I'm quite new to bookmarklets. I'm trying to load a JavaScript file from my own server/domain by using the following bookmarklet/JavaScript code:
javascript:(function(){s=document.createElement('script');
s.type='text/javascript';
s.src='http://www.test.com/js.js?v='+parseInt(Math.random()*99999999);
document.body.appendChild(s);})();
This code works nicely (js.js is loaded and executed) when I press the bookmarklet on my Firefox toolbar when visiting pages on the test.com domain.
But when I go to google.com or any other site and press the bookmarklet button, http://www.test.com/js.js isn't even loaded (looking at the server log).
I know about cross-domain restrictions, but don't they apply to AJAX requests and related things?
This has nothing to do with CORS.
You are loading unsafe content (http) in a secure page (https). Mixed content on secure pages doesn't work. You need to serve your script over https as well.
Here are the links to the page in question:
http version
https version
The https version of the page doesn't render the video embedded at the top of the article. I inspected the source code and found that the HTTPS version is missing an entire block of code, as you can see in the images below:
I wonder how this happens? Isn't http(s) just the protocol to communicate with the server? Why do I get different code by using different protocols?
From Chrome Developer Toolkit:
The page at 'https://www.eyeviewdigital.com/blog/eyeview-launches-addressable-tv-ads-with-cablevision-dish-programmatic-tv-w-clypd-and-wideorbit/' was loaded over HTTPS, but requested an insecure script 'http://pshared.5min.com/Scripts/PlayerSeed.js?sid=281&width=480&height=401&playList=519141523'. This request has been blocked; the content must be served over HTTPS.
You typically need to load your content in either http or https. Mixing them together results in the error above.
On line 252 replace
http://pshared.5min.com/Scripts/PlayerSeed.js?sid=281&width=480&height=401&playList=519141523
with
https://delivery.vidible.tv/aol?sid=281&width=480&height=401&playList=519141523.js
Long story short, the content was never loaded, so the page looked different.
You're right that there should be no difference based on http/https as it is just the transport layer. There must be something in the server's code that is producing the html, that behaves differently based on the url used to make the request. I suggest you provide information on the web server code to help analyse the issue.
This is most likely caused by loading elements from insecure sources. In Google Chrome, for example, loading an image over http when your page is loaded over https can result in the image not loading at all. This is all for security purposes, of course. Just go through all of your code and make sure all sources are accessed through secure https so that they load properly.
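The "go through all of your code" step from the answer above can be automated. This is an added example, not code from any of the posters; `findMixedContent` and the sample markup are hypothetical, and the regex-based tag matching is an approximation of real HTML parsing that does not cover `<link>` stylesheets or URLs inside CSS.

```javascript
// Constructed sample markup reusing the kinds of references quoted on this page.
const SAMPLE_HTML = `
<script src="http://unsecure/custom.js" type="text/javascript"></script>
<iframe src="http://files.example.test/embed.html"></iframe>
<img src="//localhost:8080/img/logo.png" />
<img src="http://images.example.test/logo.png">
<a href="http://example.test/">plain link, navigation only</a>
<script src="/js/app.js"></script>`;

// "Active" content can change the page, so browsers block it on HTTPS pages.
// "Passive" (display) content may be blocked, upgraded or only warned about.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed']);
const PASSIVE_TAGS = new Set(['img', 'audio', 'video', 'source']);

function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages
  const findings = [];
  // Opening tag plus its first quoted src/href/data attribute.
  const tagRe = /<([a-z][a-z0-9]*)\b[^>]*?\s(?:src|href|data)\s*=\s*(["'])(.*?)\2/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    if (!ACTIVE_TAGS.has(tag) && !PASSIVE_TAGS.has(tag)) continue; // e.g. <a href>
    let resolved;
    try {
      // Relative and protocol-relative URLs inherit the page's scheme here.
      resolved = new URL(m[3], page);
    } catch {
      continue; // unparsable attribute value
    }
    if (resolved.protocol !== 'http:') continue;
    const kind = ACTIVE_TAGS.has(tag) ? 'active' : 'passive';
    findings.push({ tag, kind, url: resolved.href });
  }
  return findings;
}

const report = findMixedContent(SAMPLE_HTML, 'https://mydomain/index.html');
console.log(report);
```

The protocol-relative and root-relative references are not reported because they resolve to https on an https page; the same markup scanned against an http page URL yields no findings at all.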
My Drupal e-commerce site is working on https. I want to embed the code below in a page.
<iframe src="http://files.podsnack.com/......"(not exact code)
But the src is on http, and because of this I am not able to load the iframe in the page. I am getting the error below.
Blocked loading mixed active content "http://files.podsnack.com/iframe/embed.html?hash=avcsgijp&t=1402616221"
carouFredSel: No element found for "#clients-scroller".
plugins... > eval (line 1)
Given URL is not allowed by the Application configuration.: One or more of the given URLs is not allowed by the App's settings. It must match the Website URL or Canvas URL, or the domain must be a subdomain of one of the App's domains.
Note: src will not work on https.
Please advise.
I'm afraid you cannot load an iframe via http on an https page securely, thus getting the errors. Browsers are beginning to just completely block this now, whereas older browsers would just give a warning.
The only way to get it to load is using https for the iframe, or accessing the page via http instead of https.
See this blog post about Firefox introducing the block: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
and here's a page about IE blocking mixed content: http://support.microsoft.com/kb/2625928
and here's a page about Chrome blocking mixed content or warning about it: https://support.google.com/chrome/answer/1342714?hl=en
And see this post for a general explanation of the problem: https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content
I am logging in to a URL, say https://test.ur/hix, using https.
Now when I navigate to another page by clicking a link, nothing gets loaded in the Chrome browser, and I get the exception below in the Chrome browser console.
I am getting an issue like
The page at '<<https://test.ur>>/hix/account/signup' was loaded over HTTPS, but ran insecure content from 'http://test.ur/hix/entity/locateassister/locateassistancety…%22%2C%22Yuchi%22%2C%22Yuma%22%2C%22Yupik%22%2C%22Yurok%22%2C%22Zuni%22%5D': this content should also be loaded over HTTPS.
I am using Spring throughout my application and using relative URLs to navigate.
Also, on this portal, on whichever page I navigate to, I get
GET https://themes.googleusercontent.com/static/fonts/robotoslab/v3/y7lebkjgREBJK96VQi37ZobN6UDyHWBl620a-IRfuBk.woff net::ERR_SSL_PROTOCOL_ERROR
in the browser console
When you're on an HTTP page, it's insecure to call HTTP content (to get JS, image or in iFrame).
Some browsers (and some versions) will block these contents. Some others will show you a message to inform you.
Solutions
First: You can relocate all your HTTP resources to HTTPS (if possible).
Second: If the resources are on the same server as the one that serves the page, you can also load resources with a relative path and not with an absolute path. Or you can use a protocol-relative path. For example, instead of
<img src="https://localhost:8080/img/logo.png" />
You will write
<img src="//localhost:8080/img/logo.png" />
I need to check whether a website in an iframe is loaded properly. On my website, users can POST a custom website, which will be shown to them in an iframe. But some websites are protected from being inserted into an iframe (such as Google or Facebook).
How can I check whether a website is loadable in an iframe and can be used in an iframe?
PS: I haven't shown any code, because I have no code and no idea how to do it. (My website runs on Java, so no Apache or PHP).
Check HTTP response header for X-Frame-Options. Facebook sends X-Frame-Options=DENY, which means "The page cannot be displayed in a frame, regardless of the site attempting to do so."
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
Check this: Accessing the web page's HTTP Headers in JavaScript
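The header check suggested in this answer, as an added example that is not part of the original post: it assumes the target page's response headers were already fetched server-side and passed in as a plain object. `canBeFramed`, `sourceMatches` and the sample origins in the usage line are hypothetical names, and the function also reads the CSP `frame-ancestors` directive, which the answer does not mention but which browsers apply in place of X-Frame-Options when a page sends both.

```javascript
// Match one frame-ancestors source expression against the embedding origin.
function sourceMatches(source, embedderOrigin, targetOrigin) {
  if (source === '*') return true;
  if (source === "'self'") return embedderOrigin === targetOrigin;
  if (source === "'none'") return false;
  try {
    // Only full-origin sources such as https://partner.example are handled;
    // wildcard and scheme-less host sources are treated as non-matching.
    return new URL(source).origin === embedderOrigin;
  } catch {
    return false;
  }
}

// Decide whether a browser would render targetUrl inside an iframe hosted at
// embedderOrigin, given the target's response headers.
function canBeFramed(headers, targetUrl, embedderOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value); // header names are case-insensitive
  }
  const targetOrigin = new URL(targetUrl).origin;

  // CSP frame-ancestors, when present, is used instead of X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    return directive.slice(1).some((s) => sourceMatches(s, embedderOrigin, targetOrigin));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === targetOrigin;
  return true; // header absent, or a value current browsers ignore
}

// Constructed usage: a DENY response cannot be embedded by any site.
console.log(canBeFramed({ 'X-Frame-Options': 'DENY' }, 'https://www.facebook.com/', 'https://mysite.example'));
```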
I have a web application which has a root html, and this html (say index.html) loads some JavaScript. This application is accessible through https, and I want to load one JavaScript file which is exposed over http.
https://mydomain/index.html contains this line of code:
<script src="http://unsecure/custom.js" type="text/javascript"></script>
When I try to run my application through the IDE everything works fine, but the problem happens when I bundle my application in a war file and run it.
It fails to load the included JavaScript, saying:
[blocked] The page at https: //mydomain/ ran insecure content from http: //unsecure/custom.js.
Is there any way to load this unsecure JavaScript, or do I need to publish this unsecure JavaScript in a secure way and then access it (can I change this included JavaScript's protocol from http to https)?
All content which is used by a site, which is accessed through HTTPS, must use HTTPS as well, otherwise you get this warning.
The reason for this: If not all content of a HTTPS site is HTTPS, the browser can't tell that the site is "secure" and therefore gives the user a warning.
You could do either of the two things below:
1) Download it locally and create the war. Then you would be using a relative path.
2) Place it in some https location.
If it's a third-party library and you do not have control over the frequent changes that would happen to this library, you could ask them to put it on https. Most of the time, hosted JS would be on both http and https too.