HTTPS call from HTTP page IFrame - http

I have an HTTP page from which I want to make an HTTPS call for login (I have already done that).
My question is:
Is it safe to call like this? If not, what additional things should we do to support this functionality? My home page is HTTP and when the user clicks on Sign In it redirects to an HTTPS page. Now I want to give one drop-down IFrame, ask for credentials and make the HTTPS call from the IFrame. I have seen this on some sites and am wondering what they are doing differently for this.
Is there any limitation on the browser that is used for this call, i.e. IE versions, Chrome, Firefox, Opera? Does it work for all browsers and versions?
I have come across a few old posts but could not find a satisfactory answer:
HTTP and HTTPS iframe
Any help would be greatly appreciated.

Related

Should a whole site be https or just key pages (and how to keep pages http from https)

I've just put an ssl on a WP site and was wondering if all pages should be https, or just the key ones (checkout, etc).
It's about 1500 pages and posts. So going through and finding all non secure assets could take a while.
1) Is it worth making the whole site https?
2) Is the speed an issue these days (from the research I've been doing, it appears it's not so much of an issue anymore)
3) If only key pages are https, is it possible to make the links on the page http? (i.e. After ordering on a secure page, the customer is redirected to a secure confirmation page. But let's say they then click through to the blog... the blog shows up as https... but because it has unsecure elements, it shows error messages in the browser.) So, is it possible to click from an https page to a non-https page?
(I am using the "Wordpress Https Plugin", which has a "Force SSL Exclusively" function, but, this causes problems with the shopping cart on there, so it can't be used.) Thanks
You know, honestly, at this point if you're making any page secured with https -- which means you somehow deal with the cert issue -- just make them all. The performance hit is less noticeable if the first SSL/TLS handshake happens when first finding the landing page, and there aren't many advantages to sticking with HTTP.
Update
I guess that wasn't clear enough, or... hm, I think I just got tl;dr'd on a one-paragraph answer.
IF "you're going to use HTTPS at all"
THEN
"You might as well just use it everywhere."
ELSE
"Don't."
FI
Yes, you should definitely make your entire website https if you are able. However, mixing non-https content inside the same page will make most browsers give users warnings, which might confuse them into thinking your site has security problems.
Linking to non-https sites is not a problem, but using assets (javascript, css, images) from non-https sites is.
Unless your site is visited daily by millions of users, you probably shouldn't worry about the performance hit and make the whole thing https. Remember that nowadays Google takes https as a signal for better ranking your site, so it's good for SEO as well.

Obtaining token from token service

I am trying to obtain a token for my UCWA app using passive auth. My setup is that once I receive the 401 challenge, I take the link to the token service from the ms_rtc_passiveauthuri parameter and I visit this website (PassiveAuth.aspx) by creating a hidden iframe in the background of my website. A couple of redirects happen in that iframe but eventually I successfully get the cookie and I proceed with creating the UCWA app.
This works nicely in IE, Chrome, Firefox and Opera, but Safari seems to refuse to do these redirections inside of that iframe.
I also tried to visit this token service by using the XFrame (and using helper library's Transport.clientRequest), but the result is 406 Not Acceptable.
Do you know about any workaround for Safari? Or, more importantly, is my approach correct - is this how it's meant to be used?
Thanks for any suggestion
Did you manage to work this out? I am having the same issues.
Edit : See the comments below for the answer - look out for the WWW-Authenticate and Www-Authenticate headers.

How to automate logging in and retrieve data?

I want to automate logging into a website and retrieving certain data.
I thought the way to do this would be to sniff the HTTP requests so I know where the login form is being POSTed to so I can do the same using NodeJS/Java/Python.
However I can't seem to find the HTTP request that handles it.
The site seems to use some Java-applet and a lot of Javascript.
This is the site: link
Should I have a different approach?
I also wonder about storing a session cookie, and sending it with each HTTP request after logging in.
I'm sorry if I am not too clear, I will try to explain myself further and edit this post if needed.
You can use the developer console (hit F12) in Chrome (this works also in other browsers) and then click the "Network" tab. There you see all network calls.
To detect what http requests are performed from a mobile device, you can use a proxy like Charles Proxy.
Also be aware that if you post from nodejs the cookies won't be set in the users browser.
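An added example (not from the question or the answer) of the approach the answer points to once the login POST has been located in the Network tab: replay that POST from a script and keep the returned session cookie in a cookie jar that is sent with every later request. This is also why, as the answer notes, a script's login never produces a cookie in the user's browser: the jar lives in the script. The target site is not reachable offline, so a constructed local server standing in for a cookie-based login is included; the credentials and session id are made up.

```python
"""Replay a sniffed login POST and keep the session cookie for later
requests, using only the standard library.  Added example, not from the
original post.  The real site is not reachable here, so a constructed local
server that mimics a cookie-based login stands in for it; the credentials
and session id are made up."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VALID_USER, VALID_PASS = "alice", "s3cret"   # constructed
SESSION_COOKIE = "sid=9f1c2d"                # constructed


class FakeSite(BaseHTTPRequestHandler):
    """Login form posts to /login; success sets a cookie and redirects to /data."""

    def _reply(self, code, body=b"", extra=()):
        self.send_response(code)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if (self.path == "/login" and fields.get("user") == [VALID_USER]
                and fields.get("pass") == [VALID_PASS]):
            self._reply(302, extra=[("Set-Cookie", SESSION_COOKIE + "; HttpOnly; Path=/"),
                                    ("Location", "/data")])
        else:
            self._reply(401, b"bad credentials")

    def do_GET(self):
        if self.path == "/data" and SESSION_COOKIE in self.headers.get("Cookie", ""):
            self._reply(200, b"balance=42")
        else:
            self._reply(403, b"login required")

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_site():
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def make_session():
    # The CookieJar plays the browser's role: whatever Set-Cookie the login
    # response carries is stored here and attached to every later request.
    jar = CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar)), jar


def login_and_fetch(base, user, password):
    opener, jar = make_session()
    form = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    with opener.open(base + "/login", data=form) as resp:   # the sniffed POST
        after_login = resp.read()   # 302 followed as GET /data, cookie attached
    with opener.open(base + "/data") as resp:               # a later request
        later = resp.read()
    return after_login, later, [c.name for c in jar]


def run_demo():
    server, base = start_fake_site()
    try:
        after_login, later, cookies = login_and_fetch(base, VALID_USER, VALID_PASS)
        try:                       # no jar, no cookie: the site refuses
            urllib.request.urlopen(base + "/data").close()
            anonymous = 200
        except urllib.error.HTTPError as err:
            anonymous = err.code
        return {"after_login": after_login, "later": later,
                "cookies": cookies, "anonymous_status": anonymous}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against a real site, replace the fake server with the URL and field names read from the Network tab, and expect extra steps: a hidden CSRF token in the form, a JavaScript-computed value, or (as in the question) a Java applet that talks to the server itself, none of which a plain form replay reproduces.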

Security Error on WordPress site using WooCommerce, cleaner theme and PayPal

I am using a combination of things and not sure where the error is coming from: I have a WordPress site with an installed SSL cert, https://www.joesmetrobox.com. I have the Cleanr theme installed and I am using WooCommerce and the PayPal Advanced plug-in to use PayPal as the way I process payments.
Everything is fine until I try to submit the credit card information on this page: checkout/pay/?key=order_51882ad846e67&order=360 (this would be unique per transaction). Then depending on the browser I get an error:
Firefox: Security Warning: Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by others. Are you sure you want to continue sending this information?
Firebug gives me this error: 404 error for wp-content/themes/cleanr/js/scripts.js?ver=1.0, a file which does not seem to exist.
Explorer 8: Security Warning: Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
Chrome: Secure Token Expired
and if I use their developer tools I also get this extra clue: Unsafe JavaScript attempt to access frame with URL https://joesmetrobox.com/checkout/pay/?key=order_5188245e1ae70&order=361 from frame with URL https://payflowlink.paypal.com/?mode=LIVE&SECURETOKEN=LvNtL1gubfE6Z5lwc2gMiQgJ0&SECURETOKENID=joesmetro51882d664015d4.15989435. Domains, protocols and ports must match.
So I am pretty stumped at this point where to even focus my attention. I am not a programmer and know just enough to be dangerous.
I am wondering if it is some kind of token setting in Paypal that I accidentally clicked and don't need? or maybe WooCommerce isn't playing nice with Paypal, Cleanr theme or maybe both.
I just want to be able to process payments without an error popping up...does anyone have ideas?
A plugin like this may help you implement HTTPS on your site.
http://wordpress.org/extend/plugins/wordpress-https/
WooCommerce Reference: http://docs.woothemes.com/document/ssl-and-https/
Insecure content warnings
If you have insecure content warnings when viewing a secure page, it means you are linking directly to scripts, images, or stylesheets over http instead of https. Most of the time this is simply fixed by changing said links to https or by using relative URLs (e.g. /wp-content/file instead of http://yoursitename/wp-content/file). You can also use a plugin like WordPress HTTPS to force the URLs to be secure. WooCommerce does secure scripts which are enqueued correctly.
To identify the insecure links you can use a tool such as Firebug for Firefox, or Chrome's built-in developer tools, and look at the error console: insecure resources will be listed.
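Both this answer and the one above (links to http sites are fine, http assets are not) come down to the same check. The following is an added example, not code from either answer or from WooCommerce: a small standard-library scanner that reads a saved copy of an https page, separates http subresources (mixed content), forms that post over http (the Firefox warning quoted in the question) and plain http hyperlinks (harmless), and applies the relative-URL fix from the WooCommerce note to each finding. The sample page and the .test hostnames are constructed for the demonstration.

```python
"""Find the http:// resources that make an https page show mixed-content
warnings.  Added example (not code from either answer or from WooCommerce);
uses only the standard library.  The sample page and the .test domains are
constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Elements whose URL attribute loads a subresource into the page.  Fetching
# any of these over plain http from an https page is mixed content.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "source": "src",
    "video": "src", "audio": "src", "embed": "src", "object": "data",
}
# <link> only fetches something for these rel values; rel="canonical" and
# the like are plain references and harmless over http.
LOADING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active = []    # subresources fetched over http -> warning or block
        self.forms = []     # forms posting to http -> "sent unencrypted" warning
        self.links = []     # <a href="http://..."> -> harmless, just a link
        self.relative = []  # scheme-less URLs that inherit the page's https

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_ATTRS:
            self._classify(tag, attrs.get(SUBRESOURCE_ATTRS[tag]), self.active)
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & LOADING_LINK_RELS:
                self._classify(tag, attrs.get("href"), self.active)
        elif tag == "form":
            self._classify(tag, attrs.get("action"), self.forms)
        elif tag == "a":
            self._classify(tag, attrs.get("href"), self.links)

    def _classify(self, tag, raw, bucket):
        if not raw:
            return
        scheme = urlsplit(raw).scheme        # urlsplit lower-cases the scheme
        resolved = urljoin(self.page_url, raw)
        if scheme == "":
            # "/path" or "//host/path": resolves against the https page URL
            self.relative.append((tag, raw, resolved))
        elif scheme == "http":
            bucket.append((tag, resolved))
        # https:, data:, mailto:, javascript: ... are not mixed content


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner


def suggest_fix(page_url, url):
    """The WooCommerce advice in code: a same-host http URL becomes a relative
    path; a third-party one is switched to https (verify that host serves it)."""
    page, res = urlsplit(page_url), urlsplit(url)
    if res.netloc.lower() == page.netloc.lower():
        return urlunsplit(("", "", res.path, res.query, res.fragment))
    return urlunsplit(("https",) + tuple(res)[1:])


# Constructed checkout page; hostnames under .test are not real.
PAGE_URL = "https://www.example-shop.test/checkout/pay/?key=order_x&order=1"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example-shop.test/wp-content/themes/x/style.css">
<link rel="canonical" href="http://www.example-shop.test/checkout/">
<script src="http://www.example-shop.test/wp-content/themes/x/js/scripts.js?ver=1.0"></script>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend.js"></script>
<script src="//cdn.example.test/lib.js"></script>
</head><body>
<img src="http://www.example-shop.test/wp-content/uploads/logo.png">
<form action="http://www.example-shop.test/checkout/pay/" method="post">
  <input name="card_number"></form>
<a href="http://www.example-shop.test/blog/">Blog</a>
<a href="https://www.example-shop.test/">Home</a>
</body></html>"""


def report(page_url=PAGE_URL, html=SAMPLE_HTML):
    """Return the findings a practitioner would act on, worst first."""
    r = scan(page_url, html)
    lines = [f"FORM POSTS OVER HTTP: {url}" for _, url in r.forms]
    lines += [f"MIXED CONTENT <{tag}>: {url} -> use {suggest_fix(page_url, url)}"
              for tag, url in r.active]
    lines += [f"ok (link only): {url}" for _, url in r.links]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Save the checkout page's HTML from the browser (View Source) and pass it to scan(). The report lists the form action first because a form posting over http exposes the card details themselves, whereas a warned or blocked script only breaks the page. For third-party hosts the suggested https URL is a guess until you confirm that host actually serves the asset over https.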

switching between http and https - how to inform google

My site is deployed on amazon aws and I have two listeners on the load balancer.
One for http and one for https.
Google links to the http url, however I'd like it to link to the https listener as I am about to disable the http listener on port 80.
Can anyone recommend an approach which will result in the smoothest transition from the perspective of people finding my site through google?
You'll need a redirect. This means that, for now, you can't turn off the listener on http, but need to put the permanent redirect there instead. When Google next checks, it'll spot the permanent redirect, drop the old link and create the new one.
You could try submitting a new site map, but you'd lose any ranking your old links had gained as they would all appear as new links, plus there's no telling how long it would take Google to use the site map.
And there's also Bing and Yahoo and other search engines. Probably not as common, but best to hit on a solution that gets them all.
Redirect using .htaccess - google it or reply here if you're stuck and I'll add to the answer
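An added example of the redirect this answer describes, for the case where the application itself runs behind the AWS load balancer rather than Apache with .htaccess (not code from the original answer). It is a WSGI middleware; the load balancer terminates TLS and passes the client's scheme in X-Forwarded-Proto, which is trusted only because the app is assumed to be unreachable except through the balancer. The host name and the request environments are constructed.

```python
"""Permanent http -> https redirect for an app behind a TLS-terminating load
balancer, as WSGI middleware.  Added example, not from the original answer.
Assumptions: the balancer sets X-Forwarded-Proto (AWS ELB does) and the app
is reachable only through the balancer, so that header can be trusted."""
from urllib.parse import quote

HSTS_MAX_AGE = 60 * 60 * 24 * 30   # 30 days; raise once the redirect is proven


class HttpsRedirect:
    def __init__(self, app, canonical_host):
        self.app = app
        # Redirect to a fixed host, not to the request's Host header: an
        # attacker-chosen Host would otherwise turn this into an open redirect.
        self.canonical_host = canonical_host

    def request_scheme(self, environ):
        # Behind the balancer wsgi.url_scheme is always "http"; the scheme the
        # client actually used arrives in X-Forwarded-Proto.
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
        return environ.get("wsgi.url_scheme", "http").lower()

    def redirect_target(self, environ):
        """https URL to send the client to, or None if it already used https."""
        if self.request_scheme(environ) == "https":
            return None
        path = quote(environ.get("PATH_INFO") or "/")
        target = f"https://{self.canonical_host}{path}"
        if environ.get("QUERY_STRING"):
            target += "?" + environ["QUERY_STRING"]
        return target

    def __call__(self, environ, start_response):
        target = self.redirect_target(environ)
        if target is not None:
            # 301: crawlers replace the http URL with the https one.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS on https responses, so it goes here.
            headers = list(headers) + [
                ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}")]
            return start_response(status, headers, exc_info)

        return self.app(environ, with_hsts)


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served over https\n"]


def call(app, environ):
    """Run a WSGI app on one request and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = HttpsRedirect(hello_app, "www.example.test")

# Constructed requests as the balancer would forward them.
HTTP_REQUEST = {"wsgi.url_scheme": "http", "HTTP_X_FORWARDED_PROTO": "http",
                "HTTP_HOST": "www.example.test",
                "PATH_INFO": "/blog/post", "QUERY_STRING": "p=1"}
HTTPS_REQUEST = dict(HTTP_REQUEST, HTTP_X_FORWARDED_PROTO="https")
SPOOFED_HOST = dict(HTTP_REQUEST, HTTP_HOST="attacker.test")

if __name__ == "__main__":
    for name, env in [("http", HTTP_REQUEST), ("https", HTTPS_REQUEST)]:
        status, headers, body = call(app, env)
        print(name, status, headers.get("Location", ""), body)
```

Two details matter for the search-engine transition and for safety: the status is 301 rather than 302, so crawlers replace the http URL instead of keeping it, and the Location is built from a fixed canonical host rather than the incoming Host header, which would otherwise let anyone craft an open redirect through the site. The HSTS header is added only on https responses because browsers ignore it elsewhere; keep its max-age short until the redirect has been verified on every path, since a long value cannot be recalled from clients that already saw it.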
