If a web page that's only served over HTTPS tries to load data (e.g. JSON) that's only available over "insecure" HTTP, Chrome blocks the request with a message that "This page is trying to load scripts from unauthenticated sources".
Is there a meta tag that can be added to the HTML page to override this, allowing the data to be loaded?
This is up to the browser and user now. It's not something you should try to disable.
Here's what you can do:
Change your external URLs to https if the external servers support it
Copy external scripts and serve them from your local server, if possible
If the above are not possible, you will need to setup a reverse proxy and serve them from there. Ex. if external content is at http://external.com/script.js , then change the URL to https://me.com/proxy/external.com/script.js, and have your proxy grab the insecure content and return it as required.
Related
I have this one page which has an iframe inside of which a survey page is embedded, unfortunately i'm getting "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page i'm trying include inside the iframe. Also this is a php site not wordpress.
Thanks
You are always going to have this problem when an HTTPS page references non secured content. You options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory a HTTP page should be able to reference HTTPS hosted javascript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in seperate vhosts.
I have managed to configure my Nginx (on top of Nodejs) to serve static files without the html extension (e.g. going to site.com/about serves the about.html page) - with help from these past questions: how to serve html files in nginx without showing the extension in this alias setup and https://serverfault.com/questions/346994/hide-html-file-extensions-using-nginx-rewrites
But I am unable to figure out how to set up Cloudflare page rules to work with this setup (the current page rules are setup to include static html files as well as js, css, etc.).
How do I configure cloudflare to serve the about.html page when the user goes to site.com/about, and also serve the team.html page when the user goes to site.com/about/team? Do I need to do anything special, or is the Nginx setup sufficient?
If CloudFlare caching of your static pages isn't required, there's no need for you do do anything, everything should work out of the box.
If you want CloudFlare to also cache those static pages, try setting up page rules to Cache Everything on your site:
Domain > Page Rules
Pattern: *site.com/*
Custom Caching > Cache everything
Once you setup the page rules, CloudFlare should cache your static pages and site.com/page1 should work. To clarify, your server is still serving the pages, not CloudFlare. With the page rules, you are simply instructing CF to cache what your server sends for site.com/page1, as opposed to fetching the page from your server for every visitor.
You can then add other Page Rules with higher priorities should you want to exclude certain endpoints from caching (e.g. an admin section). You won't need to do this if you're just hosting static HTML.
If this doesn't work, or if you need more control over what's being cached, check this CloudFlare support doc for more options.
Good luck!
I have joomla site and i set ssl on it. In some pages i have wrapper that load some form from another server.
When i used http it worked normal but after https it load too long and at the end show times out.
If i don not write any protocol in url and set
Add protocol - Yes
that time page loading normal but form blocks by browser.
link to page
What need to do load wrapper normal or how to exclude page from ssl
You are calling http content inside your web. This is the console output:
Mixed Content: The page at 'https://carzilla.az/ru/voditelyu/proverka-shtrafov' was loaded over HTTPS, but requested an insecure resource 'http://85.132.44.29/nex'. This request has been blocked; the content must be served over HTTPS.
Try changing http://85.132.44.29/nex to https://85.132.44.29/nex
Is maybe that your problem? This resource is blocked.
EDIT
Anyway, when calling the https URL, has no service.. then I think you will not be able to open that URL in a HTTPS situation.
This is not a programming question, it is a site administration question.
WHen you make the wrapper menu link, simply go to the metadata tab and tell it to make the link "not secure."
Here is my problem:
I have set magento to run under SSL setting the frontend secure option on admin to Yes
The site run under cloudflare
I set a page rule on cloudflare (according to the support instruction) that goes:
http://fabshopper.com/*
Always uses HTTPS
I'm using ultimo theme in magento
When I open the site in the browser it shows the HTTPS connection but most of the content is not load because the links are HTTP (including CSS, Script, images).
Ultimo theme is supposed to create link either HTTP or HTTPS according to the magento settings, but the link I'm getting are HTTP
I ran out off ideas :(
Can anyone give me an hint?
Thanks
I go through link provided by you and found many URLs loaded from insecure server. check below few of them:
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/skin/frontend/ultimo/fabshopper/images/fab_shopper.png': this content should also be loaded over HTTPS.
The page at 'https://www.fabshopper.com/' was loaded over HTTPS, but displayed insecure content from 'http://www.fabshopper.com/media/wysiwyg/autumn-cardigans.png': this content should also be loaded over HTTPS.
Just change the HTTP to HTTPS of all insecure urls and it will solve your problem.
I recently put my website under SSL. I've been able to adapt the website so that most of the content is under SSL, but some data, like Twitter avatars, are on an http website, so I'm receiving warnings, at least in Chrome.
Is there a policy in IIS to enable fetching non-ssl data from pages outside website's domain?
Is it depending on browser, on the source code, or on server settings?
If you insert direct HTTP links, the browser will complain (and this is correct). One of the options is to cache the data on your server and send it as "own" links for the server.
I believe it will, but the browser will complain about unsecured links usually.