Overview
This custom tag searches all images, scripts, and links throughout the webpage to locate non-https requests. Some secure pages may have mixed content i.e. images, video, or other content that is not secure. This tag also checks for unsecured downloads by looking for the URL format: http://...anything/...filename.pdf
. The existing script below looks for the following file types: PDF, CVS, PPT, DOC, DOCX, XLSX, XLS, TXT. Alter this section in the code below to include different extensions.
Under Variable Summary in the ObservePoint Data, select the Unsecured Content account to see the relevant variables.
page: Shows all the page URLs.
totalImages: Shows the total number of images on each URL.
totalLinks: Shows the total number of URLs
unsecureFiles: Shows the pages with unsecured files.
unsecureImages: Shows the pages with unsecured images.
unsecureLinks: Shows the pages with unsecured links.
unsecureScripts: Shows the pages with unsecured scripts.
unsecureImages.0-xx: Shows the pages where unsecured images are found and the name of the image files.
unsecureImages.Length: Shows the number of images found by page.
unsecureLinks.0-xx: Shows the page where the unsecured link is found and the name of the link.
unsecureLinks.length: Shows the number of links found by page.
unsecureScripts.0-xx: Shows the pages where unsecured scripts are found and the names of the script files.
unsecureScripts.length: Shows the number of scripts found by page.
To capture these details in an Audit or Journey, paste the snippet below into an Execute Action:
function opReqGetAsync(paramObject, acct, callback) {
var baseURL = "https://opreq.observepoint.com/?acct=" + acct;
var opReq = new XMLHttpRequest();
opReq.onreadystatechange = function() {
if (opReq.readyState == 4 && opReq.status == 200) {
callback(opReq.responseText);
}
}
opReq.open("POST", baseURL, true);
opReq.send(JSON.stringify(paramObject));
}
function unsecureContentCheck() {
var object = new Object(),
page = location.href,
allImgs = Object.keys(document.querySelectorAll('img[src]')).map(function(key) {
return document.querySelectorAll('img[src]')[key]
}),
allLinks = Object.keys(document.querySelectorAll('a[href]')).map(function(key) {
return document.querySelectorAll('a[href]')[key]
}),
allScripts = Object.keys(document.querySelectorAll('script[src]')).map(function(key) {
return document.querySelectorAll('script[src]')[key]
}),
regEx = /^https/,
regEx2 = /^(http:)+.+\.+(txt|cvs|ppt|pdf|doc|docx|xls|xlsx)$/,
unsecureFiles = [],
unsecureImgs = [],
unsecureLinks = [],
unsecureScripts = [];
for (var i = allImgs.length - 1; i >= 0; i--) {
if (allImgs[i].src.search(regEx) == -1) {
unsecureImgs.push(allImgs[i].src)
}
};
for (var i = allScripts.length - 1; i >= 0; i--) {
if (allScripts[i].src.search(regEx) == -1) {
unsecureScripts.push(allScripts[i].src)
}
};
if (location.href.search("https://") == -1) {
for (var i = allLinks.length - 1; i >= 0; i--) {
if (allLinks[i].href.search(regEx) == -1) {
unsecureLinks.push(allLinks[i].href)
}
};
for (var i = allLinks.length - 1; i >= 0; i--) {
if (allLinks[i].href.search(regEx2) == 0) {
unsecureFiles.push(allLinks[i].href)
}
};
}
object.page = location.href;
object.totalLinks = allLinks.length;
object.totalImages = allImgs.length;
unsecureLinks.length == 0 ? object.unsecureLinks = 'no unsecure links found' : object.unsecureLinks = unsecureLinks;
unsecureImgs.length == 0 ? object.unsecureImages = 'no unsecure images found' : object.unsecureImages = unsecureImgs;
unsecureFiles.length > 0 ? object.unsecureFiles = unsecureFiles : object.unsecureFiles = 'no unsecure files found';
unsecureScripts.length > 0 ? object.unsecureScripts = unsecureScripts : object.unsecureScripts = 'no unsecure scripts found';
opReqGetAsync(object, " Unsecured Content");
};
unsecureContentCheck();