I'm using Nginx + flask-socketio + aws elb and when the URL is loaded on https I'm getting the following error message which is something related to the Nginx and socket, please help on this,
socket.io.min.js:2 Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost/socket.io/1/?t=1477375737508'. This request has been blocked; the content must be served over HTTPS.d.handshake # socket.io.min.js:2
socket.io.min.js:2 XMLHttpRequest cannot load http://localhost/socket.io/1/?t=1477375737508. Failed to start loading.
Take a look into your .js file, make sure that you are using the right ajax URL (//your_site.com/handler, instead of http://your_site.com/handler), for instance:
$.ajax({
url:'//your_site.com/handler',dataType:'json',type:'get',
success: function(data){...},
complete:function(xhr, textStatus){...}
});
Mixed Content is a security policy employed by current browsers, and its goal is to prevent leaking information fetched over "secure" HTTPS to non-secure contexts. Therefore, a site served with HTTPS must use HTTPS or other TLS-enabled protocols to fetch content.
The URI prefix for Websockets over TLS is wss, and for plain Websockets ws. At least Chromium and Firefox consider https+ws mixed content, and deny such setting - therefore wss should be used as the URI prefix in secure/HTTPS contexts instead of ws.
Related
Background
I was making a browser extension that sends a POST request to http://ip.v4.ad.dr/somephp.php which does some data handling based on the POSTed data. This extension is supposed to function on the site https://meet.google.com/.
Problem
My problem arises because I am sending from https to http, so my request is blocked and this error appears:
Mixed Content: The page at 'https://meet.google.com/mym-eets-url?authuser=x' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://ip.v4.ad.dr/somephp.php'. This request has been blocked; the content must be served over HTTPS.
Please note that those are fake URLs. They are just there to signify that this is what the URL looks like, not what it is. mym-eets-url is My Meet's URL, and ip.v4.ad.dr is IPv4 Address
Attempts to solve
I have thought of:
Making/using some site that reflects the request to the target URL. I do not think this works since that mirror site may block the request, since it is https.
Making my localhost use https. I am pretty sure this will work, but I don't want to use https simply because the request won't send otherwise. I can try doing this if there isn't any other option.
Question
What is the best way to send a request from a https site to my own http://ip.v4.ad.dr/ server?
I have moved my Joomla website from one hoster to another and on the new hoster I get:
Blocked loading mixed active content "http://mywebsite.com/joomla/media/jui/css/bootstrap.css"
I understand the reason: I use https, and browser detects a http call.
But how do I fix this?
You change the source of your https website to point to the https version
If you can't, you can fix it for moden browsers with that http header:
Content-Security-Policy: upgrade-insecure-requests
See https://scotthelme.co.uk/migrating-from-http-to-https-ease-the-pain-with-csp-and-hsts/
Note: to improve security, you should use HSTS. It will redirect http to https directly in the browser, without insecure redirect.
Specifically about joomla:
Did you set
$live_site = 'https://www.your-domain.com';
in your configuration.php file ?
See https://www.joomlart.com/tutorials/joomla-tutorials/how-to-use-ssl-in-a-joomla-site
Trying to upload a media (video / image) for iphone and android, from one domain using HTTPs to another HTTP. Cant change both to a single protocol as both have different environments which cant be changed apparently.
Everything's working fine on iOS but Android is not doing the uploading thing.
Getting following error on Android chrome :
Mixed Content: The page at 'https://*****' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://*****'. This request has been blocked; the content must be served over HTTPS.
When the main page is https, then insecure (http) request are mostly blocked.
The best way to avoid mixed content errors is to use https for everything.
I recently installed SSL from CloudFlare Flexible SSL but when I use https it doesn't seem to load image and CSS assets.
I already disabled hotlink protection.
Here are some images to illustrate the difference:
Using https: http://gyazo.com/ef6ccb13c2c8f3f797dcb2d947a772cb
Not using https: http://gyazo.com/be277259e0dcc8e395316b573de12935
Thankful for help!
A look at the browsers console shows lots of messages like this:
Mixed Content: The page at 'https://hornetvault.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.hornetvault.com/templates/fresh/assets/css/styles.css'. This request has been blocked; the content must be served over HTTPS.
Which means you try to load resources using http:// inside a https:// site and these resources get blocked. You need to load these resources by https:// too. You might try to simple use // instead of explicitly given http:// or https:// in your URLs, in which case it will simply use the same scheme (http or https) as the page itself.
How can you determine the current request URL if using off box SSL termination?
E.g.
Browser has url httpS://yourserver/
SSL Termination decrypts and sends onto http://yourserver
IIS/ASP.NET receives request at http://yourserver
At (3) if you use Context.Request.Url, Page.Request.Url or Page.Request.RawUrl it show a url with a http protocol and not httpS
How do get the public httpS URL that was origionally used at (1) in this case?
The convention used for Microsoft Products is to add a header at the reverse proxy.
Front-End-Https : On
So you know the http url is really https.
You could also add in your own header containing the original URL if you did something like URL translation (e.g. something like "Original-Uri").
This page shows how to do this using IIS AAR as the reverse proxy, though in my testing I could only get headers to pass through if they are prefixed with HTTP_ (which is later stripped out).