mixed security warning shows on the destination page (until I reload it.)

I’m also greeted with the same situation whenever I use any of the integrated sharing features. These pages show the mixed content warning even though they’re opening in a new tab. I have to refresh the page to get a green padlock. If I turn off https in newsblur, the sharing features don’t exhibit the mixed security warning.

I don’t get why it would carry over to a completely different page. Not a big deal. I’ve gotten used to refreshing. But if that part is easily remedied, it would remove a minor hassle.

Icons are still being loaded from http://icons.newsblur.com/ rather than a TLS-secured server. Is there a fix planned?

They’re actually available over HTTPS already, from https://s3.amazonaws.com/icons.newsbl… - perhaps it would be possible to use that URL when HTTPS is enabled?

They’re available, yes, but the NewsBlur source contains references to HTTP URIs instead, which is triggering Firefox’s mixed content protection. HTTPS-Everywhere doesn’t trigger early enough to be a fix, either.

Until the URIs are HTTPS instead, it’s not fixed.

I know :slight_smile: That comment was directed at Samuel, sorry for not making that clear.

Right. Thanks.

I would also like to request icons.newsblur.com to be served over HTTPS. With the use of requestpolicy and noscript, this should get rid of the mixed content warning.

Good news, I went through all user profiles and scrubbed out the non-https. So now everything should load with https with no mixed content warnings. However, the second you load a site and it pulls from http, all bets are off.

The real answer is to rewrite feeds to move images behind a https proxy server. I hear that’s not terribly expensive, but it’s a whole kettle of work to do.

I am seeing non-HTTPS requests to http://newsblur.com/media/img/icons/c…

It seems the request for an icon where a feed has no favicon redirects to a non-HTTPS icon.

eg.

https://newsblur.com/rss_feeds/icon/9…

GET /rss_feeds/icon/99177 HTTP/1.1
Host: newsblur.com
[…]

Returns:

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.1
Date: Sun, 10 Aug 2014 19:43:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: Express
Location: http://newsblur.com/media/img/icons/c…
[…]
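A check for the failure mode captured above, as an added example that is not NewsBlur’s code: given the request URL and the raw response head, it parses the status line and the `Location` header, resolves a relative `Location` against the request URL the way a browser would, and reports whether following the redirect leaves https. The sample request and response are constructed stand-ins for the capture above (hostname and paths are placeholders, not the real ones).

```javascript
// Added example, not NewsBlur's code: flag a redirect that downgrades an
// https request to http, which is exactly what reintroduces mixed content.
function checkRedirectDowngrade(requestUrl, rawResponse) {
  const lines = rawResponse.split(/\r?\n/);
  const status = lines[0].match(/^HTTP\/\d(?:\.\d)?\s+(\d{3})/);
  if (!status) return { redirect: false, downgrade: false, reason: "not an HTTP response" };
  const code = Number(status[1]);

  // Headers end at the first empty line; take the first Location seen.
  let location = null;
  for (const line of lines.slice(1)) {
    if (line === "") break;
    const m = line.match(/^location:\s*(.+?)\s*$/i);
    if (m) { location = m[1]; break; }
  }
  if (code < 300 || code > 399 || location === null) {
    return { redirect: false, downgrade: false, reason: "no redirect" };
  }

  const from = new URL(requestUrl);
  const to = new URL(location, from); // relative Location resolves against the request
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  return {
    redirect: true,
    status: code,
    target: to.href,
    downgrade,
    reason: downgrade ? "redirect leaves https" : "scheme preserved",
  };
}

// Constructed sample modelled on the capture above; hostname and paths are placeholders.
const SAMPLE_REQUEST = "https://example.com/rss_feeds/icon/12345";
const SAMPLE_RESPONSE = [
  "HTTP/1.1 302 Moved Temporarily",
  "Server: nginx",
  "Content-Type: text/html",
  "Location: http://example.com/media/img/icons/default.png",
  "",
].join("\r\n");
```

A redirect to a scheme-relative or path-only `Location` (e.g. `/media/img/icons/default.png`) inherits https from the request and is reported as safe; only an absolute `http://` target is a downgrade.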

Yeah, I noticed this too. I’m working on a fix. Turns out this didn’t happen on my staging server so I shipped it. I gotta figure out why the icon proxy is switching to http.

Fixed.

Samuel, thanks for taking care of this.

Do you mean that we should do it, or that you’re considering your own implementation?

Great, thanks! :slight_smile:

I’m already a paying user, but proxying feeds and images so that I don’t get tracked by the original websites is definitely something I would pay for.