Today the MediaVine Ad Network suggests changing the upgrade-insecure-requests Content Security Policy directive to the block-all-mixed-content directive.
Discover the issues you’ll run into with this if you used a free way to convert your site to HTTPS.
UPDATE: MediaVine removed the original page with the new CSP suggestion and replaced it with an update. The link above was also updated.
2 video recaps below for the original announcement and the update
Why is MediaVine Suggesting I Do This?
First, let me say that I have no disrespect for MediaVine whatsoever. In fact, I think they are doing a bangup job to help more folks earn money from running their ads. And, I think they have been WAY ahead of this HTTPS stuff compared to other ad networks.
They’ve been making easy ways for site owners to ensure they don’t get mixed content warnings on their HTTPS sites when a random HTTP ad comes through, like developing their own plugin or giving meta tag code that can be added to the header of a site.
But, with the latest Chrome penalty looming on the horizon, a NON SECURE warning displayed on non-HTTPS sites that collect data, the stakes have been raised significantly and extra measures have to be taken.
MediaVine has recently posted help files for adding a Content Security Policy to avoid the unsecured warning when a random HTTP ad gets delivered.
The first policy was mostly okay.
The new one they suggest you change to in their post today is not okay and will cause issues for some site owners, especially those that got a free HTTPS conversion from their host or are using a plugin.
What’s a Content Security Policy (CSP)?
It is a policy made up of directives that tells browsers how to treat different types of elements found on sites.
Policies can be written to match elements by characteristics such as the file type (for example .jpg) or the scheme the resource is delivered over (for example HTTP).
The First CSP Suggestion
The first CSP suggestion from MediaVine was to have the browser upgrade all insecure requests to secure.
Basically, if a request for an HTTP resource came through, the browser would automatically rewrite it to HTTPS before fetching it.
This is the same type of duct tape / chicken wire shortcut that many host providers and plugins use to trick browsers into thinking all links are actually HTTPS, even if they aren’t really being delivered from an encrypted source.
The first problem with that CSP is that, like all CSPs, it is not evenly supported across all browsers, including Chrome.
So, you could still get a NON SECURE warning when an HTTP ad slips through.
The second problem with that CSP is that it could force a link to be HTTPS that could break some element on the site. It’s not all that common, but it happens.
The Update CSP Suggestion
Because tests revealed that the first CSP suggestion was not evenly supported, and sites may randomly get a NON SECURE warning in Chrome, MediaVine issued a suggested change of policy.
The new CSP they suggest is to simply block all mixed content.
The first problem with this new CSP is that it will block ALL mixed content, not just from ads.
In a real, full HTTPS conversion we actually fix those things, permanently, not cover them up!!!!
Those site elements can include:
- Your logo
- Google fonts
- any link from the outside world, such as social media and badges
The second problem with this new CSP is that it could conflict with the duct tape / chicken wire way site owners converted for free.
Bad Test, Bad Data
In their help article, MediaVine gives you links to test your site for other security issues prior to installing this new CSP to block every non-HTTPS request.
That tester is WhyNoPadlock, which is notoriously inaccurate.
If it’s so bad, why in the world would MediaVine send you to it?
It’s one of the few testers made for non geeks.
Accurate testers, like Chrome Dev Tools and Screaming Frog, are usually too complex for most site owners to use easily, or even understand the info being delivered (and there is a TON of info).
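To make the difference between the two directives concrete, and to show the kind of check the testers above perform, here is a small added example. It is not code from MediaVine or from this post; the HTML page in it is constructed, the site is assumed to be served over https://, and browser behaviour is modelled from how the two directives are specified rather than measured in a real browser. The script lists every subresource on a page that is loaded over http:// (the mixed content the post is talking about) and then shows what happens to each one with no policy, with upgrade-insecure-requests, and with block-all-mixed-content.

```python
"""Added example: find mixed-content subresources in an HTML page and model
what each Content Security Policy directive does with them.

Assumptions (not from the post): the page itself is served over https://, the
sample HTML below is constructed, and browser behaviour is modelled after the
directive definitions, not measured in a browser.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that fetch a subresource and can therefore be mixed content.
# Plain <a href> links are navigation, not subresources, so they are not listed.
SUBRESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "source": ("src",),
}

# "Active" mixed content (scripts, frames, stylesheets) is blocked by browsers
# even without a policy; "passive" content (images, media) loads but costs the padlock.
ACTIVE_TAGS = {"script", "iframe", "link"}


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every subresource requested over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for wanted in SUBRESOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == wanted and value and urlsplit(value).scheme == "http":
                    self.findings.append((tag, name, value))


def find_mixed_content(html):
    """Return the list of mixed-content subresources found in the HTML."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


def apply_policy(tag, url, policy=None):
    """Model the browser's handling of one subresource under a CSP directive.

    Returns (outcome, url_fetched); url_fetched is None when nothing is loaded.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        # https:// or relative URL: never mixed content, loaded as-is.
        return ("loaded", url)
    if policy == "upgrade-insecure-requests":
        # Rewritten to https:// before the request is made; the fetch still
        # fails later if the origin does not actually serve HTTPS.
        return ("upgraded", parts._replace(scheme="https").geturl())
    if policy == "block-all-mixed-content":
        # Blocked outright, no matter what kind of element it is.
        return ("blocked", None)
    # No directive: default browser rules. Active content is blocked, passive
    # content loads but the page shows a NOT/NON SECURE style warning.
    if tag in ACTIVE_TAGS:
        return ("blocked", None)
    return ("loaded-insecure", url)


def report(html, policy=None):
    """One row per mixed-content subresource: (tag, url, outcome, url_fetched)."""
    return [(tag, url) + apply_policy(tag, url, policy)
            for tag, _, url in find_mixed_content(html)]


# Constructed sample page: one secure font stylesheet, one insecure one, a logo
# served over http://, a local image, an ad script over http://, and a plain link.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto">
</head><body>
<img src="http://example.com/logo.png" alt="logo">
<img src="/images/local.png" alt="local">
<script src="http://ads.example.net/ad.js"></script>
<a href="http://example.com/social">social</a>
</body></html>
"""

if __name__ == "__main__":
    for policy in (None, "upgrade-insecure-requests", "block-all-mixed-content"):
        print(f"--- policy: {policy or '(none)'}")
        for tag, url, outcome, fetched in report(SAMPLE_HTML, policy):
            print(f"{tag:7s} {outcome:16s} {url} -> {fetched}")
```

Running it on the sample shows the three problems the post describes in one place: with no policy the http:// ad script is already blocked and the http:// logo loads but costs the padlock; with upgrade-insecure-requests every http:// URL is rewritten to https:// (which only works if that origin really serves HTTPS); with block-all-mixed-content the logo, the Google font stylesheet and the ad script are all blocked, not just the ad. The directive itself is a single line, either as a Content-Security-Policy response header or as a meta tag of the form <meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">.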
Free Has a Price
Like I said, I’m not trying to disrespect MediaVine in any way.
They are taking the only steps they can to help millions of site owners, who have elected not to pay for qualified help to get their sites converted to HTTPS, to not get popped with the new Chrome warning.
I’m positive they are diligently working to ensure that all ads are HTTPS. But until they are, measures have to be taken to avoid the warnings. It’s just that this particular new CSP step has serious caveats and can cause conflicts.
So, What Do I Do Now?
If you are one of my HTTPS conversion clients, this CSP is okay.
It is safe to install this new CSP, just don’t do it the way they suggest. Let’s put it in with the other 5 security headers you have so that it works faster and better. I’ll send you a link to a video tutorial so you can do it yourself. I’ll also be happy to do it for you.
If you used a free HTTPS conversion method, you have two choices.
- Get a real, full HTTPS conversion and get rid of the problems, and get with someone who keeps you on top of all this stuff as it continues to change. (Just like SEO, nothing about HTTPS is set and forget.)
- Do what MediaVine suggests and take your chances. Just don’t expect your host to help you with it. They will support what they did, but not conflicts with 3rd party vendor plugins or suggestions outside their wheelhouse.
- READ: The Top 10 Reasons NOT to Use Free HTTPS Conversion for more details on what else you’re missing.
See what my HTTPS conversion clients have to say about the process.