java php security https mixed-content

Mixed Content Warning for Forum Design


I'm currently designing a social network on my local host that also has a forum aspect involved. There are three things that a user can do on the site that are causing me some concern.

  1. Log in to their profile via the header from any page on the site.
  2. Post things on their wall that include links to external sites.
  3. Post in the forum a variety of different things including links to external sites, and images on external sites.

Because of #1 I made the entire site https. So no matter where a user was on the site, they could log in and their entire session would be encrypted. This functionality is working great but I am afraid of Mixed Content Warnings.

Right now I'm thinking twice about making the full site secure b/c if I keep it this way will mixed content warnings appear for every page that has a link to an external site, or an image from an external site? Unfortunately I have never seen this warning b/c none of the browsers I use seem to show it to me. And I searched for some kind of list of browsers that show this warning but there is no finite list that I can find. So this is awkward b/c I'm worrying and trying to avoid a thing that I've never seen. But I have thought of one solution.

My current idea on how to fix the image problem is to take images from users when they post a forum and write them to my disk, and provide the new image link. I am pretty sure this is exactly how Google Images stays https while showing millions of images from http sites. I think they write them all to their own server. Example:

https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcTj_52I-TSX79mQFJRLTDNGahtGbsh_BpYDp0H3hbzJDWK2qxPZ

So I think I have found a solution to the image problem, but what about external links? Because when a user posts a link on their wall to https://stackoverflow.com/, for example, I read the post and surround it with an anchor tag, so technically, to a browser, wouldn't that be non-secure content? Wouldn't that throw a warning?

How could I fix this and not annoy my users? And do you have a better solution to my image problem? Thank you all for reading through my confusion.


Solution

  • Links are generally OK. They don't generate any warning just by including them in the page. They can do when clicked: some browsers show a warning when a page navigates from HTTPS to HTTP. But in that case the default is "never show this warning again", so almost everyone will have clicked through it on the first day of browsing and will never see it again.

    Detecting user-supplied image links, fetching them at post-time and then re-serving them will work, but it's quite a lot of work to go to (I don't think I've seen other forums doing it) and has some security caveats - for example you'd want to serve the images from a separate domain to avoid XSS content-sniffing problems (like Google do with gstatic.com), and set limits to avoid humungous images causing denial of service.

    The remaining case would be iframe embeds, which some users may want to post for, e.g., YouTube videos. Here you could restrict the iframe source to known-good services that support HTTPS.
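The checks the answer mentions for re-hosted images (content sniffing and size limits), as an added example that is not part of the original answer. The limits, the names `vet_image` and `RejectedImage`, and the restriction to PNG and GIF are assumptions made for this sketch; it runs on the bytes after they have been fetched.

```python
import hashlib
import struct

# Assumed limits; tune them for your forum.
MAX_BYTES = 2 * 1024 * 1024      # cap on the downloaded file size
MAX_PIXELS = 4096 * 4096         # cap on decoded size (width * height)

class RejectedImage(ValueError):
    """Raised when fetched bytes must not be stored or re-served."""

def _png_size(data):
    # PNG layout: 8-byte signature, 4-byte chunk length, "IHDR", width, height.
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise RejectedImage("truncated PNG header")
    return struct.unpack(">II", data[16:24])

def _gif_size(data):
    # GIF layout: 6-byte signature, then little-endian width and height.
    if len(data) < 10:
        raise RejectedImage("truncated GIF header")
    return struct.unpack("<HH", data[6:10])

# The type is decided from magic bytes, never from the remote server's
# Content-Type header or the extension in the URL the user posted.
SNIFFERS = (
    (b"\x89PNG\r\n\x1a\n", "png", "image/png", _png_size),
    (b"GIF87a", "gif", "image/gif", _gif_size),
    (b"GIF89a", "gif", "image/gif", _gif_size),
)

def vet_image(data):
    """Return (stored_name, content_type) for fetched bytes, or raise."""
    if len(data) > MAX_BYTES:
        raise RejectedImage("file too large")
    for magic, ext, ctype, size_of in SNIFFERS:
        if data.startswith(magic):
            width, height = size_of(data)
            # A small file can declare huge dimensions; reject before decoding.
            if width == 0 or height == 0 or width * height > MAX_PIXELS:
                raise RejectedImage("bad dimensions")
            # Name by content hash so the poster controls neither the
            # file name nor the extension.
            return hashlib.sha256(data).hexdigest() + "." + ext, ctype
    raise RejectedImage("not an allowed image type")

# Constructed sample: PNG signature plus an IHDR declaring 100x50 pixels.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + struct.pack(">I4sII", 13, b"IHDR", 100, 50)
```

Serve the stored file from the separate image domain with the returned content type and an `X-Content-Type-Options: nosniff` response header, so the browser does not reinterpret it as HTML.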