I am getting intermittent mixed content errors on my https site. The site link is stakeholdermap.com
I have checked Chrome Dev tools >Network tab and I am seeing unsecure urls examples below:
Mixed Content: The page at 'https://www.stakeholdermap.com/stakeholder-analysis.html' was loaded over HTTPS, but requested an insecure plugin data 'http://static.vertamedia.com/static/vpaid-ssp-vast.swf?aid=41476&sid=0&cb=146233.42079096.743365'. This content should also be served over HTTPS. ads?client=ca-pub-3370240294319443&format=300x250&output=html&h=250&slotname=8722343817&adk=5159607…
Mixed Content: The page at 'https://www.stakeholdermap.com/stakeholder-analysis.html' was loaded over HTTPS, but requested an insecure plugin data 'http://ads2.vertamedia.com/vast/vpaid-config/?width=300&height=250&aid=4147…takeholdermap.com&v=2.2.90&t=flash&video_duration=&cb=73026784276589750000'. This content should also be served over HTTPS.
But the adslots are using latest code (//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js)
I am pretty certain these are loaded by Adsense. My question is how can I block this or force it to use https?
Ask the users browser to fetch the secure content, if possible:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
If the ad is available via https, then it will fetch that version, otherwise, the content will be blocked and another shown in its place. Put the meta in the <head> section of your pages where all your other meta tags are located.
You can find more information here: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
Related
I created a Blazor Server API. I am hosting this on IIS on my local PC using HTTPS only with a self generated certificate. It works a treat. I created another Blazor Server API, created another website for it in exactly the same way as I did the first, but when I run the new website I get a mixed-content error. Please don't get bogged down in that, I understand what that means and I have read for about 8 hours on how to fix it. None of the solutions I came across worked.
So, I published my new API to the working website and voila, it works perfectly. This leads me to believe that it is something to do with how I have set up the new site on IIS.
So I deleted the "broken" website via IIS, edited my applicationHost.config, duplicating the original working site, made the appropriate changes and fired up IIS again. Re-published my new API, same problem.
One thing I don't understand is, it fails on a call to 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png', but then displays the image that refers to!!! Not sure if this is a red herring, as it works fine when published to the original website, reinforcing my initial thought that it must be an IIS setup thing.
Here are the things that are failing:
All of which exist on the working API/website
Any help gratefully appreciated.
Edit
Console log as requested:
transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/2020/notification_page_logo_145x35.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure stylesheet '<URL>'. This request has been blocked; the content must be served over HTTPS.
transactions.oracle.local/:71 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/icons60/error.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
transactions.oracle.local/:71 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure element 'http://www.mailcontrol.com/http-resources/notification-pages/2020/notification_page_logo_145x35.png'. This request was automatically upgraded to HTTPS, For more information see https://blog.chromium.org/2019/10/no-more-mixed-messages-about-https.html
transactions.oracle.local/:1 Mixed Content: The page at 'https://transactions.oracle.local/' was loaded over HTTPS, but requested an insecure script 'http://www.mailcontrol.com/http-resources/notification-pages/empty.js'. This request has been blocked; the content must be served over HTTPS.
(Hangs head in shame) The mixed content issue was a complete red herring. Some idiot made a typo in the hosts file...
Sorry to anyone that wasted their time looking at this non-issue. Valuable lesson for those that follow though..
I cant use ckeditor when on cloudflare. As soon as I edit the node...I get empty wysiwyg editor. Same for comments.
And the console error is
Mixed Content: The page at 'https://www.ebdesign.com/node/add/article' was loaded over HTTPS, but requested an insecure stylesheet 'http://www.ebdesign.com/themes/contrib/at_theme/at_core/ckeditor/skins/mimic/editor.css?t=r9mmak'. This request has been blocked; the content must be served over HTTPS.
It works fine on regular hosting without cloudflare...
I have an issue on my website.
When I accessed the website by IP everything is good but when I access the website by domain name I got this error:
Mixed Content: The page at `<URL>` was loaded over HTTPS, but
requested an insecure stylesheet `<URL>`. This request has been
blocked; the content must be served over HTTPS.
https://141.105.67.4/en/games
https://g11games.com/en/games
Can you please help to solve this issue.
As the error states, you website is being loaded via https, but the scripts contained within the website, are being loaded via http. Likely, in your config, you have set APP_URL to point the http URL, so all assets on your website are using that as the base URL. Changing that to HTTPS should resolve the errors.
fixed by adding
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Hello i have an issue with my domain and ssl, when you enter to https://www.limitx.com.mx you can see a error with a ssl encryption, your connection is encrypted with modern cryptography, how i can solve this? i dont know how to fix this issue, i hope can help me. Bes regards guys!
You have two resources on your home page that are served over HTTP (mixed content).
Mixed Content: The page at 'https://limitx.com.mx/' was loaded over
HTTPS, but requested an insecure stylesheet
'http://fonts.googleapis.com/css?family=Roboto:400,900,300,700'. This
request has been blocked; the content must be served over HTTPS.
This is coming from the main file that is generating the HTML:
<link href='fonts.googleapis.com/css?family=Roboto:500,300'; rel='stylesheet' type='text/css'>
You'll need to change this to be
<link href='https://fonts.googleapis.com/css?family=Roboto:500,300'; rel='stylesheet' type='text/css'>
Mixed Content: The page at 'https://limitx.com.mx/' was loaded over
HTTPS, but requested an insecure image
'http://limitx.panamerik.net/skin/frontend/ultimo/default/images/infortis/_shared/generic-nav/buscar.png'.
This content should also be served over HTTPS.
This is coming from https://limitx.com.mx/skin/frontend/ultimo/default/css/styles.css
.form-search .button {
...
background-image: url(http://limitx.panamerik.net/skin/frontend/ultimo/default/images/infortis/_shared/generic-nav/buscar.png);
...
}
You cannot use an HTTPS version of this URL as the certificate for http://limitx.panamerik.net/skin/frontend/ultimo/default/images/infortis/_shared/generic-nav/buscar.png does not match the host.
You can copy this file (buscar.png) locally, perhaps under skin/frontend/ultimo/default/images/infortis/_shared/generic-nav/ and change the CSS to be
.form-search .button {
...
background-image: url(../images/infortis/_shared/generic-nav/buscar.png);
...
}
Well the issue is that other objects on your page are not using ssl, do you have any embeded links that have http instead of say https? I would check those images, they are most likely the culprit. Instead of using relative paths try hardcoding all the images with https://url to image/ alright? That should fix ya up good. Nice site btw.
For your Firefox issues: https://support.mozilla.org/en-US/questions/967766
The only way for websites to "supply ownership information" would be through a secure connection and an "Extended Validation Certificate" which will cost a few hundred USD and upwards per year at the relevant certificate authorities: https://en.wikipedia.org/wiki/Extended_Validation_Certificate
Google Issues: https://support.google.com/chrome/answer/95617?p=ui_security_indicator&rd=1
Your connection to the site is encrypted, but Google Chrome has detected mixed content on the page. Be careful if you're entering information on this page. Mixed content can provide a loophole for someone to manipulate the page. This content could be third- party images or ads embedded on the page.
Internet Explorer.....doesnt see any issues at all.
We're getting allot of Mixed Content errors on the cart page of our Magento Store
Mixed Content: The page at 'https://www.magento.com/onestepcheckout/index/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Lato:400,300,700,900'. This request has been blocked; the content must be served over HTTPS.
I can see the google font file is being called in the head section of our theme via http
<link href='http://fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>
I'm wondering what is the best way to solve this issue should I change the line above to:
Option 1
<link href='https://fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>
OR
Option 2
<link href='//fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>
Which is the best method considering most of our site uses http? I was not aware of Option 2, it seems like a very good approach.
I found a good answer here.
The second option, protocol relative links seems to be the best option.
UPDATED ANSWER
To give a more complete answer, protocol relative URLs help to avoid Mixed Content errors by requesting the resource from whatever protocol the browser is viewing that current page through. This is really useful when your site has pages that use both http & https, as in my case checkout page was being loaded over https while the rest our site uses http.
Example
So if we use a protocol relative url to link to a resource.
<link href='//fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>
When we're on https://www.magento.com/onestepcheckout/index/ the resource will be loaded via https, https://fonts.googleapis.com/css?family=Lato.
And if we're on http://www.magento.com/ the resource will be loaded via http http://fonts.googleapis.com/css?family=Lato
This will avoid any Mixed Content Errors.
Caveats
There are a few things to consider when using this approach though.
IE6 does not know how to hanler protocol relative urls. IE6 has less than 1.7% of the browser market.
IE7 & IE8 support protocol relative URLs but they’ll end up fetching the
resource twice. Once from HTTP and once over HTTPS, which will slow
things down. Again, these older browsers account for very little of the browser market.
Does not work in all email clients (e.g Outlook), so avoid using protocol relative urls in HTML emails
You have to be sure that the server you’re requesting from is capable of serving content over both HTTP and HTTPS. If not you might end up fetching content from an unsecured or nonexistent server port.
Further Reading
https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content
http://www.paulirish.com/2010/the-protocol-relative-url/
http://billpatrianakos.me/blog/2013/04/18/protocol-relative-urls/
I got the exact same error while adding products to cart, I was deploying CDN for Magento 1.9 let me share my solution,
Accoriding to Chrome Console, the URL returned by js about ajaxcart started with HTTP , so I go to review the parameter construture I found this :
js/cmsmart/jquery/ajaxcart/cmsmart-ajaxcart.js: var myajaxcart = baseUrlAjax + 'ajaxcart/index/index/id/';
js/cmsmart/jquery/ajaxcart/cmsmart-ajaxcart.js: var urladdajaxcart = baseUrlAjax + 'ajaxcart/index/index/';
js/cmsmart/jquery/ajaxcart/cmsmart-ajaxcart.js: var checkouturl = baseUrlAjax + 'checkout/cart/add/';
and baseUrlAjax is controlled by PHP echo $url
app/design/frontend/default/theme691/template/cmsmart/ajaxcart/page/head.phtml: var baseUrlAjax = '<?php echo $url; ?>';
and $url is controlled by
app/design/frontend/default/theme691/template/cmsmart/ajaxcart/page/head.phtml >>>
#$url = Mage::getBaseUrl(); #oldone
$url = Mage::getUrl('',array('_secure'=>true)); # set to this new one
Bingo!
Reffered to this page : How Do You Get The Store Secure URL in Magento?