upgrade-insecure-requests directive works but a warning is displayed anyway - google-chrome

I'm loading external content on my web site and I have no control over this content.
My web site is served over HTTPS but some of the external URLs use HTTP.
So I added the upgrade-insecure-requests policy.
This works and I can see in the Chrome DevTools that all external resources are served over HTTPS.
But recently I started getting this warning:
Also, when such content is loaded, the little padlock on the left of the address bar is removed.
Is this warning only there to tell me "hey, I did my job but you should do something about those insecure URLs" or is there something else I'm missing?
NOTE: It works as expected with Firefox: HTTP becomes HTTPS, no warning and the padlock remains.

It seems that it was a false alarm from Chrome since this warning has disappeared.

Related

I have https on my page but Chrome says it is not secure

I have https on my page but Chrome says it is not secure. I don't understand what is wrong. Look at the screenshot.
You are loading an image over HTTP and so the content is mixed, causing the warning.
The image in question is dark-grey-tile.png; it's coming from http://plugins.jquery.com/jquery-wp-content/themes/jquery/images/dark-grey-tile.png (note the http here, not https).

Remove mixed content warnings for development in chrome

I am developing a chrome extension which loads a url in an iFrame. The actual url is hosted using https, however I want to debug it on localhost, thus wanted to allow mixed content. I can do that by allowing unsafe scripts by clicking the shield icon present in the address bar. The problem is it still generates a lot of warnings in the developer console which spams the console and doesn't let me see the actual debug messages.
Is there a way to remove the Mixed Content Warnings from the console, just for the development purpose?
The warning text example is as follows -
Mixed Content: The page at 'https://www.example.com/' was loaded over
HTTPS, but requested an insecure stylesheet
'http://localhost:8080/test.css'. This content should also be served
over HTTPS.
I just needed to use Filters to select the Logs and Errors and deselect everything else. The Filter option is available in the console view toolbar.

Mixed content in Chrome and IE

In my HTTPS enabled site I have added an iframe that should show content from my other site, but it is not working under https.
<iframe src="//myothersite.com"></iframe>
In Firefox latest version everything works good.
In Chrome, the iframe isn't loaded and in the console I see these two errors
Mixed Content: The page at 'https://mysite' was loaded over HTTPS, but requested an insecure resource 'http://myothersite.com'.
This request has been blocked; the content must be served over HTTPS.
Failed to load resource: net::ERR_CACHE_MISS
In IE the content loads incorrectly and I see an alert message; if I click Allow Insecure Content, it loads correctly.
The question is: how can I make IE and Chrome behave as Firefox does (load mixed content without any alerts)?
Note: I haven't changed any browser settings.
Actually Firefox has started to do the same: How to fix a website with blocked mixed content
It makes sense. A user who accesses a site using HTTPS expects to have a secured experience, and may not be aware of parts of the application loading over insecure connections. That is the reason why the browser blocks such inconsistency.
You will need to provide HTTPS on myothersite.com.
Obviously it's best not to have mixed content to prevent MITM attacks but for those who can't control the url this should do the trick:
Change the src="http://linkToUrl.com" to
src="//linkToUrl.com/script.js"
When I set the URL:
from an HTTPS request, it reports an error:
Mixed Content: The page at 'https://127.0.0.1/index.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/download/1.txt'.
This request has been blocked; the content must be served over HTTPS.
Failed to load resource: net::ERR_CACHE_MISS
When I added target="_blank" to the URL: <a target="_blank" href="http://127.0.0.1:8080/download/1.txt">, it works!
It's well known that target="_blank" means opening the linked document in a new window or tab, or a new request!
I'm sorry this isn't as technical as the other answers, but I had the same problem linking jQuery like this, and for me it was fixed just by changing http:// to https://. It may not work, but it worked for me and it might work for you.
Problem is mixed content, the browser won't allow us to just do that.
You need to change the URL from:
http://example.com
to
//example.com
I'm having another complication with CloudFlare: it doesn't load, as the file has been cached as http. Just go to CloudFlare and "Purge Everything" in the cache tab, or else turn on "Development Mode".

What to change in secure connection to set the styles?

I'm developing a website and get the webpage linked here. The problem is that the webpage is not rendered with the styles.
But when I open its source and copy it to a new file on my desktop, the style is now rendered appropriately. I couldn't figure out why it doesn't work on the secure connection. Any ideas?
From my browser's error console:
[blocked] The page at 'https://secure.nesinvakfi.org/nesinyayinevi/test.html' was loaded over HTTPS, but ran insecure content from 'http://www.nesinyayinevi.com/bootstrap/css/nybs.css': this content should also be loaded over HTTPS.
If you are going to use HTTPS, then use it everywhere in the page. Don't inject insecure content into the page, it makes using HTTPS pointless.
Open the console to see all sorts of errors:
The page at 'https://secure.nesinvakfi.org/nesinyayinevi/test.html' was loaded over HTTPS, but displayed insecure content from 'http://www.nesinyayinevi.com/bootstrap/img/grid-18px-masked.png': this content should also be loaded over HTTPS.
Failed to load resource: the server responded with a status of 404 (Not Found) https://secure.nesinvakfi.org/nesinyayinevi/resimler/english.jpg
In the first case, the scheme of the requested URL and the scheme of included resources need to match. Use https://www.nesinyayinevi.com. You could also use //www to have the scheme automatically match that of the requested page, but since this is secure.nesinvakfi I have to imagine that it's going to be https.
If you can't use https for nesinyayinevi.com, then you're going to have to copy the resources over or otherwise proxy them through https.
As for the 404 errors, it seems like you are using a relative path like bootstrap/js, but these are for the wrong domain. You need to use the domain absolute path of https://nesinyayinevi.com like you are doing for the CSS files.

Analyze page to see which resource is not transferred in https

I'm trying to use SSL for all the traffic of my website: https://alireza-noori.com. After a lot of struggle I managed to install certificate and make the HTTPS work. However, whenever I visit my homepage, the browser tells me that there are some insecure resources in the page. But it doesn't tell me which ones. I double-checked the source code and didn't find any HTTP link. I've even added some code to .htaccess file to force all connections in HTTPS.
How can I know which resource is causing the problem?
Developer tools (Web Inspector) in Chrome will show you in the console which files failed to load. A similar result can be achieved with the developer tools in any of the major browsers.
Here's more info on Chrome Developer Tools:
https://developers.google.com/chrome-developer-tools/
Here's what I'm getting from the console when visiting your website:
The page at https://alireza-noori.com/ displayed insecure content
from
http://themes.googleusercontent.com/static/fonts/ptserifcaption/v4/7xkFOeTxxO1GMC1suOUYWWhBabBbEjGd1iRmpyoZukE.woff.
The page at https://alireza-noori.com/ displayed insecure content from
http://themes.googleusercontent.com/static/fonts/opensans/v6/k3k702ZOKiLJc3WVjuplzJ1r3JsPcQLi8jytr04NNhU.woff.
The page at https://alireza-noori.com/ displayed insecure content from
http://themes.googleusercontent.com/static/fonts/opensans/v6/DXI1ORHCpsQm3Vp6mXoaTZ1r3JsPcQLi8jytr04NNhU.woff.
The page at https://alireza-noori.com/ displayed insecure content from
http://themes.googleusercontent.com/static/fonts/opensans/v6/EInbV5DfGHOiMmvb1Xr-hp1r3JsPcQLi8jytr04NNhU.woff.
The page at https://alireza-noori.com/ displayed insecure content from
http://themes.googleusercontent.com/static/fonts/opensans/v6/K88pR3goAWT7BTt32Z01mz8E0i7KZn-EPnyo3HZu7kw.woff.
Looks like wherever the fonts are coming from is accessed without https.
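
A static pass over the page source can list the insecure subresources the question above asks about, including fonts referenced from inline CSS. This is an added example, not code from the original posts: `findMixedContent`, the sample markup and the `.example` hosts are constructed, the font check is a file-extension heuristic, and the blockable/optionally-blockable split follows the W3C Mixed Content spec.

```javascript
// Optionally-blockable ("passive") kinds; everything else is blockable.
const PASSIVE = new Set(['img', 'audio', 'video', 'css-image']);

function findMixedContent(pageUrl, source) {
  // Mixed content only exists on a page that was itself loaded over HTTPS.
  if (new URL(pageUrl).protocol !== 'https:') return [];
  const findings = [];
  const add = (kind, raw) => {
    let url;
    // Resolving against the page URL handles relative and //host/ forms.
    try { url = new URL(raw.trim(), pageUrl); } catch (e) { return; }
    if (url.protocol !== 'http:') return;
    findings.push({ kind, url: url.href, blockable: !PASSIVE.has(kind) });
  };
  // Elements that fetch a subresource through src=. Plain <a href> links are
  // navigations, not subresources, so they are deliberately not scanned.
  const srcRe = /<(script|img|iframe|audio|video|embed)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of source.matchAll(srcRe)) add(m[1].toLowerCase(), m[2]);
  // <link rel="stylesheet" href="...">
  for (const m of source.matchAll(/<link\b[^>]*>/gi)) {
    const href = /\shref\s*=\s*["']([^"']+)["']/i.exec(m[0]);
    if (href && /\srel\s*=\s*["']?stylesheet/i.test(m[0])) add('stylesheet', href[1]);
  }
  // CSS url(...) references; font vs image is guessed from the extension.
  for (const m of source.matchAll(/url\(\s*["']?([^"')]+)["']?\s*\)/gi)) {
    const isFont = /\.(woff2?|ttf|otf|eot)([?#]|$)/i.test(m[1]);
    add(isFont ? 'font' : 'css-image', m[1]);
  }
  return findings;
}

// Constructed sample page, not taken from any site mentioned above.
const PAGE = 'https://site.example/index.html';
const SAMPLE = `
<script src="http://cdn.example/lib.js"></script>
<img src="//img.example/a.png">
<img src="http://img.example/b.png">
<iframe src="/local/frame.html"></iframe>
<link rel="stylesheet" href="http://css.example/s.css">
<a target="_blank" href="http://dl.example/1.txt">download</a>
<style>@font-face { font-family: F; src: url(http://fonts.example/f.woff); }</style>
`;

for (const f of findMixedContent(PAGE, SAMPLE)) {
  console.log(f.blockable ? 'blockable ' : 'optionally', f.kind, f.url);
}
```

A font referenced inside a remote stylesheet never appears in the HTML, so each external CSS file has to be fetched and passed through the same function with its own URL as the base.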