A non-secure Fetch might be allowed by Mixed Content


A non-secure (HTTP) fetch might be allowed on a secure (HTTPS) page if the fetch origin is localhost or

Note that a regular script, style, image, or video resource would still be blocked.

I always believed that HTTP requests would be blocked on an HTTPS page, but the algorithm is much more complex.

I stumbled upon this on the Apollo GraphQL setup page, which connects with the local GraphQL server over HTTP.
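A sketch of the check behind this behaviour, as an added example that is not from the original post or from Apollo: it models the W3C Secure Contexts notion of a "potentially trustworthy" URL, which the Mixed Content spec uses to decide whether a fetch is blocked. The function names and sample URLs are constructed, the loopback rules (127.0.0.0/8, ::1, localhost and *.localhost) are taken from that spec rather than from this page, and the sketch assumes a browser that follows the spec.

```javascript
// Added example: simplified model of the "potentially trustworthy URL" check
// (W3C Secure Contexts) applied to fetch() targets on an HTTPS page.
// Function names and sample URLs are constructed for illustration.

function classifyFetchTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return 'invalid';
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:') return 'secure';
  if (url.protocol !== 'http:' && url.protocol !== 'ws:') return 'other-scheme';

  // The URL parser lowercases the host and normalizes IP literals, so
  // "http://2130706433/" and "http://127.1/" both become 127.0.0.1.
  const host = url.hostname.replace(/\.$/, ''); // ignore a trailing root dot
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return 'loopback';
  if (host === '[::1]') return 'loopback';
  // Suffix match on ".localhost" only: "localhost.example.com" must not pass.
  if (host === 'localhost' || host.endsWith('.localhost')) return 'loopback';
  return 'mixed-content';
}

// True when a spec-following browser would block the fetch as mixed content.
function isMixedContentFetch(rawUrl) {
  return classifyFetchTarget(rawUrl) === 'mixed-content';
}

// Constructed sample endpoints, e.g. taken from a front-end config under review.
const samples = [
  'http://localhost:4000/graphql',
  'http://127.0.0.1:4000/graphql',
  'http://[::1]:4000/graphql',
  'http://api.localhost/graphql',
  'http://localhost.example.com/graphql',
  'http://192.168.1.10:4000/graphql',
  'https://api.example.com/graphql',
];

for (const u of samples) {
  console.log(classifyFetchTarget(u).padEnd(14), u);
}
```

Look-alike hosts such as `localhost.example.com` and private-network addresses such as `192.168.1.10` fall outside the exemption and are classified as mixed content.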
