Catch mixed content issues in the wild

mcdetect - catch mixed content issues in the wild

mcdetect is a tool that detects mixed content issues with certainty.

Motivation

Tools used to catch mixed content issues often rely on parsing the DOM to determine whether insecure content will be loaded on a specific page. Consequently, they may report false negatives, since not all such issues can be detected statically.

mcdetect can determine with absolute certainty whether any mixed content errors or warnings actually occur on a page. It does this by visiting the pages and evaluating their JavaScript as a regular browser would. In other words, it does not report false negatives.

It does this by leveraging Headless Chrome, which shipped with Chrome 59, and the DevTools Protocol.
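
The gap between static parsing and runtime observation described above, as an added example that is not mcdetect's own code. It assumes the `mixedContentType` field that the DevTools Protocol attaches to each `Network.requestWillBeSent` request; the names `staticScan` and `runtimeScan`, the sample HTML and the sample events are constructed for illustration.

```javascript
// Added example, not mcdetect's code. The HTML and events are constructed.

// Static approach: collect http:// URLs found in src/href attributes.
function staticScan(html) {
  const hits = [];
  const attr = /\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) hits.push(m[1]);
  return hits;
}

// Runtime approach: classify DevTools Protocol Network.requestWillBeSent events
// by request.mixedContentType ("blockable" | "optionally-blockable" | "none").
function runtimeScan(events) {
  const report = { errors: [], warnings: [] };
  for (const ev of events) {
    if (ev.method !== 'Network.requestWillBeSent') continue;
    const req = ev.params && ev.params.request;
    if (!req) continue;
    if (req.mixedContentType === 'blockable') report.errors.push(req.url);
    else if (req.mixedContentType === 'optionally-blockable') report.warnings.push(req.url);
  }
  return report;
}

// Constructed page: one insecure <img> in the markup and one insecure XHR whose
// URL is assembled at run time, so it never appears as an attribute value.
const SAMPLE_HTML = `<!doctype html><html><body>
<img src="http://img.example.test/logo.png">
<script>
  var x = new XMLHttpRequest();
  x.open('GET', 'http' + '://api.example.test/data.json');
  x.send();
</script></body></html>`;

// Constructed events, shaped like those a DevTools Protocol client receives
// while the page above loads over https.
const SAMPLE_EVENTS = [
  { method: 'Network.requestWillBeSent', params: { request: { url: 'https://site.example.test/', mixedContentType: 'none' } } },
  { method: 'Network.requestWillBeSent', params: { request: { url: 'http://img.example.test/logo.png', mixedContentType: 'optionally-blockable' } } },
  { method: 'Network.requestWillBeSent', params: { request: { url: 'http://api.example.test/data.json', mixedContentType: 'blockable' } } },
  { method: 'Network.loadingFailed', params: { requestId: '3', blockedReason: 'mixed-content' } },
];

console.log('static :', staticScan(SAMPLE_HTML));
console.log('runtime:', runtimeScan(SAMPLE_EVENTS));
```

The static scan reports only the image, while the runtime events also surface the XHR, which is the more serious (blockable) case.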

Requirements

  • Node 7.6.0 or later

Installation

$ npm install -g mcdetect

Usage

Checking target pages given as full URLs:

$ mcdetect https://example.com https://google.com

Checking multiple targets (if no protocol is specified, it is assumed to be "https://"):

$ mcdetect example.com google.com

Multiple targets can also be given via a config file:

$ cat my_urls.json
{
  "targets": [
    "googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/xmlhttprequest-example.html",
    "googlesamples.github.io/web-fundamentals/fundamentals/security/prevent-mixed-content/passive-mixed-content.html"
  ]
}

$ mcdetect --config my_urls.json

For more usage examples and options see mcdetect --help.

TODO

  • Add scraping mode (with max depth)
  • More output formats (e.g. JSON, CSV, PDF)
  • Error handling (modes: exit on error, ignore errors, report errors)
  • Interactive mode
  • Follow redirects
  • Read targets from stdin

License

mcdetect is licensed under MIT. See LICENSE.