What Is Involved with an HTTPS Migration?
There are 2 steps to migrating our web platforms to HTTPS.
- All our web platforms must have a secure SSL certificate. This will allow all the webpages to load over HTTPS
- We have to identify and update all the mixed content on our webpages.
What is Mixed Content?
Mixed content occurs when a webpage is loaded over HTTPS, but the page contains some content that is loaded over HTTP. Most webpages, except for the most basic ones, contain resources that aren't actually part of the HTML file. Examples of external webpage resources are images, scripts, or iframes. Because webpages that are loaded over HTTPS are considered to be more secure than pages loaded over HTTP, most browsers will actually block the loading of HTTP resources into a page that was loaded over HTTPS. In other words, the browsers will not display certain types of mixed content that are considered to be the most potentially risky.
Note that images referenced via an HTTP URL, like <img src="http://library.somewhere.edu/images/logo.jpg" alt="Library Logo">
are a useful example of mixed content, because it's easy to understand that they are separate files from the basic HTML of a webpage, but most browsers will not block the loading of HTTP images on HTTPS pages at this time.
Which Types of Mixed Content are Blocked?
Here are the types of webpage resources that we think you are most likely to use in your guides, and which will be blocked by most browsers, if you try to load them as HTTP resources.
- external scripts
- external stylesheets
- iframes
- Flash objects
- embedded content (such as widgets, videos, etc.)
Mozilla has detailed information about mixed content
This overview was adapted from Google's What is Mixed Content page.