I have a secure form (attribute action=”https://…”) in an unsecured (http) page. The purpose is to transmit data securely while avoiding mixed content warnings (“some items are unsecured”) due to unsecured Google Maps element on my page.
When the form posts and succeeds, everything is fine. However, if the form fails, my user ends up on the same page but now the whole thing is secured (and generates mixed content warnings).
How can I accept secure input from a form, and still send back the same unsecured page if the form submission fails?
Having a form rendered in an HTTP page, even if the form is pointing to an HTTPS URL, defeats the purpose of SSL. If your form points to HTTPS, it should only be served via HTTPS. Similarly, if it is served via HTTP, it should only point to HTTP. See this blog for more information.
Additionally, these “mixed content warning” errors are trying to prevent an additional misuse of SSL in that you are accessing resources not under your control and via an unencrypted channel. Once the SSL is broken out of in this manner, it’s possible for an attacker to inject his own Javascript into the response, then the fact that your page was SSL-encrypted is useless.
In short, verify that using SSL is a firm requirement for your application, and remove it if it’s not. Your application configuration today is the security equivalent of serving everything via HTTP. If this is unacceptable, divide your site such that the portion of your site which references Google Maps isn’t the same portion of your site which handles secured transactions.