Allow insecure embedded content in a SSL secured website

The question is: Can I set up some kind of SSL exception in WordPress 4.9.8 to permit the linking to an insecure resource…?

Extremely unlikely, and in the vast majority of cases, impossible. The methods used could also introduce major security issues and, in the worst-case scenario, make the domain completely unusable in a non-fixable way.

Here’s an FAQ:

Q:…. in WordPress…

No. WordPress has nothing to do with this, and has no power over this. It might be able to send security headers, and that is the only thing it can do, but if your server already does this then no, it can’t help.

Q: Can I make the browsers report everything is ok and remove the mixed content warnings?

No.

In fact, browser vendors are clamping down on this, going as far as to say “insecure” when http is used.

Q: My site was added to HSTS preload

No, it is impossible. If there was something you could do, and you did it, your site would be inaccessible to all. This is a great way to destroy your incoming traffic, and if you’re not careful you could make the entire domain inaccessible, permanently, with no way to unfix it.

Q: So You Mentioned Security Headers and WP?

If you do not have HSTS enabled, you could make this sort of work using security policy headers, however:

  • If HSTS is turned on at the moment, this will only work for new visitors, never old ones
  • If HSTS has been preloaded (great for performance and security), this will never work, and will break the site. Browsers will treat it as super suspicious
  • If any plugin or theme sends out these headers, that will need undoing
  • If Nginx/Apache send out those headers, that will need undoing
  • Be extremely wary of expiration times

Then, you would use content security policies. Keep in mind this is one of those rare situations where making a mistake may make your domain completely unusable to all people, even if you then undo the mistake. If you mess up, the only way to fix it is a rebrand or a new domain name.

Keep in mind that I would put your chances of being able to do this at 2-5%, with very poor reliability.

The only method available with any decent reliability is a proxy that rewrites the http to https and swaps the domain out on the fly, then redirects the requests. This would get you what you want, but the effort involved is very high, and it is prone to breaking if the original vendor ever changes how their embed works.

360° virtual tour to departments in sale

Or, adding TLS support to the tour vendor, or finding an alternative vendor. No doubt this is going to impact their business going forwards.
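
An added example, not part of the original answer: a small Python audit of the `Strict-Transport-Security` headers a site sends, covering the points above about plugin- or server-sent headers and expiration times. The sample header lines are constructed; parsing follows RFC 6797, under which a browser processes only the first such header in a response.

```python
import re

# Constructed sample responses: which layer sent them, then the raw header lines.
SAMPLES = {
    "nginx only": ["Strict-Transport-Security: max-age=31536000; includeSubDomains; preload"],
    "plugin header first, server header second": [
        "strict-transport-security: max-age=0",
        "Strict-Transport-Security: max-age=63072000",
    ],
    "malformed (no max-age)": ["Strict-Transport-Security: includeSubDomains"],
}

def parse_hsts(value):
    """Parse one Strict-Transport-Security value (RFC 6797, section 6.1)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        if not name:
            continue                           # tolerate empty segments (trailing ';')
        if name in directives:
            return None                        # a repeated directive invalidates the header
        directives[name] = arg.strip().strip('"')  # the value may be a quoted-string
    age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", age):
        return None                            # max-age is required
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def effective_hsts(header_lines):
    """Return the policy a browser applies: only the first STS header counts."""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            return parse_hsts(value)
    return None

def describe(policy):
    if policy is None:
        return "no valid HSTS policy in this response"
    if policy["max_age"] == 0:
        return "max-age=0: browsers that receive this over HTTPS drop their cached policy"
    note = f"HTTPS enforced for {policy['max_age'] // 86400} days after each visit"
    return note + ("; preload token present" if policy["preload"] else "")

if __name__ == "__main__":
    for label, lines in SAMPLES.items():
        print(f"{label}: {describe(effective_hsts(lines))}")
```
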