I've been having this error in Chrome Developer Tools for a while and I just can't seem to find the insecure http:// request. It points to my domain but without https://. http://www.example.com/ is not a script so I don't understand where it's coming from.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html'
was loaded over HTTPS, but requested an insecure script 'http://www.example.com/'. This request has been blocked;
the content must be served over HTTPS.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html'
was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.example.com/'.
This request has been blocked; the content must be served over HTTPS.
Thanks
I had a similar issue. Is the page you are hosting a single page application with HTML5/history/push-state routing?
This type of routing goes by many names, but what it does is replace your hash-based url https://address.com/page/#client/side/route with regular routes such as https://address.com/page/client/side/route. When the files are hosted with a static file server, the file server may not know about the client-side routing and return a 404 instead of routing everything to index.html. Apparently, this can lead to the problem you described in Chrome even though the page might appear to work.
In short, many static file hosting tools are not suitable to serve a SPA with HTML5 routing, notably http-server (https://github.com/indexzero/http-server/issues/80). Try a different tool (e.g. serve) or use nginx with try_files $uri $uri/ index.html.
This means your web page is being accessed over https, but it uses resources that are served over http. Modern browsers like Chrome consider this as a security risk. The browser does not load the http resources and shows a warning in the developers console.
The solution is to change the protocol method from http to https for all resources that are being accessed over http.
See this link: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content#alternatives_to_csp
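One way to locate the http:// references that need changing, as an added example (not code from the original answer): it resolves every `src`/`href` in a page's markup against the page URL and reports the ones that end up on plain HTTP. The function name, the regex-based attribute scan and the sample markup are assumptions made for illustration.

```javascript
// Added example. Regex scanning is an approximation of HTML parsing,
// good enough for an audit pass over server-rendered markup.
// Images, audio and video are "upgradeable" (the browser may retry over
// HTTPS); every other subresource type is "blockable".
const UPGRADEABLE = new Set(['img', 'audio', 'video', 'source']);
const TAG_RE = /<(script|iframe|link|img|audio|video|source)\b([^>]*)>/gi;
const ATTR_RE = /\b(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const STYLESHEET_RE = /\brel\s*=\s*["']?[^"'>]*stylesheet/i;

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages have mixed content
  const findings = [];
  for (const match of html.matchAll(TAG_RE)) {
    const tag = match[1].toLowerCase();
    const attrs = match[2];
    // <link> only fetches a subresource for stylesheets (canonical etc. do not)
    if (tag === 'link' && !STYLESHEET_RE.test(attrs)) continue;
    const attr = ATTR_RE.exec(attrs);
    if (!attr) continue;
    const raw = attr[2] ?? attr[3] ?? attr[4];
    let resolved;
    try {
      // Relative and protocol-relative URLs inherit the page's scheme
      resolved = new URL(raw, page);
    } catch {
      continue; // unparsable URL, nothing to report
    }
    if (resolved.protocol === 'http:') {
      const kind = UPGRADEABLE.has(tag) ? 'upgradeable' : 'blockable';
      findings.push({ tag, url: resolved.href, kind });
    }
  }
  return findings;
}

// Constructed sample markup (hosts and paths are made up)
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="http://www.example.com/legacy.js"></script>
<img src='http://cdn.example.net/avatar.png'>
<link rel="stylesheet" href="//static.example.com/site.css">
<link rel="canonical" href="http://www.example.com/a-product.html">
<iframe src=http://survey.example.org/form></iframe>`;

console.log(findMixedContent('https://www.example.com/a-product.html', SAMPLE_HTML));
```

Requests made from script (XMLHttpRequest, fetch) never appear in markup, so a clean result here does not rule them out.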
I have installed a Node.js server with a React front end on a VPS.
I bought a Comodo SSL certificate, fixed both the server and the domain, and after that, if I call http it shows a Mixed type error.
SSL checker gives an A grade to the SSL. I use https.create to create the node server. Also, Postman gives the correct result for http://example.com/5000/posts.
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://example.com:5000/posts'. This request has been blocked; the content must be served over HTTPS.
How can I fix this error? Is it an axios, node or SSL problem?
As a first step, you have to know what is meant by Mixed Content, quoted from web.dev:
Mixed content occurs when initial HTML is loaded over a secure HTTPS
connection, but other resources (such as images, videos, stylesheets,
scripts) are loaded over an insecure HTTP connection. This is called
mixed content because both HTTP and HTTPS content are being loaded to
display the same page, and the initial request was secure over HTTPS.
To solve this problem, you must serve your API under the SSL protocol.
I have this one page which has an iframe inside of which a survey page is embedded; unfortunately I'm getting a "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page I'm trying to include inside the iframe. Also, this is a PHP site, not WordPress.
Thanks
You are always going to have this problem when an HTTPS page references non-secured content. Your options are:
- move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory, an HTTP page should be able to reference HTTPS-hosted JavaScript, CSS and images without emitting warnings, this will probably vary by browser
- move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
- proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
- re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in separate vhosts.
We have put up a Varnish server in front of IIS.
We configured IIS to serve non SSL traffic to Varnish and then NGINX proxies everything for us in SSL (rewrites non SSL traffic to SSL) from Varnish local proxy.
Everything seems to work fine except for a few of those webresource scripts.
In the HTML the script tag is as follows. Using a relative path like my other scripts, ie jQuery, which load fine.
<script src="/ScriptResource.axd?d=6uPUkgsnuI6bNNqsGNPwyYxfMKrscMZRBRF2qryQunH79WGeJKinT5LSOz4dgI3pMcYvAuAL2CF8edx8jqS5kzCUSBNhkgtxn779pz4r4s4-EUnJ08DyzAMEVy9czI-nbL_zTBJ0Y-62dvqDT5tm7XxUtSCilM9esKhQq3SfIxM1&t=ca758f3" type="text/javascript">
But then all browsers are saying the content is loaded from non secure and blocked
Chrome's request headers
I used Fiddler to see what is going on. It seems like there is a 301 redirect on the script, from http to https... OK, both load.
But why on earth are browsers trying to load the scripts from http:// if the script tag is set to relative?
This only happens on these 3 webresource files; all other scripts, non-WebForm, load just fine.
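A relative `src` inherits the page's scheme, but the mixed-content check applies to every URL in the request's redirect chain, so a console message can name an http:// URL that appears nowhere in the markup. The following added example (not code from the original post) walks such a chain offline; the function name, the redirect table and all URLs in it are constructed, and the table assumes a server that answers an HTTPS request with an absolute http:// `Location`.

```javascript
// Added example. SAMPLE_REDIRECTS stands in for real server responses:
// key = requested URL, value = the Location header it answers with.
// Both entries are assumptions made for illustration.
const SAMPLE_REDIRECTS = {
  // assumed: backend behind a TLS-terminating proxy builds an http:// Location
  'https://www.example.com/ScriptResource.axd?d=SAMPLE':
    'http://www.example.com/ScriptResource.axd?d=SAMPLE&t=1',
  // assumed: a missing file is redirected to the home page over plain HTTP
  'https://www.example.com/missing.js': 'http://www.example.com/',
};

function traceRequest(pageUrl, ref, redirects, maxHops = 10) {
  const pageIsSecure = new URL(pageUrl).protocol === 'https:';
  // Relative and protocol-relative references inherit the page's scheme
  let current = new URL(ref, pageUrl);
  const hops = [];
  for (let i = 0; i <= maxHops; i++) {
    hops.push(current.href);
    // Every hop is checked, not just the URL written in the tag
    if (pageIsSecure && current.protocol === 'http:') {
      return { verdict: 'blocked', insecureHop: current.href, hops };
    }
    const location = redirects[current.href];
    if (location === undefined) {
      return { verdict: 'allowed', insecureHop: null, hops };
    }
    current = new URL(location, current); // Location may itself be relative
  }
  return { verdict: 'too-many-redirects', insecureHop: null, hops };
}

const page = 'https://www.example.com/category/a-product.html';
for (const ref of ['/ScriptResource.axd?d=SAMPLE', '/missing.js', '/js/jquery.js']) {
  console.log(ref, traceRequest(page, ref, SAMPLE_REDIRECTS));
}
```

To gather the real chain for a site, record the `Location` header of each 3xx response (for example from a Fiddler capture or the browser's Network panel) and fill the table with those values.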
I have a Joomla site and I set up SSL on it. In some pages I have a wrapper that loads a form from another server.
When I used http it worked normally, but after switching to https it loads for too long and in the end times out.
If I do not write any protocol in the URL and set
Add protocol - Yes
then the page loads normally but the form is blocked by the browser.
link to page
What do I need to do to load the wrapper normally, or how can I exclude the page from SSL?
You are calling http content inside your web. This is the console output:
Mixed Content: The page at 'https://carzilla.az/ru/voditelyu/proverka-shtrafov' was loaded over HTTPS, but requested an insecure resource 'http://85.132.44.29/nex'. This request has been blocked; the content must be served over HTTPS.
Try changing http://85.132.44.29/nex to https://85.132.44.29/nex
Maybe that is your problem? This resource is blocked.
EDIT
Anyway, when calling the https URL, there is no service, so I think you will not be able to open that URL in an HTTPS situation.
This is not a programming question, it is a site administration question.
When you make the wrapper menu link, simply go to the metadata tab and tell it to make the link "not secure."
I recently put my website under SSL. I've been able to adapt the website so that most of the content is under SSL, but some data, like Twitter avatars, are on an http website, so I'm receiving warnings, at least in Chrome.
Is there a policy in IIS to enable fetching non-ssl data from pages outside website's domain?
Is it depending on browser, on the source code, or on server settings?
If you insert direct HTTP links, the browser will complain (and this is correct). One of the options is to cache the data on your server and send it as "own" links for the server.
I believe it will, but the browser will complain about unsecured links usually.