Disqus’ mixed content problem and fixing it with a CSP

Sponsored by: Sucuri: Incident Response, Monitoring, DDoS mitigation and WAF for websites

I write a blog with a lot of security things on it so understandably, it upsets me somewhat when my site throws security warnings:

Disqus' mixed content problem and fixing it with a CSP

I’d had a number of people report this and indeed I’d seen it myself, albeit transiently. Diving into the console, I found the source of the problem:

Disqus' mixed content problem and fixing it with a CSP

Who the hell is Circulate?! And what are they doing in my blog? Let’s find out:

Disqus' mixed content problem and fixing it with a CSP

Right… I don’t have any ads on my blog these days (just sponsor messages) so there shouldn’t be any third-party monetisation going on. However, what I’d noticed about this issue is that it always seemed to occur when loading Disqus comments and certainly they do some ad things, albeit ad things that I’d explicitly disabled on my blog.

I decided to capture the entire page load in Fiddler so I could track down the source of the issue. A quick search in the results for lore.circulate.com located the offending request:

Disqus' mixed content problem and fixing it with a CSP

But of course, this is the parent request, that is the resource which is attempting to load the Circulate data. The request you’re looking at here though is from pippio.com and when you look at what they do, you’re redirected:

Disqus' mixed content problem and fixing it with a CSP

Alrighty, sounds very marketing like again. But per the earlier image in Fiddler and as explained by the referrer header, this resource was loaded by Disqus ergo they’re to blame. But there’s an easy fix for this:

The upgrade-insecure-requests CSP directive here does just what it sounds like it does – upgrades the request to be secure and forces it over the HTTPS scheme. However, here’s what happens when you make a secure request to lore.circulate.com:

Disqus' mixed content problem and fixing it with a CSP

But I don’t really care because the content wasn’t loading anyway due to the browser protecting users from loading insecure things. All that’s happening now as a result of this is that the content still isn’t loading but there’s no visible browser warning, just some console output:

Disqus' mixed content problem and fixing it with a CSP

The lesson here is that firstly, you get a lot of stuff loaded from other resources every time you embed external services like Disqus. I had no idea about Pippio or Arbor or Circulate, I just knew I was using Disqus. But secondly, the other lesson is that you can use a CSP to fix your things even when the service provider has screwed up.

And that’s the final lesson, this time for Disqus: fix your broken implementation!

Leave a Reply