I'm using sipml5 to connect to a sip phone service and one of the setting is the service websocket server URL. the problem is that the server url is not secured (ex. ws://123.123.123.123:9999/ws) and it cannot be accessed on wss://. Because of that, when loading my site on a HTTPS connection, the browser blocks the request automatically, it doesn't behave like it does when loading let's say, an image over http, and then shows a warning.
Error is: [blocked] The page at 'X' was loaded over HTTPS, but ran insecure content from 'ws://....': this content should also be loaded over HTTPS.
I need to know if there is a way to make the browser connect to ws:// even though the page initializing the request is loaded over https.
Please help.
EDIT:
What I'm looking for is a flag or something like that, in Chrome or Firefox for example, which lets the user access insecure resources even though the page is loaded on https.
Why you are using http? You can get an ssl certificate from https://letsencrypt.readthedocs.org/en/latest/intro.html
then add the following details to http.conf
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/path-to/cert.pem
tlsprivatekey=/path-to/privkey.pem
Related
When I pass an URL to load a website, say, http://yoururl.com, it redirects to https://yoururl.com
I mean, passing an URL with HTTP automatically redirects as https://yoururl.com in the browser URL.
#driver.get("http://yoururl.com")
Browser used: Chrome
Is there a way to stop redirecting the HTTP url as HTTPS?
The Chrome 63 and above versions will no longer take HTTP with domain .dev since you are in the local/dev environment.
https://iyware.com/dont-use-dev-for-development/
Chrome 63 (out since December 2017), will force all domains ending on
.dev (and .foo) to be redirected to HTTPS via a preloaded HTTP Strict
Transport Security (HSTS) header
https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
There are couple of reasons this would happen.
Redirection at load balancer or reverse proxy level.
This can be fixed by altering web server or LB configuration.
As browsers getting smarter everyday, when you open an https url is browser then next time if you even want to open http url it'll by default go to https because browser already knows that the site supports https as well. So it'll prefer to use secured communication rather text when it is available.
Here is some help for second case https://superuser.com/questions/565409/chrome-how-to-stop-redirect-from-http-to-https
I use UIWebview to load https url, mostly https urls work normal in my app, but some urls make the UIWebview delegate webView:shouldStartLoadWithRequest:navigationType: called twice.
First time, the request parameter has the right https url. Second time, the url in request parameter change to http scheme, this cause the url load failed with error 1022: "The resource could not be loaded because the App Transport Security policy requires the use of a secure connection."
I use Charles to see the network, can not see the https request, means not 320 reqeust, not see the http request either, because the request is block by iOS system, so failed with 1022 code
It's so weird, what the problem is!!!
The https url can be load normal in safari or chrome. I create a new project with only the webview load the https url,It's OK
Deployed application on Heroku (zrecipe.herokuapp.com) but it does not work (work perfect local). Code is at https://github.com/zzheads/RecipeSite.
Development tools shows error message:
Mixed Content: The page at 'https://zrecipe.herokuapp.com/'
was loaded over HTTPS, but requested an insecure script
'http://code.jquery.com/jquery-1.11.0.min.js'.
This request has been blocked; the content must be served over HTTPS.
I think problem is my ajax requests in program are trying load something from HTTP, without SSL, page is supposed to be secure but my app are trying to load non-secured objects. How I can get rid of this?
Please use the -s command line parameter.
I have a certificate for a domain example.com. So, every request in my application (MVC 3) is being redirected to the https://example.com. But the problem is, I can see the padlock icon in the Firefox browser
but one second later it disappears and I see that there is no certificate ?
I have no clue what's going on, can somebody enlighten me ? The application is being hosted on Windows Server 2008 R2.
The "...which is run by (unknown)" message is just a message telling you that the certificate only verifies the web site name, not the owner. The message is not very clear and has been reported as a bug to Mozilla.
The "Your connection to this site is only partially encrypted" message means that you're fetching at least some HTTP data as a part of your HTTPS page (check your font/image/media links on the page) and the data fetched via HTTP is not secure. A secure page should only link to HTTPS content, or someone listening to the connection may be able to the insecure communication and figure out what is done over the secure link. For example, if your cookies are not set as secure, they'll be sent over clear text too when fetching data from your site.
All in all, the SSL cert seems to be installed ok, but your page needs some updates to only link to secure content.
I'm working on extensions for Firefox and Chrome. The data used by my extensions is mostly generated from ajax requests. The type of data being returned is private, so it needs to be secure. My server supports https and the ajax calls are being sent to an https domain. Information is being sent back and forth, and the extensions are working correctly.
My questions are:
Do the extensions actually make secure connections with the server, or is this considered the same as cross domain posting, sending a request from a http page to a https page?
Am I putting my users' information at more risk during the transfers than if the user were to access the information directly from an https web page in the browser?
Thanks in advance!
The browser absolutely makes a secure connection when you use HTTPS. Certainly, a browser would never downgrade the security of your connection without telling you: it will either complete the request as written or it throw some sort of error if it is not possible.
Extensions for both Chrome and Firefox are permitted to make cross-domain AJAX requests. In Chrome, you simply need to supply the protocol/name of the host as a permission in your manifest.json. In Firefox, I think you may need to use Components.classes to get a cross-domain requester, as described in the MDN page for Using XMLHttpRequest, but I'm not 100% sure about that. Just try doing a normal request and see if it succeeds; if not, use the Components.classes solution.