I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings:
I'd had a number of people report this and indeed I'd seen it myself, albeit transiently. Diving into the console, I found the source of the problem:
Who the hell is Circulate?! And what are they doing in my blog? Let's find out:
Right... I don't have any ads on my blog these days (just sponsor messages) so there shouldn't be any third-party monetisation going on. However, what I'd noticed about this issue is that it always seemed to occur when loading Disqus comments and certainly they do some ad things, albeit ad things that I'd explicitly disabled on my blog.
I decided to capture the entire page load in Fiddler so I could track down the source of the issue. A quick search in the results for lore.circulate.com located the offending request:
But of course, this is the parent request, that is, the resource which is attempting to load the Circulate data. The request you're looking at here, though, is from pippio.com and when you look at what they do, you're redirected:
Alrighty, sounds very marketing-like again. But per the earlier image in Fiddler and as explained by the referrer header, this resource was loaded by Disqus, ergo they're to blame. But there's an easy fix for this:
@troyhunt if you can't inject headers you can CSP via meta: <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
— Scott Helme (@Scott_Helme) November 14, 2016
The upgrade-insecure-requests CSP directive here does just what it sounds like it does - upgrades the request to be secure and forces it over the HTTPS scheme. However, here's what happens when you make a secure request to lore.circulate.com:
But I don't really care because the content wasn't loading anyway due to the browser protecting users from loading insecure things. All that's happening now as a result of this is that the content still isn't loading but there's no visible browser warning, just some console output:
The lesson here is, firstly, that you get a lot of stuff loaded from other resources every time you embed external services like Disqus. I had no idea about Pippio or Arbor or Circulate, I just knew I was using Disqus. Secondly, you can use a CSP to fix your things even when the service provider has screwed up.
And that's the final lesson, this time for Disqus: fix your broken implementation!
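The Fiddler step above, searching the capture for the insecure request and following it back to the embed that caused it, can be scripted. This is an added example, not code from the original post: the capture is constructed, `blog.example`, the paths and the redirect hop are assumptions, and only the third-party hostnames come from the post.

```python
from urllib.parse import urlsplit

# Constructed capture, not real traffic: one dict per request, in the shape of a
# Fiddler/HAR export. Hostnames other than blog.example come from the post;
# the paths and the redirect hop are assumptions for illustration.
CAPTURE = [
    {"url": "https://blog.example/post/", "referer": None, "location": None},
    {"url": "https://disqus.com/embed/comments/",
     "referer": "https://blog.example/post/", "location": None},
    {"url": "https://pippio.com/sync",
     "referer": "https://disqus.com/embed/comments/",
     "location": "http://lore.circulate.com/pixel"},
    # Browsers drop Referer on an HTTPS -> HTTP downgrade, so this one has none.
    {"url": "http://lore.circulate.com/pixel", "referer": None, "location": None},
]

def host(url):
    return urlsplit(url).hostname

def parent_of(entry, capture):
    """Return the request that caused `entry`: a redirect source first, else the Referer."""
    for other in capture:
        if other["location"] == entry["url"]:
            return other
    for other in capture:
        if entry["referer"] and other["url"] == entry["referer"]:
            return other
    return None

def blame_chain(entry, capture):
    """Hosts from the insecure request back up to the page, nearest cause first."""
    chain, seen = [], set()
    while entry is not None and entry["url"] not in seen:
        seen.add(entry["url"])  # guard against redirect loops in the capture
        chain.append(host(entry["url"]))
        entry = parent_of(entry, capture)
    return chain

def mixed_content(capture):
    """Map each plain-HTTP request made under an HTTPS page to its blame chain."""
    page = capture[0]  # first entry is the top-level document
    if urlsplit(page["url"]).scheme != "https":
        return {}
    return {e["url"]: blame_chain(e, capture)
            for e in capture[1:] if urlsplit(e["url"]).scheme == "http"}

if __name__ == "__main__":
    for url, chain in mixed_content(CAPTURE).items():
        print(url, "<-", " <- ".join(chain[1:]))
```

Matching on the redirect target before the Referer matters because the insecure request itself usually arrives with no Referer at all, so a Referer-only search stops one hop short of the embed.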