Cloudflare with "always use https" on breaks url and removes querystrings - https

I'm working on a pretty large booking site. I recently discovered that we got many requests that just didn't go through because of a missing parameters error.
I checked out logs and noticed that all browsers running Safari (both mobile and desktop, and some older versions of IE) had this problem.
The problem is that when we go from our search step to our booking we switch over to https; this is done via the "always https" option in Cloudflare, with a pattern that looks like: http://www.exampel.com/Booking/*
The url for the page I want to access is:
http://www.exampel.com/Booking/Book#!/?Product=1&product=2
Clicking the link will lead me to that page in Chrome and Firefox, but NOT in Safari (and some older versions of IE), which will send me to:
http://www.exampel.com/Booking/Book

I ran into this problem of Cloudflare dropping query strings and got around it by not using the Always use https option. Instead I created these 3 redirect rules:
http://example.com/* Forwarding to https://www.example.com/$1
http://www.example.com/* Forwarding to https://www.example.com/$1
https://example.com/* Forwarding to https://www.example.com/$1
You can adjust them if you want the non www url to be available and not redirect away from it. In my case I directed everything to the https://www.example.com version.
I'm not sure why you were seeing it only on certain browsers though.
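
In the link from the question, everything after the # is a URL fragment, which a browser never sends to the server, so an http to https redirect cannot copy it into its Location header; it survives only if the client re-attaches it. The sketch below is an added example, not code from the post or from Cloudflare; edgeRedirectLocation is a hypothetical stand-in for such a redirect rule.

```javascript
// The link quoted in the question.
const LINK = 'http://www.exampel.com/Booking/Book#!/?Product=1&product=2';

// What the browser puts on the wire: path + query only. The fragment
// (everything from '#') is never part of the HTTP request target.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Hypothetical edge rule: same host and request target, https scheme.
// It can only echo what it received, so no fragment ends up in Location.
function edgeRedirectLocation(link) {
  return 'https://' + new URL(link).host + requestTarget(link);
}

// URL the user lands on. RFC 7231 section 7.1.2 has the client inherit the
// original fragment when Location carries none; a client that skips that
// step arrives without the "#!/?..." part and the app sees no parameters.
function finalUrl(link, clientKeepsFragment) {
  const loc = new URL(edgeRedirectLocation(link));
  if (clientKeepsFragment && !loc.hash) {
    loc.hash = new URL(link).hash;
  }
  return loc.href;
}

// Taking the redirect out of the picture: emit the https link in the page
// itself, so the fragment never depends on how a client handles redirects.
function toHttpsLink(link) {
  const u = new URL(link);
  u.protocol = 'https:';
  return u.href;
}

console.log('request target :', requestTarget(LINK));
console.log('fragment kept  :', finalUrl(LINK, true));
console.log('fragment lost  :', finalUrl(LINK, false));
console.log('direct https   :', toHttpsLink(LINK));
```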

Related

Opening HTTP content within HTTPS

We have a HTTPS website and I need to display a HTTP website (any external website) in my page. The website used an iframe for displaying it. We realised that it doesn't work in Mozilla Firefox. We are getting a "mixed content" error. I am searching for an alternative to iframe now. I understand that it makes no sense to bypass the security warning. We also do not want to change any browser settings as it is possible that all the users may not have permissions to change browser settings. Using tags like <embed> or redirecting in a <div> tag also gives the same problem.
Is there any way to do this in C# code and not using HTML and scripting?
Response.redirect() does not work in our application. I do not have a problem if the page is redirected but I prefer a dialog/popup window for the external website to display.
This is simply a security consideration. Your HTTPS site is not truly safe when using mixed content.
Use HTTPS for your external site, period.
As Mozilla suggests:
The best strategy to avoid mixed content blocking is to serve all the content as HTTPS instead of HTTP.

Issue with HTTP and HTTPS - Need to get AJAX working

I have a site where the client recently added an SSL certificate. Since he has done this it has broken some stuff on the site, noticeably a slider on the homepage of the site.
The only thing I can see in the console is a 'Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure script 'http://ajax.googleapis.com...'. This request has been blocked; the content must be served over HTTPS.'
I have no idea what this means - other than the obvious that I need to get these called over HTTPS.
I have never come across this before. I tried doing a force rewrite in .htaccess which didn't work and I can't seem to understand any stuff online.
Help please!
Thanks

Resolving Mixed Content warning from external insecure server

I have a https site and need to show content from other sites that may or may not be themselves https. Predictably enough, I'm getting warning messages like this in the console...
"Mixed Content: The page at 'https://www.example.com/' (my server) was loaded over HTTPS, but requested an insecure image 'http://www.aninsecuredomain.com/image.jpg'. (not my server) This content should also be served over HTTPS."
(not to mention the fact that I no longer see the little padlock displayed properly in most browsers who now consider my site's network insecure).
I've read through a bunch of posts on SO on this topic, but I can't seem to find a definitive answer on whether there's anything I can do when I don't own the external servers (so can't guarantee they'll have a https version). Appreciate any thoughts on whether this is possible, and if so how I could go about achieving it!
When you need to include content from another domain in an https webpage you can:
Make the owner of the other domain commit to https by explaining to him the security reason behind that
Proxy the content through your website or host it yourself (if you have the right to do it)
(If you don't see the padlock anymore it's because your page is no longer secure because it includes insecure elements that could have been tampered with: it's not that they "consider my site's network insecure", it is indeed insecure!)
You should use the // prefix. (instead of http[s]://)
On an https page, the secure version will be loaded.
On a plain http page, the plain http version will be loaded.
Edit your theme replacing every occurrence of http://fonts.googleapis.com/... with //fonts.googleapis.com/...

firefox has blocked content that isn't secure

I am running a site. Some of its pages are not working in Firefox, but work perfectly in Chrome. In Firefox it shows me a gray shield next to the URL and when I click on that shield and manually click on disable protection on this page then my page works fine. So now the problem is that there are many users on my site, and some of them don't know how to do it, so I want to handle it on my site so its users don't need to do that.
How can I do it? I Googled and found a setting of Firefox in about:config named security.mixed_content.block_active_content. If we set it to false then it works. So is there a way to do it programmatically or other way so that users just view that page without seeing that shield?
As I understand it, content that is blocked by default by Firefox now is http content that is accessed from an https page. Common types of content that fall foul of this are external stylesheets and images.
As far as I am aware the way to prevent the problem on your site is to make sure that if a page is served by https, any and all other files that it references are also served by https.
Hi Friends,
The reason you see this error in Mozilla Firefox is because your website is a Mixed Box, that is, your website has many internal links which are not SSL protected.
In order to avoid this error from showing up in Mozilla Firefox you will have to make sure all the internal links on your website are SSL protected.
So, use https:// in your page, not http://
I hope I was clear enough in answering your query.
firefox has blocked content that isn't secure means some contents on your website are not secure.
I had the same issue as my fonts were downloading with http://google.apis.something instead of https
Then I changed to //google.apis.something and the problem got solved.
To know what is not secure in your website use this link
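
The mixed-content threads above all come down to finding which subresources an https page still requests over http. The audit sketch below is an added example, not code from any of the posts; SAMPLE_HTML is constructed, the regex scan is a rough aid rather than a full HTML parser, and the https suggestion assumes the remote host actually serves https.

```javascript
// Constructed sample page, assumed to be served over https.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example.net/fonts.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.net/slider.js"></script>
<script src="//cdn.example.net/app.js"></script>
<img src="http://www.aninsecuredomain.com/image.jpg">
<iframe src="http://external.example.net/page"></iframe>
<a href="http://www.example.com/about">About</a>
<img src="https://www.example.com/logo.png">
`;

// Active content can change the page, so browsers block it outright;
// passive content (images, media) typically only produces a warning
// and costs the page its padlock.
const ACTIVE = new Set(['script', 'iframe', 'link', 'embed', 'object']);
const PASSIVE = new Set(['img', 'audio', 'video', 'source']);

function findMixedContent(html) {
  const findings = [];
  const tagRe = /<(\w+)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // <a href> is navigation, not a subresource, so it is not mixed content.
    if (!ACTIVE.has(tag) && !PASSIVE.has(tag)) continue;
    // Only stylesheet links are fetched and applied; rel="canonical" is not.
    if (tag === 'link' && !/rel\s*=\s*["'][^"']*stylesheet/i.test(attrs)) continue;
    const attr = /(?:^|\s)(?:src|href|data)\s*=\s*["']([^"']+)["']/i.exec(attrs);
    // https:// and protocol-relative // URLs load securely on an https page.
    if (!attr || !/^http:\/\//i.test(attr[1])) continue;
    findings.push({
      tag,
      url: attr[1],
      kind: ACTIVE.has(tag) ? 'active' : 'passive',
      suggest: attr[1].replace(/^http:/i, 'https:'), // assumes the host serves https
    });
  }
  return findings;
}

for (const f of findMixedContent(SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url} -> ${f.suggest}`);
}
```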

"This webpage has a redirect loop" in Chrome but working fine on FF and IE?

The page http://www.japanforum.com/forum/japanese-language-help/39454-~tara-past-tense-clause.html is accessible using Firefox / IE / Safari / Opera.
However on Chrome, the page doesn't display:
Does anyone know what may be the cause of the problem?
Or rather, what is the explanation for this phenomenon?
It appears that you are trying to redirect to the correct SEO-friendly URL, e.g. if I go to test/39454-foo.html, it redirects me to test/39454-~tara-past-tense-clause.html.
You compare the requested URI to the expected one and redirect if they do not match.
However, there are multiple ways of writing the same URI. Some browsers may send ~ urlencoded and some may not, for example.
So you should canonicalize both URIs before comparing them.
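
The canonicalize-before-comparing advice above, as an added example that is not part of the original answer: both paths are normalised per RFC 3986 section 6.2.2 before the redirect decision, and a hypothetical client that always sends "~" as "%7E" shows the loop the naive comparison produces. The function names and the hop limit are assumptions of this sketch.

```javascript
const EXPECTED = '/forum/japanese-language-help/39454-~tara-past-tense-clause.html';
const UNRESERVED = /^[A-Za-z0-9\-._~]$/;

// Decode escapes of unreserved characters only and upper-case the hex of
// every escape that stays. Reserved characters such as "/" (%2F) are left
// encoded, so normalising never changes which resource the path names.
function canonicalizePath(path) {
  return path.replace(/%([0-9A-Fa-f]{2})/g, (escape, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return UNRESERVED.test(ch) ? ch : '%' + hex.toUpperCase();
  });
}

// Redirect target, or null when the request already names the expected URL.
function seoRedirect(requestedPath, expectedPath) {
  const want = canonicalizePath(expectedPath);
  return canonicalizePath(requestedPath) === want ? null : want;
}

// Byte-for-byte comparison, shown for contrast.
function naiveRedirect(requestedPath, expectedPath) {
  return requestedPath === expectedPath ? null : expectedPath;
}

// Hypothetical client that escapes "~" in every request it sends.
const sendAs = (path) => path.replace(/~/g, '%7E');

// Follow redirects until the server stops redirecting or maxHops is hit.
function countRedirects(decide, startPath, expectedPath, maxHops = 20) {
  let path = startPath;
  let hops = 0;
  while (hops < maxHops) {
    const next = decide(sendAs(path), expectedPath);
    if (next === null) return hops;
    path = next;
    hops++;
  }
  return hops; // limit reached: the browser would report a redirect loop
}

const START = '/forum/japanese-language-help/39454-foo.html';
console.log('naive    :', countRedirects(naiveRedirect, START, EXPECTED));
console.log('canonical:', countRedirects(seoRedirect, START, EXPECTED));
```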
Double-check the redirection settings on your server. Add-on domains should not include "www." when being added. Without this, this will solve the redirection problem.
Check whether all Google's cookies are allowed in your cookie settings (especially see the Manage Exceptions window).
This can sometimes occur if the URL-mapping of the page has one or more redirect-conditions.
If the software behind tries to redirect to the same URL-mapper (->bad programming).
The result is a loop of mapping and redirecting in the Controller.
Okay, I faced the same issue a couple of months ago and as mentioned in Solution 1 here, the culprit is the browser cookies.
You can simply clear the cache and cookies of your browser and the problem will be fixed.
