debian-mirror-gitlab/doc/user/application_security/dast/checks/319.1.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

38 lines
1.5 KiB
Markdown
Raw Normal View History

2022-07-23 23:45:48 +05:30
---
stage: Secure
group: Dynamic Analysis
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Mixed Content
## Description
The target application was found to request resources over insecure transport protocols (HTTP). This is usually due to HTML
elements which load resources using the `http://` scheme instead of `https://`. It should be noted that most modern browsers
block these requests automatically so there is limited risk.
Some parts of the application may not behave correctly since these files are not being properly loaded.
## Remediation
Ensure all HTML elements which load resources from a URL (JavaScript, stylesheets, images, video and other media) are set to
use the `https://` scheme instead of `http://`. Alternatively, developers may use the `//` scheme, which will only load resources
over the same protocol that the originating page was loaded.
A browser visiting the website `https://example.com` with the HTML loading a file using
`<script src="//example.com/cdn/bundle.js"></script>`, would ensure the `example.com/cdn/bundle.js` file was loaded over
HTTPS.
## Details
| ID | Aggregated | CWE | Type | Risk |
|:---|:--------|:--------|:--------|:--------|
| 319.1 | true | 319 | Passive | Info |
## Links
- [OWASP](https://owasp.org/www-community/vulnerabilities/Insecure_Transport)
- [CWE](https://cwe.mitre.org/data/definitions/319.html)
- [MDN](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content)