How to avoid WeChat warning about visiting an external page?

I have a site hosted on AWS S3, with CDN managed by Cloudflare. For most purposes the site works fine, but when I try to share it through the social media app WeChat, I get a warning (pictured below) and then the site doesn't render properly. This doesn't happen consistently, but when the warning appears, then the site fails to load properly.
My first line of thought was that the problems might be that the different settings of S3 compared to a more standard Apache server were triggering some security issue in WeChat, and that Cloudflare might fix the problem, but it doesn't seem to have made any difference.
Removing Google Analytics and all CDN-ified resources also doesn't seem to have made any difference.
Any thoughts or input on either weirdness in the WeChat browser's rendering rules or why S3 might be triggering a warning would be greatly appreciated. Running into a bit of a wall here.

tl;dr WeChat shows a warning for certain top-level domains. My site was on a .me tld, which triggered a warning. The page rendering incorrectly is based on the warning (not sure about why these two things are connected)
After messing around with https (security issues) and removing all CDN-ified assets (thought they might be blocking down rendering), and hosting the site in China vs outside of China, I finally stumbled upon this. Nothing else matters. It's just the tld that triggers the warning and causes the rendering problem.

Related

view-source in href shows error in console

Click Me
This used to work as a valid href attribute but it seems in the past few months it now shows an error in the console (I'm using Chrome):
Not allowed to load local resource: view-source: http://stackoverflow.com
I found some links from 2013 where this was once a bug in Chrome but said it was fixed.
Could someone point me to an authoritative source that can explain why this no longer works? I assume that this is security by the browser and not an angular issue (since view-source is whitelisted and used to work)
Looks like Chrome and Firefox (at least) disabled this within the past year or so
I found this thread, and these release notes explaining why and providing a timeline as to when the change took place.
Related StackOverflow question: File URL "Not allowed to load local resource" in the Internet Browser
Chrome responds with the "Not allowed to load local resource:" as a security protocol. I'm not sure why this used to work, but not now, though there is no real way around this unless web-security is disabled. There may be a different outcome on other browsers, but ultimately you are correct in thinking that it's Chrome's security.
The reason is that Chrome tries to preload URLs in background, to speed up your browsing experience.
If you open the DevTools after loading the page, the content of the items listed on the Resources tab may not be populated. This is also true of network requests on the Network tab. To see the fully populated resources on the Resources tab, first open the DevTools, then refresh the page, or navigate to the desired page with the DevTools open. Now select the html resource and it should be populated.

Chrome Forcing HTTPS

Chrome is forcing https (as well as adding https to every internal link) to everything on my site, even though I have https support disabled/don't want to use it.
This occurred after I went to my site's cpanel (which requires you go through https). I changed no settings, and after that Chrome forces it. Only occurring on Chrome (firefox is working fine), and only on one computer.
Of course, I tried restarting, clearing cache/cookies as well as going to chrome://net-internals and deleting the domain from HSTS. Nothing works.
Any ideas? Thank you
I had the same issue and to all odds it had something to do with my website itself. In my case I'm running WordPress & WooCommerce on my site and it seems like by deactivating WooCommerce my issue was solved. Still not sure how to properly fix this since as soon as I activate WooCommerce again the same issue re-appears. However, at least I know now where the issue is coming from and can dig around further.
I noticed the same issue with WooCommerce 2.3. Earlier versions don't have the same issue. My workaround was to load my site using Internet Explorer {the horror}.

Google Chrome intermittent load issue: possible to Programmatically disable "Predict network actions..."?

I'm having a very strange problem with a site in Google Chrome:
When I click on a link (from a list view to a detail page), the page hangs and Chrome throws up a dialogue asking me to kill the page. The page is never displayed.
But if I navigate directly to the page, it loads in Chrome without any problems. Both actions (clicking on a link or navigating to the page) work fine in Safari and Firefox.
Disabling "Predict network actions to improve page load performance" in Chrome's settings seems to fix the problem, but this is not a viable solution as I don't have any control of my user's browser settings.
Some more detail about the situation:
The link is just a regular <href>. I'm not doing any javascript click() handling or anything else. I'm not using any 'prefetch' or 'prerender' <link> elements.
The pages all validate using the W3 html5 validator.
The page I'm navigating to loads a lot of JS, uses Knockout.js for rendering and loads a video file over HTTP.
On the occasions that the page does load (after a very long wait), Chrome appears to have rendered the entire page in the background and loaded all external resources. If I navigate directly to the page it doesn't preload anything though (I'm using knockout to show a 'please wait' message while the external resources load).
When I log the network requests using Charles, it appears that Chrome loads the HTML for the page instantly, but the requests for the external resources seem to take forever.
If I look at the CPU usage in Activity Monitor, 'Google Chrome Renderer' uses 100% CPU when loading from the href, but only 30% when loading directly from the page.
I'm using the latest version of Chrome (22.0.1229.94)
So - my question
Is there a way to programmatically disable "Predict network actions to improve page load performance"?
Or is there some other solution to this problem?
Just going through high voted unanswered questions I came across this one, and I once got into a similar situation for entirely different reasons (chrome was preloading a huge file I couldn't afford to load for every user). The fairly simple solution I applied back then was to open the link through Javascript rather than a simple href which worked wonders. Either way, your problem might already be solved, but seeing the number of views I thought I could at least share this small insight.

Partial SSL in Chrome

Visiting my site in SSL and in Chrome (12.0) I get
Your connection to someWebsite is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behaviour of the page.
The connection uses TLS 1.0.
The connection is encrypted using AES-256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
The connection is compressed with DEFLATE.
I searched with FireBug (NET tab) and Chrome Inspector and all resources are accessed via https. Where is the problem? *I cleared the cache already
What could be the problem?
Chrome will give this error if you've visited another https page on the same domain that had mixed content however this should not be the problem if you've tried clearing your cache.
You might want to try Ctrl-Shift-J for the JavaScript console, it should show the insecure content.
I have the same thing - and I read from the Google Chrome help site that elements on the site are not encrypted - like videos. I looked via Firefox - right click->View Page Info->Media tab and saw that every time I use a YouTube video in my video player I have plain http addresses like:
http://s.ytimg.com/yt/swfbin/watch_as3-vflrEm9Nq.swf and
http://img.youtube.com/vi/V6JgyNy59yA/1.jpg
I think these non https links are causing the security message site-wide. Thus, it appears using videos from 3rd party sites will always throw a security error in Google Chrome for https pages.
That's my answer - but I have no solution yet. I need to be able to share videos from YouTube in our news section, but my online store section needs to use https without scary red letters and slashes through it for my clients.
Has anyone dealt with this effectively?
Thanks
Had the same problem on my Magento Site. Be sure to change all image and js links (even in .css) from http:// to simply //. Solved it for me.
I had the same issue; my problem was that some img tags had src pointing to http instead of https. It does not matter even if they link to another domain, like <img src="http://otherdomain.com/image.jpg" />; it still shows that warning. As soon as I changed all internal and external img links to https the warning disappeared.
If you check the page and it seems to have no insecure content, check to make sure that something on the page is not submitting data to an insecure location.
Content should be submitted over HTTPS, not HTTP.

How can you tell exactly what insecure items are causing a browser to warn about mixed secure and insecure items?

In Firefox, I view my site and get no warnings about insecure mixed content.
Using FireBug, I can see that every request is https.
In Chrome, I get the https crossed out in the address bar.
I viewed source in Chrome and then ran this regex /http(?!s)/ but the only things it found were the href attributes for some external links and the doc type and http-equiv meta tags.
Using Chrome's Resource Tracking revealed all requests were https too.
This includes Google Analytics, jQuery from Google's CDN and Facebook like scripts.
Is there any specific tool I can use to show non https requests, or anything further I can try?
I found that I get the "mixed content"-warning in Chrome even when there is no mixed content, if sometime during the session mixed content was already encountered on the domain.
(Also mentioned here: Why is Chrome reporting a secure / non secure warning when no other browsers aren't?)
In Chrome's Developer Tools, the Console tab shows the resources that it won't load because they are unsecure.
You can add the "scheme" column to the Chrome developer tools network tab to show which requests were sent over http or https:
Press F12 to show the developer tools
Switch to the Network tab
Right click in the column headers and select "Scheme"
Reload the page to show which elements are loaded over http or https
In situations like this where it's helpful to see exactly which protocol is being used to load resources, I would recommend Fiddler2 as a browser-agnostic solution that can show you exactly what traffic is occurring on each request.
From the site:
Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.
Edit: In-browser debugging tools are becoming really good so this third-party tool may not be as useful as it was when this answer was first written.
Open up the Web Inspector and find the yellow triangle (warning) in the top right. Click on it and it will display all security issues.
In the 48th version of Chrome they added a security panel. Using it you can quickly identify the mixed content resources:
Do you have the HttpFox plugin for FireFox? That'd work, I think.
Among other things, it reports on the URL, Method, Result Code, and bytes of all the assets that a web page requests. It's what I've used to trap the occasional non-HTTPS graphic, etc. I'm sure the other suggested tools would do the same...
You can use SslCheck
It's a free online tool that crawls a website recursively (following all internal links) and scans for nonsecure includes - images, scripts and CSS.
(disclaimer: I'm one of the developers)
I know this post is old, but I ran across it and had the same issue. I clicked on the Chrome menu (top right corner), scrolled down to Tools> and selected Developer Tools. Clicked on the Console tab and it told me exactly what the problem was... the favicon was served over http, not https, but of course it was not in the page source code. Corrected the problem in my CMS, which loads the favicon without code in the page... and no more error!
Note that 'mixed content' and 'mixed scripting' are detected separately. Check this site for the meaning of the icons in Chrome: https://support.google.com/chromebook/answer/95617?p=ui_security_indicator&rd=1 (click 'see details' link).
Grey icon = mixed content, red icon = mixed scripting.
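
The checks suggested across the answers above (http `img` sources, CSS `url()` references, a favicon link, a form submitting to an insecure location) can be combined into one offline scan of the page source; this is an added example, not code from any of the posts. The "active"/"passive" labels (roughly the 'mixed scripting' versus 'mixed content' split), the function names and the sample page with its example.com hosts are assumptions made here.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch or submit (not exhaustive); <a href> is navigation.
LOADS = {("script", "src"): "active", ("iframe", "src"): "active",
         ("img", "src"): "passive", ("form", "action"): "form"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, url) for each plain http:// load; //host and https:// pass."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _check(self, kind, tag, url):
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_style = tag == "style"
        for name, value in a.items():
            if (tag, name) in LOADS:
                self._check(LOADS[(tag, name)], tag, value)
        rel = (a.get("rel") or "").lower()
        if tag == "link" and ("stylesheet" in rel or "icon" in rel):
            self._check("active" if "stylesheet" in rel else "passive", tag, a.get("href"))

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # url(...) inside a <style> block
            self.findings += [("passive", "style", u) for u in CSS_URL.findall(data)]

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (example.com hosts are placeholders).
SAMPLE = """<link rel="icon" href="http://example.com/favicon.ico">
<link rel="stylesheet" href="//cdn.example.com/site.css">
<style>body { background: url('http://example.com/bg.png'); }</style>
<a href="http://example.org/">external link</a>
<img src="http://otherdomain.com/image.jpg" />
<script src="http://example.com/widget.js"></script>
<form action="http://example.com/subscribe" method="post"></form>"""
print(*find_mixed_content(SAMPLE), sep="\n")  # one finding per line
```

Unlike the bare `/http(?!s)/` regex, this skips ordinary links and the doctype, but it only sees what is in the markup: requests made by scripts at runtime still have to be found in the browser console or network tab.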