WordPress - Chrome not loading ajax googleapis securely

Wordpress site in Chrome (not Firefox) is blocking jquery loading - console shows error in our recently secured (full site) over SSL.
"The page was loaded over HTTPS, but displayed insecure content from 'http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js': this content should also be loaded over HTTPS."
When I view it in Firefox, this same call is indeed HTTPS.
I see the call to this URL in the head section of the page source, but haven't located where this call is coming from in the code so I can change it to HTTPS. Getting generated... But where? I can't locate it.
Our WordPress Address (URL) and the Site Address (URL) are both HTTPS - all else works except for this jquery call.
I have read similar issues on this forum but don't know a clear way to fix it within WordPress or force the HTTPS... or even find what's calling it - at the limits of my knowledge about this... Thanks for any help here

Use //ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js to load the JavaScript, instead of adding the http or https protocol in front of the URL. Modern browsers know to prepend the proper protocol when none is supplied.
That being said, since you are using WordPress, you should have one of the latest versions of jQueryUI already in the installation. You simply need to wp_enqueue_script() the ones you need. For instance, if you need draggable and sortable, you would use wp_enqueue_script('jquery-ui-draggable'); and wp_enqueue_script('jquery-ui-sortable'); respectively. WordPress is kept pretty up to date on these APIs, so offloading jQueryUI to googleapis is probably not the best of ideas, because you could incur a page load time hit by adding another domain for a browser to lookup.

Related

Problem with Page has redirected JavaScript

I did an audit of my website and it sends me this message
"Page has redirected JavaScript"
Issue details
Some pages on your website link to JavaScript files via a redirect.
This forces web browsers and search engine crawlers to make an additional HTTP request in order to reach the destination JS file URL. On a vast scale, this can increase page loading times for your website.
How to fix
Review the pages that have a link to the redirecting URL and replace this link with the direct link to the destination JS file.
If you decide to keep links to redirecting URLs that do not belong to your website, make sure that the destination files are relevant.
And I get several links like these:
https://script.crazyegg.com/pages/scripts/0012/9265.js
https://s7.addthis.com/ with random numbers
Has anyone had a similar problem who can help me to see how to solve the problem?
It sounds like you have some pages that are actually loading a remote JS file, which then redirect to another page on your website.
Why this is happening is anyone's guess - maybe you have a plugin installed that is doing it intentionally as part of its functionality. I would start by disabling plugins one at a time (ideally on a staging environment) until the problem goes away, and then you'll know who the culprit is and make a decision.

Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure stylesheet error in Wordpress site

Instead of genuine Mixed Content issue this seemed like more of a Wordpress issue hence posting here to find a resolution.
I have everything set up to work with https, though there is no valid certificate yet. Here is the home page URL: https://tourpoule.nl. The home page loads but with Mixed Content errors which seem to be generated by core WordPress or theme functions. Attaching image:
Database does not have any url which would start with http://. I already have replaced them using search and replace script.
There is nothing in the htaccess file except basic WordPress setup code. I tried renaming it as well. I cleared all types of cache but still it does not work. The site is using the twentytwenty theme and if I comment out the CSS and JavaScript enqueue lines, some of the errors disappear but styles and scripts do not load (that is normal, I know).
In the view source of page it shows mixed urls, some with https and style and javascript urls without https. see below:
Interestingly if I click a stylesheet url i.e. http://new.tourpoules.nl/wp-content/themes/twentytwenty/style.css?ver=1.0 it redirects to https://new.tourpoules.nl/wp-content/themes/twentytwenty/style.css?ver=1.0
I am not sure what is going on and have got stuck. I am not able to reach the client so that we can discuss turning SSL redirection off in nginx for this domain, where it is redirecting everything to https if it is not https. Not sure if that is causing the issue (I believe it is not, as it has nothing to do with the WordPress mechanism to generate URLs). Any help or direction is greatly appreciated.
I can see your website is still unsecured, for what it's worth, get yourself letsencrypt ssl.
Back to your question: go to your database, open the wp_options table, change the siteurl item to https://tourpoules.nl and also change the home item to https://tourpoules.nl.
If you have used search and replace DB master script or plugin it will not update inside meta files as well as and check for the function file have you Enqueue with https://
So will be better if you download SQL file and replace with below:
From:
http://new.tourpoules.nl
To
https://new.tourpoules.nl
and re-upload again

Why doesn't typing https:// work?

I have a website that I'm working on to pass from http to https. A month ago, I went through all pages on the website and changed the links in the page's content using the WordPress CMS back-end editor. When I typed https:// in the address, I could see on the console a lot of Mixed Content errors related to links in files that I don't have access to, so I passed this all to the back-end guy in my company to deal with.
Today, someone pointed out that the website is still not secure and if you type https:// it will default to http://. I've tried doing this in Chrome, Firefox and Internet Explorer, and they all default back to http://. The person that pointed out this problem said that, since we already have the certificate, this should be happening because some part of the website is still not secure.
How can I find where is this issue happening?
You will need to enable the secure site feature ("SSL") from your hosting first, but since you mentioned it is already enabled, you will then need to use a plugin to enforce the secure website on all pages. You can try https://wordpress.org/plugins/really-simple-ssl/

WordPress with SSL from Let's Encrypt, but homepage not fully secure. "Attackers might be able to see images.." message

Could you help me find out what to do with not fully secure message.
I have installed ssl certificate from let's encrypt, but my wordpress homepage has a message "Attackers might be able to see the images you're looking at on this site and trick you by modifying them".
The home page is still in development, with demo content. About what images chrome notification is telling? Something to do with cookies?
Thank you for your answers!
Edit: Does it have to do with the theme itself? Whole wordpress dashboard and login is served over proper secure ssl.
Sending images via http protocol is what triggers this issue. Using any content from a cdn that does not use https will also trigger this issue. This quote explains it pretty simply (the yellow padlock / warning of unencrypted content/images):
If a yellow padlock appears with a mini yield sign, the likely cause
is links in your site still refer to an unsecured page. Make sure that
all your images, menu items and links use https in the URL.
source
I would use a tool to help identify all non-encrypted file transports. One such tool would be something like Why No Padlock.
Did you enable https after installing WordPress? If so, you must change the WordPress address and Site Address under "General Settings" in WordPress. Make sure both addresses use https.
If your WordPress site address is set to use http, your server will force https but WordPress will serve certain images, like the favicon, over http. This triggers a "mixed content" warning.
I too had run into this issue. It appears there are many http: that need to be replaced with https:
You typically do this using a plugin called Better Search and Replace. Make sure you are adding colon (:) at the end of both http and https.
I found a working answer here
To check for issues on the chrome/opera inspection console (ctrl+shift+C) is also a great idea: I had setup all correctly and the issue was the footer image, not something you would check very often looking for this fix. I had applied SSL to many websites, sometimes the issue is just one simple link and this method helps find it.
I had the same problem where the home or index page was saying the page was not fully secure "Attackers might be able to see images blah blah blah"
After enabling https in general settings under site address and wordpress address I was still getting the insecure image warning on the index or home page.
The next step was to find out what images were not using the https ref on the index or home page.
In my case I viewed the page source of the page, by right-clicking the page in the Chrome browser and looking for image URL refs which were still showing http. I was using a sliding header and those images were showing http. So all I did was go into the slider header in the appearance menu of WordPress, and re-assign each of the header slider images for each frame. Rechecked the home page; now the image URLs were showing https. Bingo, the secure lock symbol returned.
Obviously these image urls don't get updated via the general settings... which seems an oversight by whoever wrote the part of the word-press script.
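
The manual check described in these threads (reading the page source for http:// references such as the jQuery UI script, the theme stylesheet and the slider images) can be scripted. The following is an added example, not code from any of the posts: a Python scanner that lists the subresources an HTTPS page would fetch over plain HTTP, resolving relative and protocol-relative URLs first. The page URL https://example.com/, the image path, the class and function names are assumptions, and the sample markup is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script", "iframe"}  # insecure loads are blocked outright
PASSIVE = {"img", "audio", "video", "source"}  # loaded, but padlock degrades


class MixedContentScanner(HTMLParser):
    """Collects subresources that would be fetched over plain http://."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL, source line)

    def handle_starttag(self, tag, attrs):
        attrs, attr, kind = dict(attrs), "src", None
        if tag == "link":  # stylesheets act like scripts, favicons like images
            rel = (attrs.get("rel") or "").lower()
            kind = "active" if "stylesheet" in rel else "passive" if "icon" in rel else None
            attr = "href"
        elif tag in ACTIVE or tag in PASSIVE:
            kind = "active" if tag in ACTIVE else "passive"
        raw = (attrs.get(attr) or "").strip()
        if kind is None or not raw:
            return  # <a href> etc. are navigations, not subresources
        # Resolve relative and //host/path URLs against the page's own scheme.
        url = urljoin(self.page_url, raw)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url, self.getpos()[0]))


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page source; the two third-party URLs are quoted from the questions.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://new.tourpoules.nl/wp-content/themes/twentytwenty/style.css?ver=1.0">
<script src="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.8.18/jquery-ui.min.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/slider-1.jpg" alt="slide">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url, line in scan("https://example.com/", SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

The reported line numbers point into the fetched page source, which narrows down which theme template, plugin or stored option emitted the tag.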

How to use http:// in https:// using iframe?

My website is SSL-enabled and secure, containing https://
Now I want to add a website link in my webpage using an iframe, which is in http://
How can I use it? The problem here is that http:// is not working in https:// using an iframe.
Please give a solution
Thanks.
You can't in many modern browsers, because it is a major security issue. There's a workaround though: you can proxy the content via HTTPS. You have to create something on HTTPS that fetches the unsecured content for you and passes it over TLS to the end user in the iframe. This, however, is not as trivial as it looks. Just fetching the content might not be enough, because the user might want/need to POST something back. And it's not just the content, but the headers too if you need to support cookies. And when the content you served over your proxy solution loads stuff via HTTP you end up with a mixed content warning.
