
Disqus' mixed content problem and fixing it with a CSP

I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings:

Mixed content warning in Chrome

I'd had a number of people report this and indeed I'd seen it myself, albeit transiently. Diving into the console, I found the source of the problem:

Insecure request to lore.circulate.com

Who the hell is Circulate?! And what are they doing in my blog? Let's find out:

Circulate "Monetizes First-Party Data"

Right... I don't have any ads on my blog these days (just sponsor messages) so there shouldn't be any third-party monetisation going on. However, what I'd noticed about this issue is that it always seemed to occur when loading Disqus comments and certainly they do some ad things, albeit ad things that I'd explicitly disabled on my blog.

I decided to capture the entire page load in Fiddler so I could track down the source of the issue. A quick search in the results for lore.circulate.com located the offending request:

Disqus requesting Pippio requesting Circulate

Of course, what you're looking at here is the parent request, that is, the resource which is attempting to load the Circulate data. That request comes from pippio.com, and when you go and look at what they do, you're redirected:

Pippio

Alrighty, that sounds very marketing-like again. But per the earlier Fiddler capture, and as the Referer header shows, this resource was loaded by Disqus, ergo they're to blame. There's an easy fix for this though:
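The fix is the upgrade-insecure-requests directive in the Content-Security-Policy response header. The JavaScript below is an added example, not the post's own code: it models what that directive makes the browser do with each subresource request, run over a constructed capture in the shape of the Fiddler trace above. The page URL, the request paths and the set of hosts that answer over HTTPS are all constructed for the example; only the pippio.com and lore.circulate.com hostnames come from the post.

```javascript
// Added example (not from the original post): a model of what the
// upgrade-insecure-requests CSP directive does to a page's subresource
// requests, applied to a constructed Fiddler-style capture.

// The directive as it appears in the Content-Security-Policy header value.
const CSP_HEADER_VALUE = "upgrade-insecure-requests";

// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions (empty for flag directives
// such as upgrade-insecure-requests).
function parseCsp(headerValue) {
  const policy = new Map();
  for (const raw of headerValue.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// True when the policy tells the browser to rewrite http:// (and ws://)
// subresource requests to https:// (wss://) before sending them.
function upgradesInsecureRequests(policy) {
  return policy.has("upgrade-insecure-requests");
}

// The upgrade rule from the W3C "Upgrade Insecure Requests" spec for one URL:
// http -> https, ws -> wss. An explicit :80 is already dropped as the default
// port by the URL parser, so it becomes 443; any other port is left alone.
function upgradeRequestUrl(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "http:") url.protocol = "https:";
  else if (url.protocol === "ws:") url.protocol = "wss:";
  return url.toString();
}

// A request from an https:// page is mixed content when it goes out over
// plain http:// or ws://.
function isMixedContent(pageUrl, requestUrl) {
  const pageSecure = new URL(pageUrl).protocol === "https:";
  const proto = new URL(requestUrl).protocol;
  return pageSecure && (proto === "http:" || proto === "ws:");
}

// What the browser ends up doing with one subresource request:
//   "loaded"           - not mixed content, request goes out as-is
//   "blocked"          - mixed content and no upgrade policy: the browser
//                        blocks it or flags it, and the content never loads
//   "upgraded"         - rewritten to https:// and the host answers
//   "upgraded-refused" - rewritten to https:// but the host serves no TLS,
//                        so the request fails with only a console error
// httpsHosts is the constructed set of hosts that answer on 443 in this model.
function requestOutcome(pageUrl, requestUrl, policy, httpsHosts) {
  if (!isMixedContent(pageUrl, requestUrl)) {
    return { url: requestUrl, outcome: "loaded" };
  }
  if (!upgradesInsecureRequests(policy)) {
    return { url: requestUrl, outcome: "blocked" };
  }
  const upgraded = upgradeRequestUrl(requestUrl);
  const host = new URL(upgraded).hostname;
  return {
    url: upgraded,
    outcome: httpsHosts.has(host) ? "upgraded" : "upgraded-refused",
  };
}

// Constructed capture: the blog page over HTTPS, the Disqus embed, then the
// Pippio and Circulate requests it triggers. Page URL and paths are made up.
const PAGE_URL = "https://blog.example/post/";
const CAPTURE = [
  "https://disqus.com/embed/comments/",
  "http://pippio.com/api/sync",
  "http://lore.circulate.com/sync",
];
// Constructed: hosts that answer over HTTPS in this model. The post shows
// that lore.circulate.com did not, so it is deliberately left out.
const HTTPS_HOSTS = new Set(["disqus.com", "pippio.com"]);

// Run the whole capture under a given Content-Security-Policy header value.
function runCapture(policyHeaderValue) {
  const policy = parseCsp(policyHeaderValue);
  return CAPTURE.map((u) => requestOutcome(PAGE_URL, u, policy, HTTPS_HOSTS));
}

// Without the directive the two http:// requests are mixed content; with it
// they are rewritten, and the host with no TLS endpoint fails quietly.
console.log(runCapture(""));
console.log(runCapture(CSP_HEADER_VALUE));
```

Run it with Node. The first call, with no policy, reports both http:// requests as mixed content; the second, with the directive, rewrites them to https:// and shows the Circulate request failing because nothing answers on 443. That quiet failure is the console error rather than the padlock warning, which is the trade-off the rest of this post describes.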

The upgrade-insecure-requests CSP directive (sent in the Content-Security-Policy response header) does just what it sounds like it does: the browser rewrites the insecure request to the HTTPS scheme before sending it. However, here's what happens when you make a secure request to lore.circulate.com:

Circulate can't serve HTTPS content

But I don't really care, because the content wasn't loading anyway due to the browser protecting users from loading insecure things. All that's changed is that the content still isn't loading, but now there's no visible browser warning, just some console output:

Circulate connection refused

There are a couple of lessons here. Firstly, you get a lot of stuff loaded from other parties every time you embed an external service like Disqus; I had no idea about Pippio or Arbor or Circulate, I just knew I was using Disqus. Secondly, you can use a CSP to fix your own site even when the service provider has screwed up.

And that's the final lesson, this time for Disqus: fix your broken implementation!

Security Disqus CSP

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals