Summary

Acunetix 360 detected that a Content Security Policy (CSP) declaration on an HTTPS page whitelists a URL that is loaded over cleartext HTTP.

Impact

If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted. The unencrypted content can be read by anyone able to sniff traffic on the network path.

A man-in-the-middle attacker can intercept the request for the HTTP content and rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example), so the HTTPS connection no longer safeguards the user.

Remediation

Do not whitelist a domain that is loaded over cleartext HTTP in the CSP of an HTTPS page.
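As an added illustration (not part of the Acunetix 360 page), a small Python check that parses a Content-Security-Policy header and reports every source expression that whitelists cleartext HTTP, run over a constructed weak header and its corrected HTTPS-only form. The sample headers and host names are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample headers (not taken from the original page).
WEAK_CSP = "default-src 'self'; script-src 'self' http://cdn.example.com; img-src http:"
FIXED_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src https:"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def insecure_sources(header: str) -> List[Tuple[str, str]]:
    """Return (directive, source) pairs that whitelist cleartext HTTP.

    On an HTTPS page a scheme-less host-source such as cdn.example.com matches
    only https, so only an explicit 'http:' scheme-source or an 'http://...'
    host-source lets cleartext content in. A policy that also carries
    'upgrade-insecure-requests' makes the browser rewrite those fetches to
    https before they are sent, so it is treated as mitigated here.
    """
    policy = parse_csp(header)
    if "upgrade-insecure-requests" in policy:
        return []
    findings: List[Tuple[str, str]] = []
    for directive, sources in policy.items():
        for src in sources:
            lowered = src.lower()
            if lowered == "http:" or lowered.startswith("http://"):
                findings.append((directive, src))
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(label, insecure_sources(header))
```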

Severity

Information

Classification

CWE-319 ISO27001-A.14.2.5