I have my meteor app running on cloud9. I have AdminLTE installed. When running the app on my local host, all is well. Running on cloud9-IDE I get the following browser error related to the AdminLTE package:
Mixed Content: The page at 'https://app-user.c9users.io/'
was loaded over HTTPS, but requested an insecure stylesheet
'http://0.0.0.0:8080/packages/mfactory_admin-lte/css/AdminLTE.min.css'.
This request has been blocked; the content must be served over HTTPS.
'http://0.0.0.0:8080/packages/mfactory_admin-lte/css/skins/skin-green.min.css'.
This request has been blocked; the content must be served over HTTPS.
How can I correct this? I red somewhere that I has to do with accessing http over https. I'm a bit clueless when it comes to https. Any ideas?
Found the solution. The environment variable must be forced.
Thus to run the app:
ROOT_URL="https://app-username.c9users.io/" meteor --port $IP:$PORT
Related
When trying to run a request through swagger UI, I receive the following response on Swagger
TypeError: Failed to fetch
After searching around, I found that a possible cause of this error is because of a CORS issue, where the origin is changed in the request (as you can see at this other post here). However, in my case, this is not running through some other proxy, it is hosted on a locally hosted server and that server is not changing any of the headers. I realized this when I tried to allow the API to just accept any CORS headers to test if this was the issue; sadly it was not and the issue persisted.
The API is running on IIS hosted on a server that is hosted locally. The API is running as an application on the default website and is accessed via the following url:
http://servername/application-name/swagger/index.html
Can anyone help with this issue?
After further investigation, I found that when I looked at the requests being sent to the server through the dev tools on the browser, that the URL was being changed from http to https on the request of the endpoint through swagger.
HTTPS, has not been set up on the server and returns a 404 (as seen in the dev tools).
It turns out, that even though the server has not been setup to serve content via HTTPS, the requests where still redirected to HTTPS and this was the reason
app.UseHttpsRedirection();
So, even though swagger was able to be loaded on HTTP, when the request was made to the API, the API responded with a 307 - for redirection and the request was redirected to HTTPS - which in turn returned 404. This 404 response was the cause the TypeError: Failed to fetch
The recommended fix for this is to turn off https redirection (ONLY FOR TESTING PURPOSES) and the other is to enable the server to serve the content correctly over HTTPS, so that when a call is made, it is not redirected, but rather sent straight to the correct API address on HTTPS - which should not return the data correctly, since the server can serve HTTPS content
I'm using Nginx + flask-socketio + aws elb and when the URL is loaded on https I'm getting the following error message which is something related to the Nginx and socket, please help on this,
socket.io.min.js:2 Mixed Content: The page at 'https://localhost/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost/socket.io/1/?t=1477375737508'. This request has been blocked; the content must be served over HTTPS.d.handshake # socket.io.min.js:2
socket.io.min.js:2 XMLHttpRequest cannot load http://localhost/socket.io/1/?t=1477375737508. Failed to start loading.
Take a look into your .js file, make sure that you are using the right ajax URL (//your_site.com/handler, instead of http://your_site.com/handler), for instance:
$.ajax({
url:'//your_site.com/handler',dataType:'json',type:'get',
success: function(data){...},
complete:function(xhr, textStatus){...}
});
Mixed Content is a security policy employed by current browsers, and its goal is to prevent leaking information fetched over "secure" HTTPS to non-secure contexts. Therefore, a site served with HTTPS must use HTTPS or other TLS-enabled protocols to fetch content.
The URI prefix for Websockets over TLS is wss, and for plain Websockets ws. At least Chromium and Firefox consider https+ws mixed content, and deny such setting - therefore wss should be used as the URI prefix in secure/HTTPS contexts instead of ws.
Trying to upload a media (video / image) for iphone and android, from one domain using HTTPs to another HTTP. Cant change both to a single protocol as both have different environments which cant be changed apparently.
Everything's working fine on iOS but Android is not doing the uploading thing.
Getting following error on Android chrome :
Mixed Content: The page at 'https://*****' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://*****'. This request has been blocked; the content must be served over HTTPS.
When the main page is https, then insecure (http) request are mostly blocked.
The best way to avoid mixed content errors is to use https for everything.
I recently installed SSL from CloudFlare Flexible SSL but when I use https it doesn't seem to load image and CSS assets.
I already disabled hotlink protection.
Here are some images to illustrate the difference:
Using https: http://gyazo.com/ef6ccb13c2c8f3f797dcb2d947a772cb
Not using https: http://gyazo.com/be277259e0dcc8e395316b573de12935
Thankful for help!
A look at the browsers console shows lots of messages like this:
Mixed Content: The page at 'https://hornetvault.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.hornetvault.com/templates/fresh/assets/css/styles.css'. This request has been blocked; the content must be served over HTTPS.
Which means you try to load resources using http:// inside a https:// site and these resources get blocked. You need to load these resources by https:// too. You might try to simple use // instead of explicitly given http:// or https:// in your URLs, in which case it will simply use the same scheme (http or https) as the page itself.
I've used the following information to get mod_pagespeed to inject the GA scripts into my pages:
https://developers.google.com/speed/pagespeed/module/filter-insert-ga
Unfortunately we have a reverse proxy setup where the browser requests the page over HTTPS but the server injects the content as HTTP.
Here is the Chrome browser error:
[blocked] The page at 'https://*' was loaded over HTTPS, but ran
insecure content from 'http://www.google-analytics.com/ga.js': this
content should also be loaded over HTTPS.
I need this module to use the correct protocol when injecting the script i.e. https:// www.google-analytics.com/ga.js (Sorry for the broken URL I can't post more than 2 links)
We don't have an answer yet, but you can track progress of this bug here: https://code.google.com/p/modpagespeed/issues/detail?id=877
You are going to run into this issue a lot. Try fixing the proxy/server so it correctly identifies the end-user connection as SSL. Most Load Balancers inject a header and have an apache mod to read the header for you.