I have to change a domain from http to https. The running map application uses Openlayers 2.11. OL loads tile layers (Bing, Google, …) which using scripts served over http thus this site gets blocked (mixed content) in Chrome + Firefox.
For Example
Mixed Content: The page at 'https://viewer.example.com/' was
loaded over HTTPS, but requested an insecure image
'http://ecn.t2.tiles.virtualearth.net/tiles/a1202033.jpeg?g=3112'.
This content should also be served over HTTPS.
I cannot upgrade Openlayers!
What chance do I have? Is there a https Version of OL 2.11 or something like "forceSSL = true"?
Cheers,
motorama
Related
I've got a site where I recently started using SSL and now in console I'm getting a couple of errors;
Mixed Content: The page at 'https://www.XXXXX.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://fonts.googleapis.com/css?family=Droid+Serif'. This request has been blocked; the content must be served over HTTPS.
I've read that I could specify the stylesheet as: //fonts.googleapis.com/css?family=Droid+Serif and omit the http:// or https:// and let the browser determine which scheme/protocol to use, but I'm surprised I've not seen this before and wondering if this is good practice?
For example, in my Wordpress theme development where I am frequently using wp_enqueue_style should I now use this format by default, assuming where you're calling from is able to serve both?
I'm considering just redirecting all traffic to the https version of the site, but still interested to know if this URL scheme is good practice or not?
When loading the site in Safari, I have some images that use a https link, the images do not display on the page, when I open the image URL in the browser, it will not load, saying "Safari can't open the page X because Safari can't establish a secure connection to the server X". This needs to use https links for the images, is there a header or something I can set to allow this to load?
I have tried removing the https, and images load in http, the site we get the images from are used from an API and they they return the image link to use, this does not have an SSL cert on it
not any code, a general question about a setting in Safari if we can avoid using any manual changes that a user will not make on their own.
Expect that the image will load up and thus on the pages that we want to display the images on.
I found a solution to this one here:
https://apple.stackexchange.com/questions/275522/unable-to-load-https-websites-on-safari
The issue is that Safari won't support in older versions the TLS protocol in use in modern-day browsers. I wasn't aware it would be such an old version in use for windows users.
I have a https site and need to show content from other sites that may or may not be themselves https. Predictably enough, I'm getting warning messages like this in the console...
"Mixed Content: The page at 'https://www.example.com/' (my server) was loaded over HTTPS, but requested an insecure image 'http://www.aninsecuredomain.com/image.jpg'. (not my server) This content should also be served over HTTPS."
(not to the mention the fact that I no longer see the little padlock displayed properly in most browsers who now consider my site's network insecure).
I've read through a bunch of posts on SO on this topic, but I can't seem to find a definitive answer on whether there's anything I can do when I don't own the external servers (so can't guarantee they'll have a https version). Appreciate any thoughts on whether this is possible, and if so how I could go about achieving it!
When you need to include content from another domain in an https webpages you can:
Make the owner of the other domain commit to https by explaining him the security reason behind that
Proxy the content through your website or host it yourself (if you have right to do it)
(If you don't see the padlock anymore it's because your page is no longer secure because it include insecure elements that could have been tempered: it's not they "consider my site's network insecure", it is indeed insecure!)
You should use the // prefix. (instead of http[s]://)
On an https page, the secure version wil be loaded.
On on a plain http page, the plain http version will be loaded.
Edit your theme replacing every occurence of http://fonts.googleapis.com/... with //fonts.googleapis.com/...
I've succesfully installed Jmeter and setup the recording. I added the next config elements: HTTP Cookie Manager, HTTP Cache Manager with clear cache every iteration enabled. I'm using Firefox and Jmeter is recording everything that I do in the browser.
But I have one problem: when I go to pinterest.com I receive a white page with black text. Every other website is working like it suppose, but I want to test only Pinterest. When I try to setup a new account...the same: white page with black text. Something is not loading correctly and I don't know what.
Can someone help me with a hint?
When you to through the proxy, your browser doesn't trust HTTPS traffic anymore, because the proxy replaces the certificates. If your page is a HTTP page that uses HTTPS resources like Style Sheets or JS files, you get what you're describing - a plain black text site on white background - where graphic buttons don't work anymore.
If you use firebug to inspect your traffic, you will see the resources that are not loading because of HTTPS certificate issues. You can either add exceptions to your browser to load these resources, or as #aleix suggested you can use a browser plugin like Blazemeter to record scripts without going through a proxy.
See here for more information.
Thank you all for answering to my problem. I've resolved the issue by importing manually the certificate created by Jmeter in his bin folder to Firefox.
It was, indeed, a https certificate problem, but I'd managed it because of your feedback.
Try blazemeter extension for chrome, is a recorder http request like proxy server of JMeter, and maybe it wil allow you to record correctly in pinterest
I have a site with HTTPS configured.
My client wants me to embed a youku video. At first the browser blocked the iframe since it had HTTP protocol on it.
I changed it to HTTPS and now youku does not work. It seems youku does not support HTTPS.
is there any way around this?
Perhaps there is a service other than youku that does support HTTPS and is still suitable for that region?
hi,we had supported(sorry for later)
for example:
1
<iframe height=498 width=510 src='https://player.youku.com/embed/XMTg3Nzg4MzY4NA==' frameborder=0 'allowfullscreen'></iframe>
2
https://player.youku.com/player.php/sid/XMTg3Nzg4MzY4NA==/v.swf
3:
<embed src='https://player.youku.com/player.php/sid/XMTg3Nzg4MzY4NA==/v.swf allowFullScreen='true' quality='high' width='480' height='400' align='middle' allowScriptAccess='always' type='application/x-shockwave-flash'></embed>
Youku player serves some resources (like preview images or alternative sources for video) under http, not https - and this might be the main culprit of "partially insecure content" issue in browsers. This problem is caused by Youku player itself, it's quite possible to change the code loaded from their servers.
However, the problem can be solved in most simple and convenient way by rewriting insecure http requests on given page with secure https requests - it possible to achieve this by including CSP meta tag in page header:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
The "Content-Security-Policy" response header allows to control resources the user agent is allowed to load on given page (more information here).
What "upgrade-insecure-requests" directive does: "Instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten."
The original solution was found in this post.