Http and Https communicating issues - http

Trying to upload media (video / image) from iPhone and Android, from one domain using HTTPS to another using HTTP. Can't change both to a single protocol, as both have different environments which can't be changed apparently.
Everything's working fine on iOS but Android is not doing the uploading thing.
Getting the following error on Android Chrome:
Mixed Content: The page at 'https://*****' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://*****'. This request has been blocked; the content must be served over HTTPS.

When the main page is https, then insecure (http) requests are mostly blocked.
The best way to avoid mixed content errors is to use https for everything.

Related

Mixed content: page at https was loaded over https but requested an insecure

I'm using Nginx + flask-socketio + AWS ELB, and when the URL is loaded over https I'm getting the following error message, which is something related to Nginx and the socket. Please help with this.
socket.io.min.js:2 Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost/socket.io/1/?t=1477375737508'. This request has been blocked; the content must be served over HTTPS.d.handshake # socket.io.min.js:2
socket.io.min.js:2 XMLHttpRequest cannot load http://localhost/socket.io/1/?t=1477375737508. Failed to start loading.
Take a look into your .js file, make sure that you are using the right ajax URL (//your_site.com/handler, instead of http://your_site.com/handler), for instance:
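$.ajax({
    // Protocol-relative URL: the request inherits the scheme of the page
    url: '//your_site.com/handler',
    dataType: 'json',
    type: 'get',
    success: function (data) { /* handle the response */ },
    complete: function (xhr, textStatus) { /* runs after success or error */ }
});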
Mixed Content is a security policy employed by current browsers, and its goal is to prevent leaking information fetched over "secure" HTTPS to non-secure contexts. Therefore, a site served with HTTPS must use HTTPS or other TLS-enabled protocols to fetch content.
The URI prefix for WebSockets over TLS is wss, and for plain WebSockets ws. At least Chromium and Firefox consider https+ws mixed content and deny such a setting; therefore wss should be used as the URI prefix in secure/HTTPS contexts instead of ws.
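The scheme rules from the answers above (protocol-relative URLs, http to https, ws to wss), as an added example that is not code from the original posts. The function names are hypothetical and the sample requests are constructed from the errors quoted on this page.

```javascript
// Added example, not code from the answers above. Function names are hypothetical.
const SECURE_SCHEME = { 'http:': 'https:', 'ws:': 'wss:' };

// Resolve `target` the way the browser would for a request made by `pageUrl`,
// report whether it is mixed content, and return the TLS-enabled URL to use.
function checkRequest(pageUrl, target) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative ('//host/path') targets inherit the page scheme.
  const resolved = new URL(target, page);
  const upgrade = SECURE_SCHEME[resolved.protocol];
  const mixed = page.protocol === 'https:' && upgrade !== undefined;
  if (mixed) resolved.protocol = upgrade; // host, port, path and query are kept
  return { mixed, url: resolved.href };
}

// WebSocket URL for a page: wss on HTTPS pages, ws otherwise.
function socketUrlFor(pageUrl, path) {
  const url = new URL(path, pageUrl);
  url.protocol = url.protocol === 'https:' ? 'wss:' : 'ws:';
  return url.href;
}

// Constructed sample requests, modelled on the errors quoted on this page.
const samples = [
  ['https://localhost/', 'http://localhost/socket.io/1/?t=1477375737508'],
  ['https://www.example.com/', 'ws://www.example.com/socket'],
  ['https://www.example.com/', '//cdn.example.com/images/test.jpg'],
  ['http://www.example.com/', 'http://cdn.example.com/images/test.jpg'],
];
for (const [page, target] of samples) {
  const r = checkRequest(page, target);
  console.log(`${r.mixed ? 'MIXED' : 'ok   '} ${target} -> ${r.url}`);
}
```

Rewriting the scheme only helps when the endpoint actually serves TLS on that host and port.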

Meteor Http and https block on cloud9

I have my meteor app running on cloud9. I have AdminLTE installed. When running the app on my local host, all is well. Running on cloud9-IDE I get the following browser error related to the AdminLTE package:
Mixed Content: The page at 'https://app-user.c9users.io/'
was loaded over HTTPS, but requested an insecure stylesheet
'http://0.0.0.0:8080/packages/mfactory_admin-lte/css/AdminLTE.min.css'.
This request has been blocked; the content must be served over HTTPS.
'http://0.0.0.0:8080/packages/mfactory_admin-lte/css/skins/skin-green.min.css'.
This request has been blocked; the content must be served over HTTPS.
How can I correct this? I read somewhere that it has to do with accessing http over https. I'm a bit clueless when it comes to https. Any ideas?
Found the solution. The environment variable must be forced.
Thus to run the app:
ROOT_URL="https://app-username.c9users.io/" meteor --port $IP:$PORT

Google Analytics with HTTPS protocol with mod_pagespeed

I've used the following information to get mod_pagespeed to inject the GA scripts into my pages:
https://developers.google.com/speed/pagespeed/module/filter-insert-ga
Unfortunately we have a reverse proxy setup where the browser requests the page over HTTPS but the server injects the content as HTTP.
Here is the Chrome browser error:
[blocked] The page at 'https://*' was loaded over HTTPS, but ran
insecure content from 'http://www.google-analytics.com/ga.js': this
content should also be loaded over HTTPS.
I need this module to use the correct protocol when injecting the script i.e. https:// www.google-analytics.com/ga.js (Sorry for the broken URL I can't post more than 2 links)
We don't have an answer yet, but you can track progress of this bug here: https://code.google.com/p/modpagespeed/issues/detail?id=877
You are going to run into this issue a lot. Try fixing the proxy/server so it correctly identifies the end-user connection as SSL. Most load balancers inject a header and have an Apache mod to read the header for you.
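One way an application behind the proxy can recover the end-user scheme from the injected header, as an added example that is not code from this thread or from mod_pagespeed. It assumes the de facto X-Forwarded-Proto header, a single proxy at the constructed address 10.0.0.5, and hypothetical function names; the header is honoured only when the connection comes from that proxy, since any client can send it.

```javascript
// Added example. Assumptions: the load balancer sets X-Forwarded-Proto and
// connects from 10.0.0.5 (constructed address); function names are hypothetical.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Scheme the end user's browser used, as far as this server can know it.
function clientScheme(req) {
  const direct = req.socket.encrypted ? 'https' : 'http';
  // A header from an untrusted peer is attacker-controlled input: ignore it.
  if (!TRUSTED_PROXIES.has(req.socket.remoteAddress)) return direct;
  const header = req.headers['x-forwarded-proto'];
  if (!header) return direct;
  // With several values, the last one was written by the nearest proxy.
  const value = String(header).split(',').pop().trim().toLowerCase();
  return value === 'https' || value === 'http' ? value : direct;
}

// Origin to use when the server generates absolute URLs for injected content.
function originFor(req) {
  return `${clientScheme(req)}://${req.headers.host}`;
}

// Constructed requests: same header, different peers.
const viaProxy = {
  socket: { remoteAddress: '10.0.0.5', encrypted: false },
  headers: { host: 'shop.example', 'x-forwarded-proto': 'https' },
};
const directClient = {
  socket: { remoteAddress: '203.0.113.9', encrypted: false },
  headers: { host: 'shop.example', 'x-forwarded-proto': 'https' },
};
console.log(originFor(viaProxy));     // scheme taken from the proxy's header
console.log(originFor(directClient)); // header ignored, plain HTTP hop reported
```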

HTTP iframe on HTTPS page

I have a simple question, but can't find the answer that I'm looking for.
Is a http iframe that's loaded on a secure https page also secured?
An iframe with an http source will not be displayed on an https website, as it's considered mixed content and browsers like Chrome will block the content with the following message:
Mixed Content: The page at 'your website' was loaded over HTTPS,
but requested an insecure resource 'iframe http source '. This
request has been blocked; the content must be served over HTTPS.
So far I have not seen a solution to allow mixed content.
There has been a solution for Firefox which is based on redirecting the iframe source via another website that is hosted on the HTTPS Domain.
It is not automatic; you should verify whether the src of your iframe is connecting via https or not:
<iframe src="http://www.example.com"></iframe>
Your iframe doesn't extend the https access from the principal page.

Loading http content on https website

I'm thinking about my website architecture that's using https. I now have a CDN server hosting images, CSS and more static files.
The website itself is using HTTPS for securing sensitive customer data. Will using the static images, loaded by for example 'http://cdn.example.com/images/test.jpg' on a website 'https://www.example.com', pop up a "Loading insecure data" message?
So loading external NOT SECURED data on a SECURED website.
Will this be causing a popup warning "Loading insecure data, continue?"?
Thx!
Yes.
If a page is loaded over HTTPS then every resource it uses should also be loaded over HTTPS.
Otherwise a man-in-the-middle could replace images with misleading ones (or ones that exploit buffer overflow issues in browsers to execute code) and scripts with ones that do different things (such as leak data to the third party).
You have to load every resource over https to get rid of that warning. You can either move the resources to your server that supports encryption, or link to an external resource over https.
If you really want to load http content in https, you can follow this method using a backend handler in charge of downloading and exposing the required content with self forged links including a hash. The security issue is then fixed and you get the content accessible through https.
Dealing with HTTP content in HTTPS pages
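The backend-handler idea from the answer above, as an added example that is not the linked article's code: the page embeds an HTTPS link to a handler, and a keyed hash (HMAC) over the target URL stops the handler from being asked to fetch arbitrary addresses. The /proxy path, SECRET and the function names are assumptions made for illustration.

```javascript
// Added example, not the linked article's code. SECRET, the /proxy path and
// the function names are assumptions made for illustration.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-side key, never sent to the browser

function sign(target) {
  return crypto.createHmac('sha256', SECRET).update(target).digest('hex');
}

// Build the HTTPS link the page embeds in place of the http:// resource.
function proxyLink(base, target) {
  const link = new URL('/proxy', base);
  link.searchParams.set('url', target);
  link.searchParams.set('sig', sign(target));
  return link.href;
}

// Handler-side check: returns the URL to fetch, or null to reject the request.
function verifyProxyLink(link) {
  const params = new URL(link).searchParams;
  const target = params.get('url');
  const sig = params.get('sig');
  if (!target || !sig) return null;
  const expected = Buffer.from(sign(target));
  const given = Buffer.from(sig);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let parsed;
  try { parsed = new URL(target); } catch { return null; }
  // Only web schemes are fetched, even when the signature is valid.
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? target : null;
}

// Constructed sample: the CDN image from the question, served via the handler.
const link = proxyLink('https://www.example.com', 'http://cdn.example.com/images/test.jpg');
console.log(link);
console.log(verifyProxyLink(link));
```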
I did this recently.
I have a raspberry pi loaded with nginx, and PHP.
I use HTTPS to handle requests from the web to the PHP code, which in turn sends http requests to my local network to assemble the page. Works well.
