Cross-domain HTTPS resource access - web

I know that if you access an HTTP resource within an HTTPS page, most browsers will warn you. Are there any issues regarding loading a resource over HTTPS from foo.com when the page is served on bar.com?
For example, assume the following page comes from https://www.bar.com/index.html:
<html>
<script src="https://somescript.foo.com/foo.js"></script>
</html>

No, there are no issues.
This is common practice in PayPal shopping carts, where PayPal includes the user's logo from a third-party site via https://.

Related

Strange Mixed Content Issue

I've been having this error in Chrome Developer Tools for a while and I just can't seem to find the insecure http:// request. It points to my domain but without https://. http://www.example.com/ is not a script so I don't understand where it's coming from.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html'
was loaded over HTTPS, but requested an insecure script 'http://www.example.com/'. This request has been blocked;
the content must be served over HTTPS.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html'
was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.example.com/'.
This request has been blocked; the content must be served over HTTPS.
Thanks
I had a similar issue. Is the page you are hosting a single page application with HTML5/history/push-state routing?
This type of routing goes by many names, but what it does is replace your hash-based url https://address.com/page/#client/side/route with regular routes such as https://address.com/page/client/side/route. When the files are hosted with a static file server, the file server may not know about the client-side routing and return a 404 instead of routing everything to index.html. Apparently, this can lead to the problem you described in Chrome even though the page might appear to work.
In short, many static file hosting tools are not suitable to serve a SPA with HTML5 routing, notably http-server (https://github.com/indexzero/http-server/issues/80). Try a different tool (e.g. serve) or use nginx with try_files $uri $uri/ index.html.
This means your web page is being accessed over https, but it uses resources that are served over http. Modern browsers like Chrome consider this as a security risk. The browser does not load the http resources and shows a warning in the developers console.
The solution is to change the protocol method from http to https for all resources that are being accessed over http.
See this link: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content#alternatives_to_csp

Nginx letsencrypt nodejs : this page is trying to load scripts from unauthenticated

I'm new to SSL setup and I was following a tutorial on how to set up a node.js application with nginx and an SSL certificate.
"The tutorial":
https://code.lengstorf.com/deploy-nodejs-ssl-digitalocean/?utm_source=nodeweekly&utm_medium=email
Everything went well and I'm able to access the site via https but in Chrome at the right sidebar I can see this warning (This page is trying to load scripts from unauthenticated sources)
Any idea what it may be?
This means that you have some HTTP links in <script> tags in your HTML.
You need all your links in HTML to be HTTPS (scripts, images, styles etc.)
Those could be links to libraries like jQuery, some analytics scripts or even your own scripts on your own page that get loaded with <script src="http://...">
For example, if you have something like this in HTML:
<script src="http://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js">
</script>
Change it to:
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js">
</script>
It is also possible, but less likely, that you have some scripts that are requested over HTTPS but the requests get redirected to HTTP. Open the browser's developer console and see which requests for which files are causing those warnings and find out where they are referenced in the HTML that the browser is getting.
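The following is an added example (not code from either of the answers above) that does what the two answers describe by hand: it scans an HTML document served over HTTPS for resources a browser would fetch over plain http:// and rewrites hard-coded http:// references to https://. The sample page and the host names in it are constructed; the cdnjs URL is the one used in the answer, and as the first thread on this page says, a cross-origin https:// script is not a finding.

```javascript
// Added example, not from either answer: find resources on an HTTPS page
// that a browser would fetch over plain http:// and rewrite hard-coded
// http:// references to https://. SAMPLE_HTML and the host names in it
// are constructed for this example.
const SAMPLE_PAGE_URL = "https://www.example.com/index.html";
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.js"></script>
<script src="//analytics.example.net/a.js"></script>
<script src="/js/app.js"></script>
</head><body>
<img src="http://cdn.example.com/logo.png">
<iframe src="http://survey.example.org/form"></iframe>
</body></html>`;

// Tags whose src/href the browser fetches. Scripts, stylesheets and frames
// are "blockable" (active) mixed content and are refused outright; images
// and media are "optionally blockable" and were traditionally only warned
// about (current Chrome upgrades or blocks those as well).
const ACTIVE_TAGS = new Set(["script", "link", "iframe"]);
const RESOURCE_RE =
  /<(script|link|img|iframe|video|audio|source)\b[^>]*?\s(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Returns one entry per insecure reference: { tag, url, kind }.
// Relative and scheme-relative ("//host/...") URLs inherit the page's
// scheme, so only absolute http:// URLs come out of this as findings.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(RESOURCE_RE)) {
    const tag = m[1].toLowerCase();
    const raw = m[2] ?? m[3] ?? m[4];
    let resolved;
    try {
      resolved = new URL(raw, page);
    } catch {
      continue; // unparsable attribute value; nothing would be fetched
    }
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      findings.push({
        tag,
        url: resolved.href,
        kind: ACTIVE_TAGS.has(tag) ? "blocked" : "warned",
      });
    }
  }
  return findings;
}

// The fix both answers give: change the scheme in the markup. Returns the
// rewritten HTML and how many attributes were changed.
function upgradeInsecureUrls(html) {
  const re = /((?:src|href)\s*=\s*["']?)http:\/\//gi;
  let changed = 0;
  const out = html.replace(re, (_, prefix) => {
    changed += 1;
    return `${prefix}https://`;
  });
  return { html: out, changed };
}
```

On the sample page the scanner reports the stylesheet, the image and the iframe (three findings); after `upgradeInsecureUrls` it reports none. The rewrite only helps for references in markup you control: a host that answers the https:// request with a redirect back to http://, as the answer notes, still produces the warning and shows up in the developer console.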

Github IO page does not load CSS

Question
I would like to understand why my CSS resources are not loaded on my personal GitHub IO page tobias-schmidt.site.
Issue
When I access my page via the custom DNS tobias-schmidt.site or via the direct GitHub DNS mrtobe.github.io the site correctly loads the index.html but not the referenced CSS files. When I click on the blog post it does correctly load the CSS. Then for this surfing session the CSS is also available on the index.html.
Setup
DNS from GoDaddy with A-Record setup for tobias-schmidt.site - this DNS was added in the settings of the GitHub repo
Website is generated with hugo - full project is hosted under https://github.com/mrtobe/mrtobe-hugo - ./deloy.sh is used to deploy the page
Hugo generates a static website that is hosted here https://github.com/mrtobe/mrtobe.github.io
Best guess
I checked different posts and found that it might be mixed content, but I have no idea how to solve this with GitHub Pages.
You have an SSL certificate problem.
tobias-schmidt.site uses an invalid security certificate.
The certificate is only valid for the following names: *.github.com, github.com, *.github.io
Error code: SSL_ERROR_BAD_CERT_DOMAIN
GitHub Pages doesn't provide HTTPS for custom domains.
When you access https://tobias-schmidt.site the GitHub Pages server sends its certificate, which is not valid for your domain, and browsers block the request until you agree to use this certificate.
For now, in conf.toml, you have to set baseurl = "http://tobias-schmidt.site", so that hugo generates http URLs.
Later, you can try to secure your site with services like Cloudflare, or have a look at Netlify.

I want one particular page to not take https

I have this one page which has an iframe inside of which a survey page is embedded; unfortunately I'm getting a "Your connection is not secure" error inside the iframe. Does anyone know how to fix this issue? By the way, the website is SSL certified, not the page I'm trying to include inside the iframe. Also this is a PHP site, not WordPress.
Thanks
You are always going to have this problem when an HTTPS page references non-secured content. Your options are:
move the page hosting the iframe (and its associated content) outwith HTTPS. Although, in theory a HTTP page should be able to reference HTTPS hosted javascript, CSS and images without emitting warnings, this will probably vary by browser
move the survey page into HTTPS. I am guessing that you don't host this yourself - have you contacted the provider to ask if they can provide the service via HTTPS? Have you considered using a different provider?
proxy the HTTP survey page via your server - this would require some clever configuration on the webserver or terminating the SSL connection in front of a proxy operating in reverse mode for your service and rewriting/forwarding mode for the survey. Basically, if you don't control the infrastructure this is probably a non-starter.
re-implement the survey capability within your own site.
Bear in mind that as soon as your site is exposed outside of HTTPS it becomes vulnerable to more attacks.
.htaccess is not going to help - it overrides the behaviour within a vhost - the HTTP and HTTPS sites will operate in separate vhosts.

Secure Canvas - Should every http request on the canvas page also change to https?

Since 1st Oct is coming, I am working on Secure Canvas URL stuff.
My canvas URL is like canvas.example.com. I can make this domain and server SSL ready without a problem.
My question is, should every HTTP request made by canvas.example.com also change to HTTPS?
e.g. I import some JS, CSS, images from cdn.example.com to my canvas page; should I configure cdn.example.com so it can also be accessed via HTTPS, or can I just leave this domain alone and still use HTTP to get that content?
thank you very much.
You should make all content served over https or the browser will show warnings.
Facebook policies clearly mention that all Page Tabs and iFrame Applications shall have an SSL certificate.
Any external content like images and JS included on your site shall also come from secured hosting, hence the https://, else you shall not be complying with FB policies.
Given the fact that FB has been very strict on punishing defaulters, I don't think any app developer can take the risk.