Why do browsers warn about mixed content for images?

I would assume your reasoning is something like, "If the person constructing the page chose to send some of its images insecurely, then the browser should respect that this decision was made for a reason and allow it without a warning. The page is as secure as the entity providing it wanted it to be."

By contrast, the reasoning of the browser developers is something like, "We are putting a secure icon on the page as seen by the user and the user should be able to assume that means the whole page is secure. If some part of it isn't, the user deserves to know that."

Both arguments are valid; they're just different interpretations of what it means for a web page to be secure.

There are specific risks with images too. The image is requested in the clear using the HTTP protocol. This discloses any information in the URL or headers. The most serious threat is that the image could contain instructions or information that the user would assume securely originated from the site the user chose. This could be used for phishing attacks.


The browser doesn't know what type of information an image or other resource is supposed to convey: perhaps it's just a logo, or perhaps it's some piece of UI, or perhaps the image is the whole point of the page you're visiting. There's no way for the browser to know whether a resource is important or not to the user.

When the primary (page) URL is loaded with HTTPS, then the browser signals to the user that the page being viewed is secure, usually with a lock icon, or green URL bar, or something like that. It doesn't say, "this page is secure except for that one image there" -- there simply isn't a mechanism to indicate to the viewer which parts are the insecure parts. So instead the resolution is that if the browser says that the page is secure, then ALL elements on the page must be secure, or the user has to be notified of the exception.

Note that viewing an insecure URL with a few secure elements generates no notifications or warnings, but at the same time there is no signaling to the user that there is any measure of security on the page. Since there is no expectation of security, the presence of mixed content is not noteworthy.


Short answer: lack of semantic information

Long answer:

In a forum, the user naturally expects stuff to come from "unauthorised" third parties (any registered user, could be anyone really), not only from the webmaster (and authorised authors).

The user fully understands that messages do not represent the webmaster's opinion, and are not "authorised" in any way by the owner of the domain. For any reasonable user, there is no strong particular expectation regarding the content of messages appearing in the web page, or for images included in such messages (there is a weak expectation that scum is removed on a timely basis, but before it is removed it can be seen by anyone).

But a web browser does not understand what a forum is. The https://example.com/ page is expected to be trusted to come from example.com and to securely (as in transport security) represent the example.com webmaster's opinion, and any big enough insecure image (in particular an IMG without an explicit size) could be used to show a big warning that

Your account is suspended. You must go to http://fakesite-example.com/ to confirm it. If you don't, your account may be permanently deleted.

rendered as an image.

Of course, in a forum message it would be taken by the user as representing the post author's opinion, but the web browser cannot know that.
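A defender-side check of the behaviour the answers above describe, as an added example that is not part of any of the posts: a small Python scanner that lists which sub-resources of an https:// page would be fetched over plain http:// and classifies them the way the W3C Mixed Content spec does (a warning for img/audio/video, blocked for scripts and stylesheets). The sample page, the `example.test` hostnames and the `scan_mixed_content` function are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value the browser fetches as a sub-resource (a plain <a href> is navigation, not a fetch).
FETCH_ATTRS = ("src", "data", "poster")
# Elements whose insecure loads the W3C Mixed Content spec calls "optionally blockable":
# browsers load them but show a warning; any other insecure sub-resource is blocked.
OPTIONALLY_BLOCKABLE = {"img", "audio", "video"}

class MixedContentScanner(HTMLParser):
    """Collect every sub-resource an https:// page would fetch over plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, "warn" or "block")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only a stylesheet <link> is fetched as a sub-resource
            url = attrs.get("href") if "stylesheet" in (attrs.get("rel") or "").lower() else None
        else:
            url = next((attrs[a] for a in FETCH_ATTRS if attrs.get(a)), None)
        if not url:
            return
        # Resolve relative and protocol-relative ("//cdn/...") URLs against the page URL.
        resolved = urljoin(self.page_url, url)
        if urlsplit(resolved).scheme == "http":
            kind = "warn" if tag in OPTIONALLY_BLOCKABLE else "block"
            self.findings.append((tag, resolved, kind))

def scan_mixed_content(page_url, html):
    """Return insecure sub-resources of an https:// page; [] if the page itself is not https."""
    if urlsplit(page_url).scheme != "https":
        return []  # no lock icon is shown, so there is no mixed-content expectation to break
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample forum page (not a real site) for the demonstration.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/forum.css">
<script src="//cdn.example.test/app.js"></script>
</head><body><img src="https://example.test/logo.png">
<img src="http://images.example.test/avatar.png">
<a href="http://example.test/terms">Terms</a></body></html>"""

if __name__ == "__main__":
    for tag, url, kind in scan_mixed_content("https://example.test/forum", SAMPLE_HTML):
        print(f"{kind:5} <{tag}> {url}")
```

Once such references are found, serving the page with the `Content-Security-Policy: upgrade-insecure-requests` header makes the browser rewrite those http:// sub-resource URLs to https:// before fetching them, which removes the warning without leaving the user uninformed.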