Website shows partial ssl issue in Chrome - javascript

The website I am working on, https://www.recordretrieve.com, is displaying the following error in Chrome:
“Your connection to www.recordretrieve.com is encrypted with 128 bit encryption.
However this page includes other resources which are not secure.
These resources can be viewed by others while in transit,
and can be modified by an attacker to change the look of this page”
This is a WordPress website, and when I "View Sources" I can see that all the images I uploaded to WordPress are http, and I saw that 2 external JavaScript files (generated by a plugin I used) are also http.
The question is, would this error be caused by the images I uploaded to WordPress? If so, how do I fix this issue?
Or would this error be caused by the links to the js files?
Or is it caused by both of them?

I use WordPress HTTPS on my blog to force HTTPS on everything.
Additionally, you can also set the WordPress Address (URL) and Site Address (URL) in the General Settings Screen to have the https by default.
When you're writing your posts, you need to check whether by default you're inserting http instead of https.
If all this still causes an issue, you should check your theme and plugins to ensure that they are not forcing http.

I ended up installing this plugin to solve the issue: http://wordpress.org/plugins/ssl-insecure-content-fixer/

Related

Javascript / Three.js is not working in https

I recently switched my http site to https.
Since I made this change, one of my projects no longer works.
In this random generator, the background using the Three.js library does not appear when the URL is in https.
But in http, it works beautifully and well.
Does anyone know any solution to this problem?
Thank you for your consideration in this matter.
You can download the three.min.js file and save it on to your https server.
And instead of loading the script from http server, provide the path of your https server where you put the three.min.js file.
<script src="https://[path to your server]/js/three.min.js"></script>
Open your developer tools and look at the console, you'll find the explanation:
What this means is that you're not allowed to have an https:// site that loads some content via http://. This is called "mixed content" and it's a security vulnerability. If you're serving a secure site, make sure all your content is using the HTTPS protocol.

issue with jsbin editor while using openlayers3 js library

I am learning OpenLayers 3 and I ran into a problem while trying to pull in basemaps to the browser using a JS Bin online editor.
If I write the exact same code in a local text editor (Notepad++) everything works as it should. But not when I am using JS Bin.
Here is the link with the code:
https://jsbin.com/wijoha/edit?html,css,console,output
Can you help me figure out what is wrong with it? I've already spent a couple of hours trying to solve the issue but can't get my head around it...
Looking at the console on the JSBin you have added (the browser window's one, rather than the JSBin one), the CSS is not being loaded as you are attempting to put an HTTP resource into an HTTPS page. The error message reads:
Mixed Content: The page at 'https://null.jsbin.com/runner' was loaded over HTTPS, but requested an insecure stylesheet 'http://openlayers.org/en/v3.10.1/css/ol.css'. This request has been blocked; the content must be served over HTTPS.
Additionally, your JS file ol.js is not loading at all, as openlayers.org does not seem to be accepting serving the file over HTTPS (for me at least, in Chrome).
Instead, try serving everything over HTTP (including the URL of JSBin itself), here is a working example:
http://jsbin.com/focoxoxabo/edit?html,css,console,output

How can I get around this "mixed content blocked" error with Blogger?

I am trying to add a Javascript picture gallery created with Wowslider to my Blogger blog.
I followed the instructions on the Wowslider website, and I thought I could serve the necessary files, including the images, from my server.
Unfortunately, after I set it all up, it didn't work, and by using Firebug, I discovered that the files on my server won't be shown on the Blogger server because my site uses http and Blogger uses https. So I was getting a "Blocked loading mixed active content" error.
As far as I can see, there's no way for me to load a directory of Javascript, CSS, HTML, and image files anywhere on the Blogger server.
Converting my website, which is hosted by a service out of my control, to use https is not an option.
Is there any way I can host my Wowslider picture gallery in such a way that Blogger will display it?
Turns out the problem is not as bad as I thought.
Blogger only serves pages in https mode when you're logged in and editing pages. When a visitor to the site is just viewing the blog, it's in http mode.
This means that if you embed a Wowslider into blogger, you won't be able to see it while you're editing it. However, you, and everybody else, will be able to see it after you publish it, log out, and view it as a visitor.
So in the end it works, it's just a little confusing because you won't be able to see the end result until after you publish.

Issues with cross domain request

I work on a site that pulls images from multiple CDNs and I want to log which image came from which CDN. These CDNs send an extra header param with the images that names the server that sent the image.
Problems:
- Ajax won't work because CORS is disabled
- Can't use a proxy or put a proxy file on the CDNs because they only serve images
Any tips how to make this work with JS only?
Or maybe with Flash?
Is there a way to "observe" the network with JavaScript (like Firebug or Chrome dev tools)?
I don't know the exact solution for your problem but if I were you I would look at websockets.
There are a lot of questions about it there: https://stackoverflow.com/search?q=websocket+image+javascript
And I think you should look at this too: http://binaryjs.com/

Mixed Content Warning IE: What matters; css, images, everything?

I have just moved my site from http to https and IE-9 started showing a non-secure content warning on the home page. This warning is understandable because I have one http call to googleapi for getting the jquery script. But when I log in and enter the inner pages there is no warning from IE, despite the fact that most of the images are coming from other servers through the http protocol.
So the question: Is getting images over http fine when accessing the site over https? Do only CSS and JS matter? Or do I have to get all the data through HTTPS? If so, how is my scenario justifiable (getting images over http from another server on an https page without warning)?
If you load CSS and JS over HTTP then an attacker can inject executable code. Unfortunately IE will execute JavaScript within CSS. The problem with loading images over HTTP from the same domain is that the browser will likely spill the session id in plain text, which is a violation of OWASP A9.
You can use the protocol-relative URL on all your urls to avoid this issue in IE.
Basically, instead of linking to a js/image/css by using its full path with the protocol, you instead link to it by leaving out the protocol bit and just using a double slash, //.
This will have the effect of all the above links inheriting the protocol from the parent page.
Of course this depends on you having valid SSL certs on the domains you're serving the different files from.
One other thing to note also is that images in your pages or CSS that are done using data URI could also cause mixed content warnings in IE.
To find out what files are causing issues, I recommend using Fiddler.
There is also another tool that a fellow SO user, Eric Law wrote:
Install it from http://www.bayden.com/dl/scriptfreesetup.exe and you will get a different mixed content prompt which shows the exact URL of the first insecure resource on the page. That tool is basically a prototype and you should uninstall it when you're done with it. It works on IE8 and you should install it as admin.
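
The Python script below is an added example, not code from any of the posts above. It lists the subresources an HTTPS page would fetch over plain HTTP and labels each as active (scripts, stylesheets, frames, plugins) or passive (images, audio, video), which is the distinction behind both the first question and the IE question. The page URL, hosts and markup are constructed samples, and the names `MixedContentAudit` and `audit` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> URL attribute. Active content can script or restyle the page; passive media cannot.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

# Constructed sample input (hypothetical hosts), not taken from any real site.
SAMPLE_PAGE_URL = "https://blog.example/2015/post/"
SAMPLE_HTML = """
<link rel="stylesheet" href="http://cdn.example/theme.css">
<link rel="canonical" href="http://blog.example/2015/post/">
<script src="http://plugin.example/widget.js"></script>
<script src="//cdn.example/three.min.js"></script>
<img src="http://blog.example/wp-content/uploads/photo.jpg">
<img src="/wp-content/uploads/logo.png">
"""

class MixedContentAudit(HTMLParser):
    """Collect subresources that the page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            if tag in table:
                self._check(kind, tag, attrs.get(table[tag]))
        # <link> only loads a stylesheet when rel says so (canonical does not).
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            self._check("active", tag, attrs.get("href"))

    def _check(self, kind, tag, value):
        # Relative and protocol-relative (//host/x) URLs inherit the page's scheme.
        value = (value or "").strip()
        absolute = urljoin(self.page_url, value)
        if value and urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PAGE_URL, SAMPLE_HTML), sep="\n")
```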
