I haven't been able to figure this out, but for some reason when I use the google libraries and look for a script to use (https://developers.google.com/speed/libraries/devguide#jquery), they are provided without the http... why is that? I've also noticed that google is now doing this on Youtube embed code (which causes my ckeditor youtube embed plugin to see this as an invalid src for an iframe).
Example (without http):
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
Why not this (with http):
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
I have a feeling it has something to do with merging everything over to https. Perhaps this is preparation?
Basically it allows the browser to determine whether to use http:// or https:// based on the protocol that your page is using. If your page is on https then it will use https to get the scripts. Because if you hard code to say http and you page is using https then the browser will throw errors telling the user that the site might not be safe for instance.
Bottom line always use relative URL for scripts, images and all resources and don't hard code the http protocol.
It's a relative URI. It maintains the same scheme as the page was requested with while changing the host and everything subsequent.
Related
So I'm pretty familiar with html, css and java Script. And this moving company I work for wanted to know if I could fix this unsecured link in there html. I used Why no Padlock? and found that this link in the head tags is unsecure
https://www.whynopadlock.com/results/bcfb1f57-2f59-4787-8979-24beea641fe0
You can see that it's using http. Would making it https fix the issue or break the link?
Test result:
A file with an insecure url of "http://fonts.googleapis.com/css?family=Open+Sans:400,300,600,700,800&subset=latin,latin-ext" was loaded on line: 20 of your site.
This URL will need to be updated to use a secure URL for your padlock to return.
I just had a look at your test results, it basically says that you include a google fonts stylesheet. Update that <link to use https:// and you should be good.
Making it https:// will make your site inaccessible if you haven't obtain what is called SSL for your domain.
To fix that, obtain a SSL certificate for your website and the site will be served with https:// even when accessed with http://
So I need to get the body code of an Iframe, in javascript or Jquery or whatever to communicate with my server. I set up my iframe like this:
<iframe src="http://localhost:9090" name="frame" id="frame"></iframe>
and it displays what my http server sent to it just fine, but when I attempt to get the body of my website/HTTP server using this code:
var content=$("#frame").contents().find("body").html(); alert(content);
But it just returns nothing. PS I am using chrome
If your iframe is pointing at a page that is not from the same domain as the page that contains, then the Same Origin Policy will prohibit your page from reading the DOM of the iframe.
If you really have a pressing need to know the contents of the iframe, then use a library like CURL to load the same page on the server side.
Using Chrome or any other browser isn't the problem here. Same-origin policy is. This policy would prevent you to read the content of a site that is hosted at some other domain. Even proxy matters in this case.
You cannot just read the contents of Iframe by just loading it.
https://en.wikipedia.org/wiki/Same-origin_policy Read this to learn more about it.
I have an application that uses Google Drive for document storage and preview functionality, but recently the iFrames that the documents are loading into are not displaying anything. Upon inspection of the console, Chrome declares that it blocked the fram from running insecure content, and that is why the file preview did not load.
The initial call to preview this file is to a url that looks like this:
https://docs.google.com/document/d//preview
There is a redirect along the way that takes the following form but because it uses http instead of https, Chrome blocks the content from loading.
http://www.google.com/url?sa=p&q=https://www.google.com/accounts/ServiceLogin?service%3Dwise%26passive%3Dtrue%26go%3Dtrue%26continue%3Dhttps://docs.google.com/document/d//preview?pref%253D2%2526pli%253D1
Is there any way around this issue? It is blocking a core functionality of my application currently, so any advice would be appreciated. I can provide a screenshot of the full stack of network loads in necessary, but this is the only URL that is not http compliant.
Thanks in advance for your help.
Hacked that. Add a "?pli=1" without quotes at the end of the URL to avoid redirect (after "/preview" or "/edit") and land directly to the document.
It's my understanding that if you have an https site you want all external files - js, css, images, etc - to be https as well, lest you get warnings about having some content that isn't secure or something.
Well I just tried that out and didn't get any warnings at all.
Where do I see these warnings? Also, assuming this is true... is the opposite true? Do you risk any warnings if you include https content on an http site?
FWIW I tried this:
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
Google has people doing this by default:
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
That'll make it so it's fetched from either http or https depending on what your website is using. Of course if https on http doesn't give any warnings it seems that doing https for all js files would work just as well..
Error messages will be displayed on the user/viewer's browser.
[This site] (https://security.stackexchange.com/questions/1692/is-posting-from-http-to-https-a-bad-practice) has some explanation why there are error messages.
Assuming you are asking how google's code works, it is called a protocol-relative URL. The protocol of the linked file will inherit the protocol of the page including it.
So if your page is https then it would send for it over https.
You can use
<script src="https://ajax.googleapis.com/ajax/jquery/1.8.3/jquery.min.js"></script>
Or remove the "https:" and have the js sent over https, provided your page is https.
Just to add another thing, if you load content through http on a https webpage, then you'll get warnings, but if you do the opposite, then there wont be any, but keep in mind that https is a slower than http. So use https only on https pages.
I want to remove insecure content from site
I added facebook social networking box by using following GWT code in HTMLPanel
< iframe width='244' height='242' class='fb-fan-box' src='https://www.facebook.com/connect/connect.php?id="+ FacebookConstants.FB_DUBLIN_PAGE_ID+ "&connections=10&stream=0&css=https://www.supergroupers.com/facebook.css' frameBorder='0' scrolling='no' allowTransparency='allowtransparency'>
but when i run above code in browser it internally adds following css file which is insecure
< LINK rel=stylesheet type=text/css href="http://external.ak.fbcdn.net/fbml_static_get.php?src=https%3A%2F%2Fwww.supergroupers.com%2Ffacebook.css&appid=106562422725875&pv=1&sig=52d2643d471dad5f75d528ba4ea74dcb&filetype=css">
Is there any why to change that http to https
Thanks
but
You should realize that adding content from any other external domain is in itself a security and privacy issue. If you are building a website that warrants https, you should NOT be including content from facebook.
Second, the issue you describe is a problem with facebook. They should be using protocol relative urls, and they are not. Nothing you can do to fix it, unless facebook provides a https version of their site that has a different url.