I’m working on a project using a headless browser (Playwright) to test my website. The issue I’m facing is that I need all requests to be HTTP instead of HTTPS. This is because I’m using a reverse proxy in my development environment that points the hostname to localhost.
When I try to fetch data from my API in the headless browser, I get this error:
Error: Insecure content blocked - HTTPS page requested HTTP resource
Details: Page loaded securely, but tried to access 'http://myapi.test/v1/users?query=example'
Does anyone know how to make the headless browser allow HTTP requests, even when the page is loaded over HTTPS? I can’t switch to HTTPS for these requests due to my current setup.
Any help or workarounds would be greatly appreciated! Thanks in advance.
I’ve encountered a similar issue in my own development environment. One workaround I found effective is to configure the headless browser to ignore certificate errors and security warnings. In Playwright, you can achieve this by setting the ‘ignoreHTTPSErrors’ option to true when launching the browser context.
This approach allows mixed content (HTTP and HTTPS) to load without blocking. However, keep in mind that this should only be used in your development environment and never in production, as it can pose security risks. Another potential solution is to use a self-signed SSL certificate for your local development, allowing you to use HTTPS throughout your setup and avoid mixed content issues altogether.
I’ve dealt with this exact headache before. What worked for me was tweaking the Content Security Policy (CSP) headers in my development environment. You can set up your server to send a CSP header that allows mixed content, like this:
This tells the browser to treat all HTTP requests as if they were HTTPS. It’s a bit of a hack, but it gets the job done without messing with your browser settings or code. Just remember to remove this header before pushing to production, or you might open up some security vulnerabilities. And yeah, it’s not ideal, but sometimes you gotta do what you gotta do when you’re deep in development mode. Hope this helps!
have u tried using a self-signed certificate? it might solve ur problem without compromising security. you can generate one using openssl and add it to ur browser’s trusted certificates. this way, u can use https locally and avoid mixed content issues. just remember to remove it before going live!