Profile widget (even when loaded via https) causes mixed content vulnerability


#1

Hi there,

We love the profile widget (“Profile widget for My Website”) and use it within our application (https://unifyo.com) to show recent tweets of a contact inside Unifyo. However, it’s causing a mixed content vulnerability even though it’s loaded via https (https://widgets.twimg.com/j/2/widget.js).

Specifically, the CSS (http://widgets.twimg.com/j/2/widget.css), profile picture (in my case http://a0.twimg.com/profile_images/1644417223/BenFWirtz-handyelephant_normal.jpg) and Twitter icon (http://widgets.twimg.com/i/widget-bird.png) are loaded via http, which causes our application to fail some security reviews (e.g. for the Salesforce AppExchange).

How can we fix this?

Here is the full implementation:

<div class="twitter-stream-container">
<script charset="utf-8" src="https://widgets.twimg.com/j/2/widget.js"></script>
<script>
new TWTR.Widget({
  version: 2,
  type: 'profile',
  rpp: 4,
  interval: 30000,
  width: 175,
  height: 300,
  theme: {
    shell: {
      background: '#F6F6F6',
      color: '#6F6F6F'
    },
    tweets: {
      background: '#F6F6F6',
      color: '#6F6F6F',
      links: '#242424'
    }
  },
  features: {
    scrollbar: false,
    loop: false,
    live: false,
    behavior: 'all'
  }
}).render().setUser(window.location.search.substring(2)).start();
</script>
</div>
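The finding the reviewers flag is a generic one: any sub-resource (stylesheet, image, script) that an https page fetches over plain http is "mixed content", and a network attacker can tamper with it even though the page itself is protected. The following script is an added example, not code from the post above or from Twitter's widget; it scans markup and CSS for http:// references of the kind the post lists and proposes the https equivalent. The sample markup and CSS are constructed for the example from the URLs named in the post, and the rewrite assumes that the hosts involved (widgets.twimg.com, a0.twimg.com) actually serve the same files over https; the post only shows that for widget.js.

```javascript
// Added example (not part of the original post): a small mixed-content audit.
// Given markup and CSS, list every sub-resource fetched over plain http and
// the https URL it should be replaced with.

// Constructed sample input modelled on what the profile widget injects,
// using the URLs reported in the post.
const SAMPLE_MARKUP = `
<link rel="stylesheet" href="http://widgets.twimg.com/j/2/widget.css">
<img src="http://a0.twimg.com/profile_images/1644417223/BenFWirtz-handyelephant_normal.jpg">
<img src="http://widgets.twimg.com/i/widget-bird.png">
<script src="https://widgets.twimg.com/j/2/widget.js"></script>
`;

// Constructed sample: the bird icon is also referenced from the widget's CSS.
const SAMPLE_CSS = `
.twtr-widget .twtr-bird { background: url(http://widgets.twimg.com/i/widget-bird.png) }
`;

// src/href attribute values and CSS url() references.
const ATTR_RE = /\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
const CSS_URL_RE = /url\(\s*["']?([^"')]+)["']?\s*\)/gi;

// Returns the de-duplicated list of http:// URLs referenced in `text`.
// Only insecure-scheme references count; https and scheme-relative ones are fine.
function findMixedContent(text) {
  const found = [];
  for (const re of [ATTR_RE, CSS_URL_RE]) {
    re.lastIndex = 0; // reset state of the global regex between calls
    let m;
    while ((m = re.exec(text)) !== null) {
      const url = m[1].trim();
      if (/^http:\/\//i.test(url)) found.push(url);
    }
  }
  return [...new Set(found)];
}

// Suggested fix for a single URL: same path, https scheme.
// Assumes the origin serves the resource over https (an assumption here).
function upgradeToHttps(url) {
  return url.replace(/^http:\/\//i, 'https://');
}

// Audit report for the constructed sample: one entry per insecure resource.
function auditWidget() {
  return findMixedContent(SAMPLE_MARKUP + SAMPLE_CSS).map((u) => ({
    insecure: u,
    suggested: upgradeToHttps(u),
  }));
}

console.log(JSON.stringify(auditWidget(), null, 2));
```

On the page side, a modern browser can be told to rewrite such fetches itself with the `Content-Security-Policy: upgrade-insecure-requests` directive, or to refuse them outright with `block-all-mixed-content`; neither changes what the widget script emits, so the audit above is still the way to see what a review will report.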
