Mixed content no more

Written on 2015-08-07

TBRSS is SSL-only, but many feeds are HTTP-only, and many of those feeds have images. In modern browsers, insecure assets – including images – generate mixed-content warnings, at varying levels of severity.

In the context of a feed reader, such warnings are useless. But as browsers move towards more secure defaults, it seems wise to fix the mixed content before it becomes a problem.

The basic technique is nothing new. You can read about the details in a GitHub blog post from 2010 – in short, insecure URLs are fetched through a secure proxy.

This is what TBRSS does, with one bandwidth-saving complication: we parse the rules from the HTTPS Everywhere extension and, when possible, directly rewrite insecure URLs to their secure equivalents – in which case no proxy is needed.
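The rewrite-or-proxy decision described above, sketched as an added example (not TBRSS's own code). The ruleset is a constructed sample in the HTTPS Everywhere XML format; `PROXY_BASE`, `PROXY_KEY`, the HMAC-signed proxy URL layout and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the HTTPS Everywhere ruleset format (not a real ruleset).
RULESET_XML = r"""
<ruleset name="Example (constructed)">
  <target host="example.com" />
  <target host="*.example.com" />
  <exclusion pattern="^http://legacy\.example\.com/" />
  <rule from="^http://(www\.|img\.)?example\.com/" to="https://$1example.com/" />
</ruleset>
"""
PROXY_BASE = "https://proxy.reader.example/"  # hypothetical proxy endpoint
PROXY_KEY = b"constructed-demo-key"           # hypothetical signing secret

def load_ruleset(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "targets": [t.get("host") for t in root.iter("target")],
        "exclusions": [re.compile(e.get("pattern")) for e in root.iter("exclusion")],
        # JavaScript-style $1 backreferences become Python's \g<1>.
        "rules": [(re.compile(r.get("from")), re.sub(r"\$(\d)", r"\\g<\1>", r.get("to")))
                  for r in root.iter("rule")],
    }

def host_matches(host, target):
    # Only the left-hand wildcard form ("*.example.com") is handled here.
    if target.startswith("*."):
        return host.endswith(target[1:])
    return host == target

def secure_url(url, ruleset):
    """Return (url, how): how is 'unchanged', 'rewritten' or 'proxied'."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url, "unchanged"
    host = parts.hostname or ""
    if (any(host_matches(host, t) for t in ruleset["targets"])
            and not any(x.search(url) for x in ruleset["exclusions"])):
        for pattern, repl in ruleset["rules"]:   # first matching rule wins
            new, n = pattern.subn(repl, url, count=1)
            if n and new.startswith("https://"):
                return new, "rewritten"
    # No usable rule: proxy it. The HMAC lets the proxy refuse unsigned URLs.
    tag = hmac.new(PROXY_KEY, url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}{tag}/{url.encode().hex()}", "proxied"
```

Signing the proxied URL keeps the proxy from acting as an open relay for arbitrary fetches, and an exclusion match falls through to the proxy rather than leaving the image on plain HTTP.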

Unless otherwise credited all material copyright by Paul M. Rodriguez