Profile widget (even when loaded via https) causes mixed content vulnerability


Hi there,

we love the profile widget (“Profile widget for My Website”) and use it within our application ( to show recent tweets of a contact inside Unifyo. However, it’s causing a mixed content vulnerability even though it’s loaded via https (

Specifically, the CSS (, profile picture (in my case ) and Twitter icon ( are loaded via http, which causes our application to fail some security reviews (e.g. for the Salesforce AppExchange).

How can we fix this?

Here is the full implementation:

<div class="twitter-stream-container">
<script charset="utf-8" src=""></script>
<script>
// Profile widget configuration
new TWTR.Widget({
  version: 2,
  type: 'profile',
  rpp: 4,
  interval: 30000,
  width: 175,
  height: 300,
  theme: {
    shell: {
      background: '#F6F6F6',
      color: '#6F6F6F'
    },
    tweets: {
      background: '#F6F6F6',
      color: '#6F6F6F',
      links: '#242424'
    }
  },
  features: {
    scrollbar: false,
    loop: false,
    live: false,
    behavior: 'all'
  }
});
</script>
</div>
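
An added example, not part of the original post: a static check that lists the subresources in a page's markup that resolve to http:// when the page itself is served over https, which is the condition the security review flags. The function name `findMixedContent`, the sample markup and the `example.invalid` hosts are constructed for illustration.

```javascript
// Added example (not from the original post): list http:// subresources in markup
// served on an https page. Hosts under example.invalid are constructed placeholders.
const UPGRADEABLE = new Set(['img', 'video', 'audio', 'source']); // "passive" mixed content

function findMixedContent(html, pageUrl) {
  if (new URL(pageUrl).protocol !== 'https:') return []; // only https pages qualify
  const findings = [];
  // Tags that fetch a subresource; <a href> only navigates, so it is not listed.
  const tagRe = /<(script|img|iframe|link|embed|object|video|audio|source)\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)(src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const [, rawName, attrs] of html.matchAll(tagRe)) {
    const tag = rawName.toLowerCase();
    // <link> fetches only for certain rel values; stylesheet and icon matter here.
    const rel = (/(?:^|\s)rel\s*=\s*["']?([^"'>]*)/i.exec(attrs) || [])[1] || '';
    if (tag === 'link' && !/\b(stylesheet|icon)\b/i.test(rel)) continue;
    for (const m of attrs.matchAll(attrRe)) {
      const raw = m[2] ?? m[3] ?? m[4];
      let resolved;
      try { resolved = new URL(raw, pageUrl); } catch { continue; } // skip unparsable values
      if (resolved.protocol !== 'http:') continue; // relative and //host URLs inherit https
      const passive = UPGRADEABLE.has(tag) || (tag === 'link' && /\bicon\b/i.test(rel));
      findings.push({ tag, url: resolved.href, kind: passive ? 'passive' : 'active' });
    }
  }
  return findings;
}

// Constructed sample resembling what an embedded widget might inject.
const sample = `
<link rel="stylesheet" href="http://widgets.example.invalid/widget.css">
<img src="http://img.example.invalid/profile.png" alt="avatar">
<img src='//img.example.invalid/icon.png'>
<script src="https://widgets.example.invalid/widget.js"></script>
<a href="http://example.invalid/user">profile</a>
`;

for (const f of findMixedContent(sample, 'https://app.example.invalid/contact/1')) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

Run against the rendered DOM's outerHTML rather than the page source, since a widget script adds its stylesheet and images after load.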