Security Warning for Publishers using Google Adsense

This time it is the CNN website. I saw an exclamation mark on the secure sign in my Chrome browser. I could not reproduce the issue while surfing the website, so I needed to investigate how it happened. The answer is Google Adsense. Content publishers use third-party ad services, and if those services load an image or any static file over an HTTP connection, your site’s secure connection is broken. This is called the mixed content issue.

Same Issue on Eksi Sozluk

I saw a similar issue on the Eksi Sozluk website, one of Turkey’s top content sites. I figured out the cause of the issue is Google Adsense by examining Eksi Sozluk’s website.

Same Issue on Mynet

Mynet is also one of the oldest online publishers in Turkey, and they have the same problem because of Google Adsense.

Same Issue on Hurriyet Daily News

How to Fix?

If you are a publisher showing ads or content from third parties, you can restrict HTTP connections for those third parties so that your secure connection is not broken.

Add the following code to the general header section of your website template, between the <head> … </head> tags.

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

This tells the browser to replace each HTTP connection with an HTTPS connection where possible; HTTP content that cannot be loaded over HTTPS fails to load.

Alternatively, you can send a special header with your web pages:

Content-Security-Policy: upgrade-insecure-requests

You can read more about it here.
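To check a page before and after applying the fix, here is an added example (not code from the original post): a small Python audit that lists the subresources a page references over plain HTTP and reports whether upgrade-insecure-requests is set through the meta tag or the response header. The hostnames and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attribute that triggers a subresource fetch, per tag (<a href> is navigation, not mixed content).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "link": "href"}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []     # (tag, url) pairs referenced over plain HTTP
        self.upgrades = False  # True once a meta CSP carries upgrade-insecure-requests

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            directives = [d.strip().lower() for d in a.get("content", "").split(";")]
            if "upgrade-insecure-requests" in directives:
                self.upgrades = True
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return  # only stylesheet links are counted as fetched subresources here
        url = a.get(FETCH_ATTRS.get(tag, ""), "").strip()
        if url.lower().startswith("http://"):
            self.insecure.append((tag, url))

def audit(html, csp_header=""):
    """Return (insecure_subresources, upgrade_enabled) for one HTTPS page."""
    parser = MixedContentAudit()
    parser.feed(html)
    header_directives = [d.strip().lower() for d in csp_header.split(";")]
    return parser.insecure, parser.upgrades or "upgrade-insecure-requests" in header_directives

# Constructed sample page: an ad image and an ad script referenced over HTTP.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://publisher.example/site.css">
</head><body>
<a href="http://partner.example/">partner</a>
<img src="http://ads.example/banner.png">
<script src="http://ads.example/show.js"></script>
</body></html>"""

META = '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />'

if __name__ == "__main__":
    found, upgraded = audit(SAMPLE)
    for tag, url in found:
        print(f"insecure <{tag}>: {url}")
    print("upgrade-insecure-requests:", upgraded)
```

Static parsing does not see URLs that ad scripts inject at runtime, so an empty list here does not prove the rendered page is free of mixed content; the policy covers those requests as well.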

Bonus: Content Management Bug on Eksi Sozluk

While I was surfing the Eksi Sozluk website, I saw a bug, not a technical one but one somewhat related to content management. Eksi Sozluk has a blog site called Eksi Seyler, and if they don’t show you Google Adsense ads, they offer posts from Eksi Seyler, so they promote Eksi Seyler on their main media. The bug is that they are still showing posts related to guessing for the last election. The presidential election already happened months ago, so promoting election guess-related info after the election has no meaning to the users.

