🏠 back to Observable

were calls to http pages recently enabled? and will this continue?

Some time ago, I opened a question to the forum about icons not loading, and the reason for this had to do with the content being called through HTTP as opposed to HTTPS.

Today I was mucking around learning about tachyon hovers , which uses this example:

<a href="#" class="link black dim db mw5 pa2 br2 ba b--black-10 shadow-1">
  <img src="http://mrmrs.github.io/photos/037.jpg" alt="SF at night" class="db mb2 mw-100" />
  <span class="db f6 pv2">Card title</span>
</a>

Much to my surprise, the image loaded immediately via HTTP!

Is this a recent change? And will HTTP images continue to be supported?

Nothing has changed here. I suggest you refer to the Mixed Content specification on how browsers handle HTTP requests from HTTPS origins:

https://w3c.github.io/webappsec-mixed-content/#categories

If you want to show an image that’s hosted on an HTTP-only website and avoid mixed content, you could download and attach that image to your notebook as a file.

1 Like

Thanks for the reference! Lots in there to get my head around.

I was surprised to see the image loading at all, as I was under the impression that anything with an HTTP prefix would be blocked. I had no idea the browser specifications were so nuanced.