I created a Blazor Server API. I am hosting this on IIS on my local PC using HTTPS only with a self generated certificate. It works a treat. I created another Blazor Server API, created another website for it in exactly the same way as I did the first, but when I run the new website I get a mixed-content error. Please don't get bogged down in that, I understand what that means and I have read for about 8 hours on how to fix it. None of the solutions I came across worked.
So, I published my new API to the working website and voila, it works perfectly. This leads me to believe that it is something to do with how I have set up the new site on IIS.
So I deleted the "broken" website via IIS, edited my applicationHost.config, duplicating the original working site, made the appropriate changes and fired up IIS again. Re-published my new API, same problem.
One thing I don't understand is, it fails on a call to 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png', but then displays the image that it refers to!!! Not sure if this is a red herring, as it works fine when published to the original website, reinforcing my initial thought that it must be an IIS setup thing.
Here are the things that are failing:
All of which exist on the working API/website
Any help gratefully appreciated.
Edit
Console log as requested:
transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/2020/notification_page_logo_145x35.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
transactions.oracle.local/:71 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
transactions.oracle.local/:71 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/2020/notification_page_logo_145x35.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure script 'http://www.mailcontrol.com/http-resources/notification-pages/empty.js'. This request has been blocked; the content must be served over HTTPS.
(Hangs head in shame) The mixed content issue was a complete red herring. Some idiot made a typo in the hosts file...
Sorry to anyone that wasted their time looking at this non-issue. Valuable lesson for those that follow though..
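A triage helper for console output like the log above, added here as an example and not part of the original posts: it parses Chrome's Mixed Content lines, records whether each request was upgraded, blocked or loaded with a warning, and flags whether the insecure resource sits on the page's own host. The function names are assumptions; the sample lines are copied from console output quoted on this page.

```javascript
// Added example: triage Chrome "Mixed Content" console lines by host and outcome.
const MIXED_RE = /Mixed Content: The page at '([^']*)' was loaded over HTTPS, but\s+requested an insecure ([a-z ]+?)\s+'([^']*)'\.\s*(.*)$/;

function hostOf(url) {
  // DevTools sometimes redacts URLs to the literal '<URL>', which does not parse.
  try { return new URL(url).host; } catch { return null; }
}

function parseMixedContent(line) {
  const m = MIXED_RE.exec(line);
  if (!m) return null; // not a mixed-content message
  const [, page, kind, resource, rest] = m;
  let outcome = 'unknown';
  if (/automatically upgraded/.test(rest)) outcome = 'upgraded';
  else if (/has been blocked/.test(rest)) outcome = 'blocked';
  else if (/should also be served/.test(rest)) outcome = 'loaded-with-warning';
  const host = hostOf(resource);
  return { page, kind, resource, outcome, host,
           samePageHost: host !== null && host === hostOf(page) };
}

function summarize(lines) {
  const counts = {};
  for (const r of lines.map(parseMixedContent)) {
    if (!r) continue;
    const key = `${r.host ?? '(redacted)'}|${r.kind}|${r.outcome}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Sample lines copied from console output quoted on this page.
const SAMPLE_LINES = [
  "transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html",
  "Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.",
  "transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure script 'http://www.mailcontrol.com/http-resources/notification-pages/empty.js'. This request has been blocked; the content must be served over HTTPS.",
  "Mixed Content: The page at 'https://www.ebdesign.com/node/add/article' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.ebdesign.com/themes/contrib/at_theme/at_core/ckeditor/skins/mimic/editor.css?t=r9mmak'. This request has been blocked; the content must be served over HTTPS.",
  "indicator.gif Failed to load resource: the server responded with a status of 404 (Not Found)",
];

console.log(summarize(SAMPLE_LINES));
```

A hit on the page's own host points at how the site builds its asset URLs, while a hit on another host shows that the returned markup references that site.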
Related
I can't use CKEditor when on Cloudflare. As soon as I edit the node... I get an empty WYSIWYG editor. Same for comments.
And the console error is
Mixed Content: The page at 'https://www.ebdesign.com/node/add/article' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.ebdesign.com/themes/contrib/at_theme/at_core/ckeditor/skins/mimic/editor.css?t=r9mmak'. This request has been blocked; the content must be served over HTTPS.
It works fine on regular hosting without Cloudflare...
I have an issue on my website.
When I access the website by IP everything is good, but when I access the website by domain name I get this error:
Mixed Content: The page at `<URL>` was loaded over HTTPS, but
requested an insecure stylesheet `<URL>`. This request has been
blocked; the content must be served over HTTPS.
https://141.105.67.4/en/games
https://g11games.com/en/games
Can you please help to solve this issue.
As the error states, your website is being loaded via HTTPS, but the scripts contained within the website are being loaded via HTTP. Likely, in your config, you have set APP_URL to point to the HTTP URL, so all assets on your website are using that as the base URL. Changing that to HTTPS should resolve the errors.
fixed by adding
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
My RSS feeds are not working on my home page after I changed my site to all HTTPS (ex. https://www.colonialstock.com). Any ideas why and how to fix this? I use dynamic drive for my feed display code. All of the code is on the home page.
Here are the errors from Google/Chrome developer tools:
yui-min.js:12 Mixed Content: The page at 'https://www.colonialstock.com/index.htm' was loaded over HTTPS, but requested an insecure script 'http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20rss(0%2C2)%2…es.org%2Falltables.env&callback=YUI.Env.JSONP.yui_3_18_1_2_1493852745498_2'. This request has been blocked; the content must be served over HTTPS.
_insert # yui-min.js:12
yui-min.js:12 Mixed Content: The page at 'https://www.colonialstock.com/index.htm' was loaded over HTTPS, but requested an insecure script 'http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20rss(0%2C2)%2…es.org%2Falltables.env&callback=YUI.Env.JSONP.yui_3_18_1_3_1493852745498_2'. This request has been blocked; the content must be served over HTTPS.
_insert # yui-min.js:12
yui-min.js:12 Mixed Content: The page at 'https://www.colonialstock.com/index.htm' was loaded over HTTPS, but requested an insecure script 'http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20rss(0%2C1)%2…es.org%2Falltables.env&callback=YUI.Env.JSONP.yui_3_18_1_4_1493852745498_2'. This request has been blocked; the content must be served over HTTPS.
_insert # yui-min.js:12
indicator.gif Failed to load resource: the server responded with a status of 404 (Not Found)
I am getting intermittent mixed content errors on my https site. The site link is stakeholdermap.com
I have checked Chrome Dev tools > Network tab and I am seeing unsecure URLs; examples below:
Mixed Content: The page at 'https://www.stakeholdermap.com/stakeholder-analysis.html' was loaded over HTTPS, but requested an insecure plugin data 'http://static.vertamedia.com/static/vpaid-ssp-vast.swf?aid=41476&sid=0&cb=146233.42079096.743365'. This content should also be served over HTTPS. ads?client=ca-pub-3370240294319443&format=300x250&output=html&h=250&slotname=8722343817&adk=5159607…
Mixed Content: The page at 'https://www.stakeholdermap.com/stakeholder-analysis.html' was loaded over HTTPS, but requested an insecure plugin data 'http://ads2.vertamedia.com/vast/vpaid-config/?width=300&height=250&aid=4147…takeholdermap.com&v=2.2.90&t=flash&video_duration=&cb=73026784276589750000'. This content should also be served over HTTPS.
But the ad slots are using the latest code (//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js)
I am pretty certain these are loaded by Adsense. My question is how can I block this or force it to use https?
Ask the user's browser to fetch the secure content, if possible:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
If the ad is available via https, then it will fetch that version, otherwise, the content will be blocked and another shown in its place. Put the meta in the <head> section of your pages where all your other meta tags are located.
You can find more information here: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
I'm attempting to load Google Fonts and an image over HTTPS, but they keep loading over HTTP, despite changing the path to "https" in all of the assets.
Mixed Content: The page at 'https://' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Roboto:400,100,100italic,300italic,300,400italic,500,500italic,700,700italic,900,900italic'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://' was loaded over HTTPS, but requested an insecure image
'http://farm6.staticflickr.com/5267/5783999789_9d06e5d7df_b.jpg'. This content should also be served over HTTPS.
You can use a protocol-related URL like this:
'//fonts.googleapis.com/css?family=Roboto:400,100,100italic,300italic,300,400italic,500,500italic,700,700italic,900,900italic'.
Also, do not forget to run
rake assets:precompile
before pushing to Heroku.
For people who are facing similar troubles using Laravel, {{HTML::style('css/style.css')}} and {{HTML::script('js/script.js')}} can simply be made secure in the HTMLBuilder by modifying the statements to
{{HTML::style('css/style.css',array(),true)}} and
{{HTML::script('js/script.js',array(),true)}}
where 'true' insists that the content is served secure, or over HTTPS.
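The answers above that suggest `upgrade-insecure-requests` and scheme-less `//host/...` URLs can be checked against markup before deploying. The following audit is an added example, not code from any of the posts: it lists subresources that an HTTPS page would request over plain HTTP and how the browser treats each. The function names, `app.example.test` and `example.test` are assumptions, and the sample HTML is constructed from URLs quoted on this page.

```javascript
// Added example: find http:// subresources in an HTML string (regex scan,
// adequate for an audit pass, not a full HTML parser).
const URL_ATTR = new Map([['script', 'src'], ['iframe', 'src'], ['link', 'href'],
                          ['img', 'src'], ['audio', 'src'], ['video', 'src']]);
// Scripts and stylesheets are blocked in the console output quoted on this
// page; iframes are treated the same way. Images and media are upgraded or
// loaded with a warning, depending on browser version.
const BLOCKED = new Set(['script', 'iframe', 'link']);

function attr(tag, name) {
  // Leading \s keeps "src" from matching inside "data-src".
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditMixedContent(html, pageUrl) {
  // The <meta> CSP from the answers above makes the browser rewrite every hit.
  const cspUpgrade = /<meta\b[^>]*upgrade-insecure-requests/i.test(html);
  const findings = [];
  for (const [tag, rawName] of html.matchAll(/<([a-z][a-z0-9]*)\b[^>]*>/gi)) {
    const name = rawName.toLowerCase();
    if (!URL_ATTR.has(name)) continue;            // <a href> is navigation, not a subresource
    if (name === 'link' && !/\bstylesheet\b/i.test(attr(tag, 'rel') || '')) continue;
    const raw = attr(tag, URL_ATTR.get(name));
    if (!raw) continue;
    let url;
    try { url = new URL(raw, pageUrl); } catch { continue; } // resolves relative and //host forms
    if (url.protocol !== 'http:') continue;
    const upgraded = new URL(url.href);
    upgraded.protocol = 'https:';
    findings.push({ tag: name, url: url.href, upgraded: upgraded.href,
      sameHost: url.host === new URL(pageUrl).host,
      treatment: cspUpgrade ? 'upgraded-by-csp'
               : BLOCKED.has(name) ? 'blocked' : 'upgraded-or-warned' });
  }
  return findings;
}

// Constructed sample; the font and image URLs are shortened from those quoted above.
const SAMPLE_HTML = `
<link rel="canonical" href="http://example.test/page">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Roboto:400,100">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto:400,100">
<img data-src="http://example.test/lazy.jpg" src="http://farm6.staticflickr.com/5267/5783999789_9d06e5d7df_b.jpg">
<script src="/js/script.js"></script>
<a href="http://example.test/">link</a>`;

console.log(auditMixedContent(SAMPLE_HTML, 'https://app.example.test/'));
```

Only the `http://` stylesheet and image are reported; the scheme-less and relative references inherit `https:` from the page, and the canonical link and anchor are not subresource loads.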