Browsers try their best to protect users from the evils of the internet, but some times their eager kills good use cases all the same. The “mixed content warning” that IE and Firefox throws when you reference a non-SSL asset from an SSL page is one of those cases.

The problem is that browsers don’t like caching SSL content. So when you have an image or a style sheet on SSL, it’ll generally only be kept in memory and may even be scrubbed from there if the user is low on RAM (though you can kinda get around that).

Even when you do your best to limit the number of style sheets and javascript files and gzip them for delivery, it’s still mighty inefficient and slow to serve them over SSL every single time the user comes back to your site. Even when nothing changed. HTTP caching was supposed to help you with that, but over SSL it’s almost all for naught.

Now I understand why SSL content is not kept on a disk cache. You don’t want the financial-results-2008.png lying around on a public computer that you thought was safe to use because of SSL.

This is why it would be ever so wonderful if you could refer to a non-SSL asset from an SSL page. That way you could say “this stuff is private, don’t share it” when serving over SSL and at the same time take advantage of HTTP caching for things that pose no security risk, like drag_handle.gif.

But oh no. If you try to do that with IE, you’ll get a “mixed content warning” that’ll scare the bejesus out of your users, so that won’t go. On Firefox, you’ll often (depending on settings) get the same warning if you try to serve JavaScript or style sheets like that.

Only Safari stands out as the hero with no mention of “mixed content warning”. So please, IE and Firefox, can you learn from Safari and kill it too? Then we wouldn’t have to adjust our asset rules depending on the user agent and everyone would be able to enjoy the extra speed of properly caching assets.

Note: There’s a reasonable argument for warning on JavaScript includes as man-in-the-middle attacks can do nasty things, but that’s not true for CSS (on anything but IE) or images