Jared Kipe

Q: Safari Blocks Insecure Content in Safari9

The new default, and possibly mandatory, behavior is to block insecure content loaded on an encrypted site.

Is there a way to allow this, preferably on a site-by-site basis?

For the curious, it is a common practice to proxy 'hardware' over http running on localhost, or some other local IP address, to allow things like receipt printers, or scales to work.

Posted on Oct 8, 2015 12:07 PM


  • by Jared Kipe,

    Oct 9, 2015 1:13 PM in response to Jared Kipe

    I should point out that unprivileged users are allowed to install this without a password through the App Store.

    This means that a computer that is working one day, can 'magically' develop this issue even when nobody using the computer has access to an administrator account.  Bad move Apple.

  • by Jared Kipe,

    Oct 13, 2015 3:08 PM in response to Eric Root

    None of that applies.  Nobody seems to understand why this is so bad from an IT perspective.

    Imagine having 100 computers with 100 users all having only standard accounts, all working with custom local services and Safari extensions.  Then Apple comes along and basically lets those 100 standard users 'upgrade' to a new version of Safari.

    Sounds great!?

    Wrong.  Because there is now a security feature that nobody can turn off, and it ruins all of your 'local' services.  Now you have to spend valuable time installing Firefox and teaching users how to 'disable' that feature in Firefox (at least you can!).  And now your Safari extensions are useless.  Now imagine that they are remote and you have to do all of this through VNC...

    I'm not opposed to this 'security' feature, assuming I got to deploy it myself and not have unprivileged users doing it for themselves. (especially if you could disable it per site or IP address, then it would be ideal)

    I'm also not the only person to run into this. https://stackoverflow.com/questions/32883306/safari-9-disallowed-running-of-insecure-content

    I raised a concern on radar, Apple doesn't care.  (or at least won't admit it)

  • by Eric Root,

    Oct 14, 2015 7:22 AM in response to Jared Kipe

    Apple doesn’t routinely monitor the discussions. These are mostly user to user discussions.

    Send Apple feedback. They won't answer, but at least will know there is a problem. If enough people send feedback, it may get the problem solved sooner.

    Feedback

    Or you can use your Apple ID to register with this site and go to the Apple BugReporter. Supposedly you will get an answer if you submit feedback.

    Feedback via Apple Developer

  • by Jared Kipe,

    Oct 14, 2015 10:21 AM in response to Eric Root

    I have sent feedback.  Initially I was hoping someone had an arcane workaround.

  • by S. Kirby,

    Nov 3, 2015 1:50 PM in response to Jared Kipe

    I've been searching for an arcane workaround for four weeks, ever since we first realized what Safari 9 was doing.

    I represent tech support for an online school. The website our students log into is secure, but some curricular material is served in a frame from a content vendor, over http. We have no control over the way the vendor serves their content. This mixture of secure and insecure content has been a problem for several years, ever since browsers started blocking mixed content automatically and quietly, without a pop-up prompt. Fortunately, we are able to instruct students on exactly what to click on in their browsers to allow the insecure content to load.

    Prior to version 9, Safari didn't block mixed content at all.

    Now, suddenly it mercilessly blocks mixed content, and there seems to be no way to modify that behavior. This initially resulted in a lot of confusion, and then frustration and anger, as we now have to instruct our users that they simply can't use Safari anymore.

    Tell an average Mac user that they can't use Safari and their head explodes.

    I've been desperately searching for any solution for modifying this behavior in Safari 9, and I'm frankly dismayed that Apple has not even mentioned the change in behavior, much less publicly addressed any of the concerns with it.

    Before anyone suggests the self-righteous but unhelpful platitude "well you should just make sure you're serving all content over https", I'll reiterate that - like Jared - some of us do not have complete control over what's being served and from where.
    Yes, the Internet would be better if everything was secure; duh. As long as it isn't, then our tools need to be adaptable.

    I'm also surprised that there hasn't been more discussion about this issue in general.

    I found the threads on Stack Overflow too; but beyond that, and a couple threads here, the Internet-at-large is surprisingly quiet about this.

  • by Walter Hartwell White,

    Nov 4, 2015 3:12 PM in response to S. Kirby

    We've just discovered this problem as well.  Our catalog system displays a mixture of secure and insecure content such as reviews, author notes, book profiles, etc.  I can't find a workaround (on the client side) that will allow these types of pages to load.

  • by S. Kirby,

    Nov 5, 2015 10:52 AM in response to Walter Hartwell White

    Every user who finds this thread should go submit feedback to Apple regarding this issue.

    Use this link: http://www.apple.com/feedback/safari.html

    Unfortunately, the feedback box seems to limit you to 800 characters, which is insufficient to present a reasoned and supported argument, but is enough to at least make a basic complaint.

    Once they receive enough complaints, hopefully they'll re-evaluate the matter and do something about it.

  • by Jared Kipe,

    Nov 5, 2015 11:00 AM in response to S. Kirby

    Yes, thank you.  Also https://bugreport.apple.com/

    Also, a little more frustration.  If the 'insecure content' you try to access is through an XMLHttpRequest (AJAX), Safari blocks the request itself, which means that both the success and error callbacks don't fire.  Now sure, you could set a timeout yourself and check from some kind of response object or success/error condition, but by default the 'normal' way to check for these sorts of things is silently discarded by the browser.
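
The timeout approach mentioned in the post above, sketched as an added JavaScript example that is not part of the original thread: a watchdog that settles a request exactly once as success, error, or "no-callback" when neither handler ever fires. The names `watchRequest` and `xhrSender`, and the localhost URL in the comment, are assumptions made for illustration.

```javascript
// Added example (not from the thread). Reports "no-callback" when a request
// was dropped without either the success or the error handler being invoked.
function watchRequest(send, timeoutMs, onSettled, timers) {
  // timers is injectable so the logic can be exercised without real delays.
  // Wrapped in arrows: browsers reject setTimeout called as a method of another object.
  const t = timers || {
    set: (fn, ms) => setTimeout(fn, ms),
    clear: (h) => clearTimeout(h),
  };
  let settled = false;
  let handle = null;

  function settle(outcome, detail) {
    if (settled) return;            // ignore late or duplicate callbacks
    settled = true;
    if (handle !== null) t.clear(handle);
    onSettled(outcome, detail);
  }

  // Arm the watchdog before sending, so a sender that throws or calls back
  // synchronously is still handled correctly.
  handle = t.set(() => settle("no-callback", null), timeoutMs);
  try {
    send((body) => settle("success", body), (err) => settle("error", err));
  } catch (err) {
    settle("error", err);
  }
}

// Browser-side sender for a local hardware proxy (hypothetical helper).
function xhrSender(url) {
  return function (onSuccess, onError) {
    const xhr = new XMLHttpRequest();
    xhr.open("GET", url);
    xhr.onload = () => (xhr.status >= 200 && xhr.status < 300
      ? onSuccess(xhr.responseText)
      : onError(new Error("HTTP " + xhr.status)));
    xhr.onerror = () => onError(new Error("network error"));
    xhr.send();
  };
}

// Constructed usage (URL is a placeholder):
// watchRequest(xhrSender("http://localhost:8080/scale"), 3000,
//   (outcome, detail) => console.log(outcome, detail));
```

A "no-callback" outcome on an https page talking to an http endpoint is the signal to show the user an explicit message rather than leaving the page waiting.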

  • by Jared Kipe,

    Apr 6, 2016 10:35 AM in response to S. Kirby

    My ticket at bugreport.apple.com was OFFICIALLY closed today, 5 months after opening, with the reply of "Software updates can be applied without a password. This is per design."

    Thanks for nothing Apple.