Showing Iframe in a https site shows warning - iframe

I have a page on my website https://www.mydomain.com/about . It consists of a Vimeo video.
We are embedding the Vimeo video in an iframe on the page.
But it shows a security warning stating "Do you want to view only the webpage content that was delivered securely?".
Is there a way to avoid this?

That warning means that some content on your page was served through HTTP instead of HTTPS. It tells the user that, even though the page itself was served through HTTPS, it includes content (image, stylesheets, scripts, iframes) that was not authenticated, and that such content may be subject to MITM attacks.
If you want to avoid the warning, you should set the source of the iframe to an https: URL.

Related

Security Error on WordPress site using WooCommerce, cleaner theme and PayPal

I am using a combination of things and not sure where the error is coming from: I have a WordPress site with an installed SSL cert. https://www.joesmetrobox.com. I have the Cleanr theme installed and I am using WooCommerce and the PayPal Advanced plugin to use PayPal as the way I process payments.
Everything is fine until I try to submit the credit card information here: on this page: checkout/pay/?key=order_51882ad846e67&order=360 (this would be unique for transaction). Then depending on the browser I get an error:
Firefox: Security Warning: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by others. Are you sure you want to continue sending this information?
Firebug gives me this error: 404 error for this wp-content/themes/cleanr/js/scripts.js?ver=1.0 and file which does not seem to exist.
Explorer 8: Security Warning: Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
Chrome: Secure Token Expired
and if I use their developer tools I also get this extra clue: Unsafe JavaScript attempt to access frame with URL https://joesmetrobox.com/checkout/pay/?key=order_5188245e1ae70&order=361 from frame with URL https://payflowlink.paypal.com/?mode=LIVE&SECURETOKEN=LvNtL1gubfE6Z5lwc2gMiQgJ0&SECURETOKENID=joesmetro51882d664015d4.15989435. Domains, protocols and ports must match.
So I am pretty stumped at this point where to even focus my attention. I am not a programmer and know just enough to be dangerous.
I am wondering if it is some kind of token setting in Paypal that I accidentally clicked and don't need? or maybe WooCommerce isn't playing nice with Paypal, Cleanr theme or maybe both.
I just want to be able to process payments without an error popping up...does anyone have ideas?
A plugin like this may help you implement HTTPS to your site.
http://wordpress.org/extend/plugins/wordpress-https/
WooCommerce Reference: http://docs.woothemes.com/document/ssl-and-https/
Insecure content warnings
If you have insecure content warnings when viewing a secure page it means you will be linking directly to scripts, images, or stylesheets over http instead of https. Most of the time this is simply fixed by changing said links to https or by using relative URL’s (e.g. /wp-content/file instead of http://yoursitename/wp-content/file).
You can also use a plugin like WordPress HTTPS to force the URLS to be secure. WooCommerce does secure scripts which are enqueued correctly.
To identify the insecure links you can use a tool such as Firebug for Firefox, or Chrome's built-in developer tools, and look at the error console – insecure resources will be listed.

HTTPS Mixed Content prompt when HTTPS page hosts HTTP subframe

I'm using an iframe technology that places my html page inside of a 'landing page' hosted by our clients.
The problem in 1 situation is the page hosted by the client is HTTPS and it shows the Security Warning: Do you want to view only the webpage content that was delivered securely? Yes No
I want this to be resolved... not sure what to do. We have an SSL certificate which works but that particular iframe page, when accessing via https on my local box, it shows the SSL Warning that it's not valid.
Read this article for some background about mixed content. In general, you can't have a HTTP-based subframe of a HTTPS-based page; if you do, you'll encounter this warning in most browsers in some form or another (some show a notification bar, a broken lock, or other indicator).
You'll either need to change the page so that the top-level isn't HTTPS, or so that the subpage is also HTTPS and bears a valid certificate.

how to access the http and https in the same page in asp.net?

I am creating a website with password-protected pages in it.
I have two types of customer: 1. normal 2. secured
For secured customers, pages would be rendered over HTTPS whereas for normal customers, pages will be rendered over HTTP.
However, pages for both types of users would be same but the content will change.
Please note, the URL for the two users should be same except HTTP/HTTPS part.
Can anyone pls suggest how to structure the application so that the same page will act as both http and https?
Also would like to know, sometimes when we browse some HTTPS page and few of the items like image are referenced over HTTP then we get a cross in Address Bar indicating that some of the resources are not over HTTPS.
How can we overcome this problem, any suggestions?
This should be fine, when the user logs in, redirect them to an https:// page. Just use the same page addresses, only the scheme (http or https) needs to change.
To avoid problems with choosing between http or https (for example in image URLs like you mention), try to use relative URLs whenever possible, instead of absolute URLs. So if you're on https://test.com/index.html and want to display an image in an images directory, use /images/test.jpg (relative) rather than https://images/test.jpg (absolute).
If you have to use absolute, you can use a scheme-relative url - for example //images/test.jpg will use HTTP if the current page is using HTTP, and HTTPS if the page is using HTTPS.
See this question and this one for more details.
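
The checks the answers above describe (finding the insecure links, and preferring relative or scheme-relative URLs), as an added example that is not part of any original post: a small Python scanner that resolves each subresource URL against the page URL the way a browser does and reports the ones that end up on http://. The hostnames and sample markup are constructed, and `<base href>` is ignored for simplicity.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute the browser fetches or posts to; <a href> is not a subresource.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "audio": "src", "video": "src", "source": "src",
    "object": "data", "form": "action",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, value as written, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCHING_ATTRS.get(tag)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        raw = attrs.get(attr) if attr else None
        # Relative and scheme-relative references inherit the page's scheme.
        resolved = urljoin(self.page_url, raw.strip()) if raw else ""
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, raw, resolved))

def find_mixed_content(page_url, html):
    """Return http:// loads and form targets found on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page; every hostname is a placeholder.
SAMPLE_PAGE_URL = "https://shop.example/checkout/"
SAMPLE_HTML = """
<link rel="stylesheet" href="/wp-content/themes/t/style.css">
<script src="//cdn.example/lib.js"></script>
<img src="http://cdn.example/logo.png">
<iframe src="http://player.example/video/1"></iframe>
<form action="http://shop.example/pay" method="post"></form>
<a href="http://other.example/">external link</a>
"""

if __name__ == "__main__":
    for tag, raw, resolved in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> {raw} -> {resolved}")
```

The form target is checked because posting from a secure page to an http:// URL is what produces the Firefox "unencrypted connection" prompt quoted earlier on this page.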

plain http images with a https/ssl page

Is it still not kosher to have a https page with images that are not accessed via SSL? (i.e. imagine a web app which is SSL for all important content, but images and styles are coming via a plain http CDN).
Correct, it's still not kosher. It will cause warnings in many browsers about "mixing secure and insecure content."

SSL-enabled sites and links

I have a page on my site which was meant to be SSL enabled. Now, if the page has a link to an external site, does this invalidate my SSL encryption?
Thanks
SSL deals with the communication between your server and the requesting browser. When using SSL the html that comprises your page is sent over an encrypted channel to the browser. The browser then decrypts the html and renders the contents. Whether or not that html contains links to other websites than your own means absolutely nothing.
If you are loading a section of a page from another site, for instance an iframe, then the encrypted HTML that is sent to the browser only has a link to this external content. If that external content does not encrypt content, it does not affect the encrypted content from your site.
However, this can lead to security issues. You do not control what that external content is, it could just log all of the user's cookies, which could be used to steal passwords.
