Preflight CORS request fails on some versions of Firefox - firefox

Using Firefox 45.8.0 ESR on Windows.
Trying to load https://secure.scheduleonce.com/dana
The page doesn't load, and in the network panel I see a crossed padlock icon instead of the green padlock icon for this request:
OPTIONS https://cfproxy.scheduleonce.com/get-data/GetLandingPageLayout
When floating over the padlock I see the following message:
The connection used to fetch this request was not secure.
The page loads fine on Chrome / Safari / IE and even on more recent versions of FF.
Is there any way to debug what exactly is wrong with that request to the resource? FF doesn't give me any information as to what went wrong.
I suspect it might be related to the fact that it's a preflight CORS request (the requested domain is different from the hosting page's domain).
Attaching a HAR file of the network: https://www.dropbox.com/s/i59k66a2w8p3ast/Archive%2017-09-10%2007-06-15.har?dl=0
It can be viewed here: https://toolbox.googleapps.com/apps/har_analyzer
Thanks.

Problem was with the cipher suite choice on the server.
I used this site to change it, to support older browsers as well:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
I don't know what was in FF 45.8.0 ESR that made it not respect the security of the server.

Related

Can't save PDF from browser if under HTTPS

I have a page which outputs a PDF file to the browser, and sets the following headers:
Content-Type: application/pdf
Content-Disposition: inline; filename="myFile.pdf"
So, the file should be viewed in the browser rather than downloading. This works as expected in Chrome for desktop, except that the "Save" button in the bottom right corner doesn't do anything.
Additionally, when opening on a mobile (where the file is automatically downloaded), the download fails as the file is <Untitled> - despite the presence of filename="myFile.pdf" in the headers.
I thought this was a header issue, but have narrowed it down to the fact the page is under HTTPS. If I open the page under HTTP then everything works as expected (files saved successfully) on both desktop and mobile.
So, is there any way to get this working under HTTPS?
It seems that this issue is due to the SSL certificate under which the website is hosted being invalid.
See more here - Android 2.2 and 2.3 PDF download via HTTPS seems broken

What are set of whitelisting urls for Firefox CSP?

As in the case of the Google Chrome browser (Google Chrome CSP), there is whitelisting of origins:
Currently, we allow whitelisting origins with the following schemes: blob, filesystem, https, chrome-extension, and chrome-extension-resource.
Is there any listing of such origins for Firefox? We are trying to write an add-on for Firefox which will need to load as an iframe.
I currently get the following CSP error when I am trying to load a frame.html read from my add-on XPI resources. It's a frame which then loads the actual frame.
Content Security Policy: The page's settings blocked the loading of a resource at data:text/html;
An iframe with chrome-extension:// as the path works for the Chrome browser; nothing like that is available for Firefox (at least I am unable to trace such a thing).
Please give us some suggestions on a path to get the iframe extension working.
On Firefox data:, blob: and filesystem: are subject to CSP. Use chrome: or resource: instead.
update:
Apparently this approach will not work with the Add-on SDK, probably due to sandbox restrictions.

Cross Origin Resource Sharing Headers not working only for safari

I'm using Rackspace to host my image files that are drawn on an HTML5 canvas object. Because of an HTML security feature when saving a canvas I have to use CORS (Cross Origin Resource Headers) to make save work.
I have tested my code on Chrome, IE with Chrome Frame, and Firefox, and none of them give me a security error after I added to the image request headers:
Access-Control-Allow-Origin: *
and I have added the following attribute to all the images drawn on to the canvas
crossOrigin = "anonymous"
However, for some reason Safari still gives a security error.
SECURITY_ERR: DOM Exception 18: An attempt was made to break through the security policy of the user agent.
Any thoughts as to why this is happening on Safari (desktop 5.1.7, and iPad) versions? I have checked the documentation and everything I have read says that Safari 4+ supports CORS?
Safari 5.2 in beta solves the problem. So it looks like Safari does not yet support CORS for images in released versions. The same goes for iOS Safari.
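The first question above suspects a failing OPTIONS preflight, and this thread relies on `Access-Control-Allow-Origin: *` for canvas images. The following is an added example, not code from any of the posts: it shows which requests a browser preflights and what a server-side preflight answer has to contain. The origin allowlist, header names and the `example.com` hosts are constructed for the example.

```python
# Added example, not code from any post above: a minimal CORS responder showing
# which requests the browser preflights with OPTIONS and what the preflight
# answer must contain. Allowlists and header names are constructed here.
from typing import Dict, Set, Tuple

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True when the browser must send an OPTIONS preflight first. An
    <img crossOrigin="anonymous"> is a GET with no custom headers, so it is
    a 'simple' request: no preflight, the image itself needs Allow-Origin."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:          # e.g. Authorization, X-Token
            return True
        if lname == "content-type" and \
                value.split(";", 1)[0].strip().lower() not in SIMPLE_TYPES:
            return True                        # e.g. application/json
    return False


def preflight_response(headers: Dict[str, str], allowed_origins: Set[str],
                       allowed_methods: Set[str], allowed_headers: Set[str],
                       with_credentials: bool = False) -> Tuple[int, Dict[str, str]]:
    """Answer an OPTIONS preflight. Anything not on the allowlists gets no
    Access-Control-* headers; that absence makes the browser refuse the request."""
    origin = headers.get("Origin", "")
    method = headers.get("Access-Control-Request-Method", "").upper()
    requested = {h.strip().lower() for h in
                 headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()}
    if (origin not in allowed_origins or method not in allowed_methods
            or not requested <= allowed_headers):
        return 403, {}
    resp = {
        # Echo the one allowed origin; Vary keeps caches from reusing it elsewhere.
        # '*' (as in the Safari post) suits public images, but browsers reject
        # '*' together with Allow-Credentials.
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(sorted(allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
        "Access-Control-Max-Age": "600",       # browser caches the preflight
    }
    if with_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    return 204, resp
```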

going from http to https version of site in firefox has insecure elements on first load

Our e-commerce site uses http for general site browsing and https for checkout. This process works in all browsers except for Firefox. On Firefox, we are seeing an error that not all elements are secure.
Using Firefox:
Go to http://www.creativecrash.com/marketplace/3d-models/vehicle/cars/sedan/c/seat-ibiza-2013-5door
click Add to Cart
click Checkout
Now the site should not be partially secure. If you click the icon beside the URL it should say "Your connection to this site is only partially encrypted, and does not prevent eavesdropping".
Now reload the page. It should suddenly be fully secure.
Any ideas on why this is happening and how we can fix it would be most appreciated.

Easy way to determine what content is not delivered using a secure HTTPS connection?

I have some pages that are sent via HTTPS. Internet Explorer sometimes complains about "This webpage contains content that will not be delivered using a secure HTTPS".
I looked in the html source to confirm all content calls (href, src, etc...) are sent via https. My CSS files use relative paths. But I'm still getting these warnings.
Is there an easy way to track down which items are not sent via HTTPS?
You could fire up Fiddler to see what exactly IE is requesting over regular HTTP.
In Fiddler's default configuration, HTTPS requests will show up with a lock and CONNECT as the host. HTTP requests will have a non-lock icon.
I usually use Firefox + Firebug (the "Net" tab) to find the offending request. You could also use Fiddler for this. (with any browser)
I've used the following site before - I find it easier than loading up Firebug / Fiddler.
http://www.whynopadlock.com/
You can use SslCheck.
It's a free online tool that crawls a website recursively (following all internal links) and scans for insecure content - images, scripts and CSS.
(disclaimer: I'm one of the developers)
In Google Chrome, similar to Firefox w/ FireBug, you can use the 'Network' tab of the Developer Tools console.
Open the Developer Tools console, go to the 'Network' tab, and reload the target page. Any warnings with the page, such as insecure content being loaded, will be indicated with the number of warnings and an 'alert' icon in the bottom right corner (Chrome v23.x). Click on the icon and a list of the warnings, in this case the resources being loaded insecurely, will be displayed.
Using the following tools could help:
Firefox's Firebug: opening the Network tab shows you connection details for each resource.
Fiddler: acts as a sniffer and allows you to explore the details of each connection.
Using Firefox: view the generated source vs. viewing the source.
There is probably a JavaScript file that is creating a div/iframe that is insecure.
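The question above asks for an easy way to find which items on an HTTPS page are not fetched over HTTPS. As an added example, not code from any of the answers, here is a small static scan of a page's HTML that reports every subresource referenced with a plain `http://` URL; the sample page and `cdn.example.com` host are constructed. As the last answer notes, elements created later by JavaScript are not in the static source, so for those the browser's generated source or Network tab is still needed.

```python
# Added example, not code from any answer above: a static mixed-content scan
# of an HTTPS page's HTML (sample page constructed). Elements created later by
# JavaScript, the last answer's case, are invisible to it; use the generated
# source or the Network tab for those.
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. <a href> is navigation,
# not mixed content, so it is left out on purpose.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("img", "srcset"), ("script", "src"), ("iframe", "src"),
    ("link", "href"), ("source", "src"), ("source", "srcset"), ("video", "src"),
    ("audio", "src"), ("embed", "src"), ("object", "data"), ("form", "action")}
# url(http://...) inside <style> blocks or style="" attributes
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (where, insecure URL)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in SUBRESOURCE_ATTRS:
                # srcset lists "url 1x, url 2x". Relative and protocol-relative
                # (//host/x) URLs inherit https and are not reported.
                for cand in (value.split(",") if name == "srcset" else [value]):
                    url = cand.strip().split(" ")[0]
                    if url.lower().startswith("http://"):
                        self.findings.append((f"<{tag} {name}>", url))


def find_mixed_content(html):
    """Return (where, url) for every subresource fetched over plain http."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings + [("css url()", u) for u in CSS_URL.findall(html)]


SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<style>body { background: url(http://cdn.example.com/bg.png) }</style>
</head><body><img src="//cdn.example.com/logo.png">
<img srcset="https://cdn.example.com/a.png 1x, http://cdn.example.com/a2x.png 2x">
<a href="http://www.example.com/help">help</a>
<script src="https://cdn.example.com/app.js"></script></body></html>"""
```

Running `find_mixed_content(SAMPLE_HTML)` reports the http stylesheet, the 2x srcset candidate and the CSS background image, and ignores the relative, protocol-relative and `<a href>` URLs.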
