I enabled SSL on my website which is hosted on Blogspot with a custom domain and I encounter this error in console which asks me to Load Unsafe Scripts on the address bar.
What I see in Inspect Element:
This has nothing to do with IPv4. The error just says that, while your page was served over https, it's trying to load an external script via http, which Chrome doesn't allow. You must modify your page to load all resources over https.
Related
My site has a server-level redirect from HTTP to HTTPS, but Chrome shows "Site is note secure" warning before redirecting even though the user will never see the insecure site. This is a bad UX because the user has access to a secure site and Chrome is the one not checking if secure access / redirect is available. Most sites redirect from http to https but only some of them are blocked on Chrome. What is the reason for this? How can I fix this on my sites?
My site is https://theinfinitezero.com
But if I just put http://theinfinitezero.com
it gets blocked instead of redirecting.
I search everywhere I found 0 information about this specific redirect.
I have app that I need to use "HTTP" to function, recently chrome started to redirect my app to HTTPS automatically, and If I put HTTPS to HTTP code in my app it cause infinite loop.
My app is not on the HSTS preload domain list, my app and server have no redirect code to HTTPS.
Request URL: http://4444.com/z.txt
Request Method: GET
Status Code: 307 Internal Redirect (from disk cache)
Referrer Policy: strict-origin-when-cross-origin
Cross-Origin-Resource-Policy: Cross-Origin
Location: https://4444.com/z.txt
Non-Authoritative-Reason: DNS
This does not happen on any other browser other than chrome.
Does that mean chrome is targeting my host's dns to make sure all website hosted on the DNS is HTTPS?
If yes I think this is very bad move from google as I can't find any announcement by google that they will start forcing https on websites. This could break many non https sites without prior warning.
If not what can I do to fix this issue?
Thanks
I encountered the same problem just like you, and that situation didn't happen all the time, sometimes when I open another window as incognito mode, the redirect disappeared!Sooooo Annoying:(
And I just tried another way, it seemed to work fine with me!
go to : chrome://net-internals/#dns, and click Clear host cache , then refresh your page, the redirect will be gone!
Even if the "Always use secure connections" (chrome://settings/security) is disabled, chrome will still try to use HTTPS if it finds HTTPS records in DNS, as per #dns-https-svcb flag - "Support for HTTPS records in DNS" (chrome://flags/#dns-https-svcb) - which is enabled by default.
This causes the loop leading to the ERR_TOO_MANY_REDIRECTS with Non-Authoritative-Reason: DNS.
Either remove any HTTPS record from the host zone file or disable the aforementioned flag from chrome.
Did you access websites using VPN? VPN server seems able to force http to https
I have a project that I have to inject Javascript into websites using the browser. I mean that I go to developer tools -> console -> enter the following:
window.FO_DEBUG=true;
var b=document.getElementsByTagName("head")[0].appendChild(document.createElement("script"));
b.src="//path-to-file//"
The issue is that I cannot inject code from my local machine for HTTPS websites.
The only way I found to do it is to inject a file from another HTTPS server.
Do you know any way of injecting a file from my local machine to an HTTPS server?
It's possible to inject scripts to HTTPS websites as long as the origin of these scripts is HTTPS server.
Therefore, the easiest way to do it is to create a local HTTPS server, and inject the script from this https server.
The following videos show perfectly how to do it:
https://www.youtube.com/watch?v=zTlc5Z59FpA&t=208s
https://www.youtube.com/watch?v=VbNPi2gaJpU
I'm getting the errors when testing my application locally since I switched to https:
Warning: Domain www.example.com does not specify a meta-policy.
Applying default meta-policy 'master-only'. This configuration is
deprecated. See http://www.adobe.com/go/strict_policy_files to fix
this problem.
Error: Request for resource at
https://www.example.com/?json=user/get_logged_in_user by requestor
from http://localhost:8888/Test-debug/Test.swf is denied due to lack
of policy file permissions.
I tried changing my localhost to https but got the following error:
Secure Connection Failed
An error occurred during a connection to localhost:8888. SSL received
a record that exceeded the maximum permissible length. Error code:
SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
From what I've read I can upload and add a policy file and changing secure to true but I don't want to allow calls from anywhere. Once the swf is on my server everything works fine.
Is there a way to get this to work locally for testing? Is there something that I can enable while testing like:
Security.allowDomain("localhost");
Or do I have to upload a cross domain policy and then delete that policy when I'm done testing?
Since my local site is running locally in the browser shouldn't it be able to make a connection to a https connection?
Using of https (btw it does not configured properly according to message you posted (did you use FireFox to test?)) will not help. The problem is that www.example.com does not have crossdomain.xml policy file, so flash player does not allow to access that domain from your localhots which is also a domain.
If you have an access to www.example.com add policy file here with wildcard access, if not - test via http is possible only with mocking response with some http proxy.
I changed to testing using file:// (no server) and it works making https calls.
I am facing an issue with my hosted project.
The request with link :- http://......./api_tester.html works fine and
provides results, but, it gives CORS 'Access-Control-Allow-Origin' Missing
when the api_tester.html file is accessed via the browser directly.
The URL for the file in the browser is file:///E:/workspace_windows/api_tester.html
Kindly suggest.
It seems you are trying to open the file directly from desktop, hence it is picking its protocol file:// protocol. Use either complete url starting with HTTP or run from any web server. Secondly error you stated means you are trying to access the page hosted on another domain and this usually happens when you do XHR requests to domain other than the one where your file is hosted.
You can add header "ACCESS-CONTROL-ALLOW-ORIGIN" to the file you are trying to access to allow all requests to be accessible from all different domains.