With the latest Firefox update (48.0.2), we are seeing mixed content errors from our doubleclick tags on our HTTPS site. However, the error is not making any sense to me, because the offending URL seems to use https:
Blocked loading mixed active content "about:neterror?e=dnsNotFound&u=https%3A//fls.doubleclick.net%3Bsrc%3D3268620%3Btype%3Dboo120%3Bcat%3D3-c420%3Bord%3D1/%3F&c=UTF-8&f=regular&d=Firefox%20can%E2%80%99t%20find%20the%20server%20at%20fls.doubleclick.net%3Bsrc%3D3268620%3Btype%3Dboo120%3Bcat%3D3-c420%3Bord%3D1."[Learn More]
Any ideas on what might be causing this?
Related
I am somewhat of a novice at debugging web traffic, so I am simply trying to understand what is going on.
I have Fiddler and am using it to look at the network traffic being sent as I navigate to a specific website. I am noticing that the traffic picks up an HTTP 404 error, but I am still able to load the website.
Please help me understand how it still loads the website when it throws an HTTP 404 error? The error is never shown to the user. It is like it is ignoring it. I would think it would display the error to user and never load the website.
I have attached a picture of what I am seeing in Fiddler.
thanks
One of the reasons for this behavior is that the browser stores in its cache a page that has already been loaded in the browser once. Try opening the page in incognito/private mode (depending upon what your browser calls it) or try clearing your browser's cache and history.
So I get the following error in Chrome console:
Mixed Content: The page at 'https://your-username.github.io/' was
loaded over HTTPS, but requested an insecure stylesheet
'http://yui.yahooapis.com/pure/0.6.0/pure-min.css'. This request has
been blocked; the content must be served over HTTPS.
Basically the Yahoo Pure library is being served over HTTP. Is the only solution simply to download it and link to it in a "relative directory" format from my index.html page (e.g., "./pure-min.css")?
As suggested in this issue, try instead replacing all occurrences of http://yui.yahooapis.com with https://yui-s.yahooapis.com.
You can see it used in this YUI Library Examples: ProfilerViewer Control.
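Added example (not part of the answer above or of the YUI project): a small Python scanner that lists the http:// subresources an HTTPS page would request and proposes the answer's host swap where it applies. The sample HTML, the example.com hosts, and the class and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Host swap taken from the answer above. Add others only after confirming
# that the host serves the same file over HTTPS.
HTTPS_HOSTS = {"yui.yahooapis.com": "yui-s.yahooapis.com"}
# Active content is what browsers block; passive content is treated more leniently.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentFinder(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, url, suggested https url or None)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            self._check("active", tag, attrs.get("href"))
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag:
                    self._check(kind, tag, attrs.get(attr))

    def _check(self, kind, tag, value):
        url = urljoin(self.page_url, (value or "").strip())  # resolves relative and // URLs
        parts = urlsplit(url)
        if not value or parts.scheme != "http":
            return
        new_host = HTTPS_HOSTS.get(parts.hostname)
        fix = parts._replace(scheme="https", netloc=new_host).geturl() if new_host else None
        self.findings.append((kind, tag, url, fix))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; the stylesheet URL is the one from the question.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://yui.yahooapis.com/pure/0.6.0/pure-min.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body><img src="http://img.example.com/logo.png"><img src="./local.png"></body></html>"""
```

A finding with no suggested URL means the host is not in the known swap table, so the resource has to be checked by hand or hosted locally, as the question proposes.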
In Chrome, I can call a secure URL (exampleB.com) from an insecure page (exampleA.com); in Firefox, they block it.
Is this a bug? It seems HTTPS should be allowed from anywhere.
Resource being called is simply an IMG tag / GET request.
This was a bug with Firefox itself. The CORS handling was backwards :)
I have problems with setting up goals in Google Analytics. There are a few bugs in the order page, which I think are causing the problem. With the help of the GA debug extension I managed to reach the following errors (5) and warnings (4):
(Here are only the errors, unfortunately 2 as I am not allowed to post more than two links)
-> Mixed Content: The page at 'https://www.xxx.de/de/xxx/' was loaded over HTTPS, but requested an insecure script 'http://delivery.fpmserving.com/tag.php?tag_id=53&campaign_id=32'. This request has been blocked; the content must be served over HTTPS.
-> Mixed Content: The page at 'the same as above' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'the same as above'. This request has been blocked; the content must be served over HTTPS.
Furthermore, the page source could not load.
Is there any way that I could remove this insecure script and make sure that the content is served over HTTPS?
PS: I am not a developer and unfortunately I am not really familiar with HTML and HTTPS, although I try to inform myself!
As in the case of the Google Chrome browser (Google Chrome CSP), there is whitelisting of origins:
Currently, we allow whitelisting origins with the following schemes:
blob, filesystem, https, chrome-extension, and
chrome-extension-resource.
Is there any listing of such origins for Firefox? We are trying to write an add-on for Firefox which will need to load as an iframe.
I currently get the following CSP error when I try to load a frame.html read from my add-on XPI resources. It's a frame which then loads the actual frame.
Content Security Policy: The page's settings blocked the loading of a
resource at data:text/html;
An iframe with chrome-extensions:// as the path works for the Chrome browser; nothing like that is available for Firefox (at least I am unable to trace such a thing).
Please give us some suggestions if we can do a path to get the iframe extension working.
On Firefox data:, blob: and filesystem: are subject to CSP. Use chrome: or resource: instead.
Update:
Apparently this approach will not work with the Add-on SDK, probably due to sandbox restrictions.