Skip to main content

This is a new website theme. Help me improve it and give your feedback (opens in a new tab).

Netlify Mixed Content Warnings

Published:

Tags:

Netlify Web Onion-Services
This blog post is more than two years old. It is preserved here in the hope that it is useful to someone, but please be aware that links may be broken and that opinions expressed here may not reflect my current views. If this is a technical article, it may no longer reflect current best practice.

Looking at my blog today, I noticed that Netlify now warns you if you link to non-HTTPS URLs in your site:

2:37:56 PM: Starting post processing
2:37:56 PM: Mixed content detected in: /blog/index.html
2:37:56 PM: --> insecure link urls:
2:37:56 PM:   - http://w6d6vblb6vhuqxt6.onion/blog/
2:37:56 PM:   - http://tvin5bvfwew3ldttg5t6ynlif4t53y3mbmb7sgbyud7h5q6gblrpsnyd.onion/blog/
2:37:56 PM:   - http://creativecommons.org/licenses/by-nd/4.0/

This is really handy in catching those URLs you’ve forgotten to make into HTTPS URLs, but Tor Project exempts .onion hostnames from mixed content warnings (see Tor ticket #23439) and this is even applied upstream by Mozilla in Firefox (see Mozilla ticket #1382359).

I’ve fixed the link for the Creative Commons license in my template, but those .onion links are correct and I generate them for every page in my website. I hope Netlify will update this new feature to treat .onion hostnames as secure regardless of the use of HTTPS as Tor Project and Mozilla do. There’s just too much output for me to go through and ignore for this to reach it’s full potential for me.