Mixed content issue of chrome facing on WebSphere portal content


We are working with WebSphere Portal and are currently dealing with the Chrome mixed content issue:

Mixed Content: The site at 'https://tgcs551.commerce.toshiba.com/' was loaded over a secure connection, but the file at 'http://tgcs04.toshibacommerce.com/cs/groups/internet/documents/document/bl82/mtqw/~edisp/tcxtu_win_614014x.zip?_ga=2.95374741.800005762.1609132621-1301842396.1608820702' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

We also tried the meta data below in our static theme,

but we did not have any success.

Then we tried to write a Content-Security-Policy in the httpd.conf file of the HTTP server of our WebSphere Portal:

  1. Header always set Content-Security-Policy "upgrade-insecure-requests;"

  2. Header set Content-Security-Policy "default-src https://tgcs04.toshibacommerce.com; child-src 'none'; object-src 'none'"

  3. Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' http://tgcs04.toshibacommerce.com; style-src 'self'"

But we did not get any success, and finally we realised by checking the logs that the request to http://tgcs04.toshibacommerce.com is not going to the HTTP server.

We already have an SSL-certified website as well. We can't move to https.

So can anyone help us with a solution?

Answer by granty:

Mixed Content: The site at 'https://tgcs551.commerce.toshiba.com/' was loaded over a secure connection, but...

Just curious, how do you load https://tgcs551.commerce.toshiba.com via https: with an invalid cert?

If you are unable to change http://tgcs04.toshibacommerce.com/cs/... to https: in the HTML code, the Header always set Content-Security-Policy "upgrade-insecure-requests;" should help. But I do not see any Content-Security-Policy in the response headers.

Of course, the CSP header should be published on the download page (I do not know its URL), but none of https://tgcs04.toshibacommerce.com/cs/, http://tgcs04.toshibacommerce.com/cs/groups/internet/, etc. have a CSP header.

Also a weird thing: http://tgcs04.toshibacommerce.com/ redirects to httpS://tgcs04.toshibacommerce.com/, and http://tgcs04.toshibacommerce.com/cs/groups/ redirects to https: too. But http://tgcs04.toshibacommerce.com/cs/groups/internet/... does not have a redirect.
Also, all the URLs above redirect to a login page, but the direct download http://tgcs04.toshibacommerce.com/cs/groups/internet/documents/document/bl82/mtqw/~edisp/tcxtu_win_614014x.zip is possible without auth. Was that intended?

Fix the SSL certs (maybe it's better to generate a wildcard cert for *.toshibacommerce.com) and make sure the CSP header is published.
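As an added illustration (not part of the question or of granty's answer), the following Python audit takes the response headers and HTML of an HTTPS page and reports which http:// references are mixed content and whether a Content-Security-Policy upgrade-insecure-requests directive on that page would cover them. The hostnames are taken from the question; the headers, HTML and paths are constructed sample data. One caveat it encodes: upgrade-insecure-requests upgrades sub-resources and same-host navigations, but not navigations (such as a download link) to a different host.

```python
"""Mixed-content audit for one HTTPS page, run offline on constructed data."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sub-resource loads are upgraded by upgrade-insecure-requests; a/href navigations
# are only upgraded when they point at the page's own host.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href",
                     "iframe": "src", "source": "src"}


class _RefCollector(HTMLParser):
    """Collects (kind, url) pairs for navigations and sub-resources."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.found.append(("navigation", a["href"]))
        elif tag in SUBRESOURCE_ATTRS and a.get(SUBRESOURCE_ATTRS[tag]):
            self.found.append(("subresource", a[SUBRESOURCE_ATTRS[tag]]))


def csp_upgrades(headers):
    """True if any Content-Security-Policy header (there may be several, e.g. from
    both 'Header always set' and 'Header set') carries upgrade-insecure-requests."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        if any(d.strip().lower() == "upgrade-insecure-requests"
               for d in value.split(";")):
            return True
    return False


def audit(page_url, headers, html):
    """Return one dict per http:// reference on an https page with a verdict on
    whether the page's CSP would make the browser fetch it over https instead."""
    page_host = urlparse(page_url).hostname
    upgrades = csp_upgrades(headers)
    collector = _RefCollector()
    collector.feed(html)
    report = []
    for kind, url in collector.found:
        parsed = urlparse(url)
        if parsed.scheme != "http":       # https:, relative and other schemes are fine
            continue
        covered = upgrades and (kind == "subresource" or parsed.hostname == page_host)
        report.append({"url": url, "kind": kind, "covered_by_csp": covered})
    return report
```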