Remove insecure content from the page - html

I want to remove insecure content from site
I added facebook social networking box by using following GWT code in HTMLPanel
<iframe width='244' height='242' class='fb-fan-box' src='https://www.facebook.com/connect/connect.php?id="+ FacebookConstants.FB_DUBLIN_PAGE_ID+ "&connections=10&stream=0&css=https://www.supergroupers.com/facebook.css' frameBorder='0' scrolling='no' allowTransparency='allowtransparency'>
But when I run the above code in a browser, it internally adds the following CSS file, which is insecure:
<LINK rel=stylesheet type=text/css href="http://external.ak.fbcdn.net/fbml_static_get.php?src=https%3A%2F%2Fwww.supergroupers.com%2Ffacebook.css&appid=106562422725875&pv=1&sig=52d2643d471dad5f75d528ba4ea74dcb&filetype=css">
Is there any way to change that http to https?
Thanks

You should realize that adding content from any other external domain is in itself a security and privacy issue. If you are building a website that warrants https, you should NOT be including content from Facebook.
Second, the issue you describe is a problem with Facebook. They should be using protocol-relative URLs, and they are not. There is nothing you can do to fix it, unless Facebook provides an https version of their site that has a different URL.

Related

Can I fix an unsecure link in the html by adding an 's' and making the url https instead of http?

So I'm pretty familiar with HTML, CSS and JavaScript. And this moving company I work for wanted to know if I could fix this insecure link in their HTML. I used Why No Padlock? and found that this link in the head tags is insecure:
https://www.whynopadlock.com/results/bcfb1f57-2f59-4787-8979-24beea641fe0
You can see that it's using http. Would making it https fix the issue or break the link?
Test result:
A file with an insecure url of "http://fonts.googleapis.com/css?family=Open+Sans:400,300,600,700,800&subset=latin,latin-ext" was loaded on line: 20 of your site.
This URL will need to be updated to use a secure URL for your padlock to return.
I just had a look at your test results; it basically says that you include a Google Fonts stylesheet. Update that <link> to use https:// and you should be good.
Making it https:// will make your site inaccessible if you haven't obtained what is called SSL for your domain.
To fix that, obtain an SSL certificate for your website and the site will be served with https:// even when accessed with http://.

HSTS in iFrame src

I'm building an app that needs to serve websites in an iframe. Since the websites are decided by the user, they usually enter only the domain name, like google.com or facebook.com. To render the website in an iframe I need to add http:// to this (I can't add https://, since the website may not be served over SSL, which will cause it to not render at all).
For this reason, I am forced to not use ssl on my website, since due to the mixed content policy, I can't add iframes that request http. I wish to know if there's a way to force hsts in the iframe src. For example, if I request http://example.org, the iframe will automatically render https://example.org (since it exists.)
HTTPS doesn't allow you to serve HTTP content. All content on the page must be a secure connection, including iframes. This is browser standard, so there's no workaround to be had. Either your page has to be HTTP or the iframe has to be HTTPS.

Mixed content in Chrome and IE

In my HTTPS enabled site I have added an iframe that should show content from my other site, but it is not working under https.
<iframe src="//myothersite.com"></iframe>
In the latest version of Firefox everything works well.
In Chrome, the iframe isn't loaded and in the console I see these two errors
Mixed Content: The page at 'https://mysite' was loaded over HTTPS, but requested an insecure resource 'http://myothersite.com'.
This request has been blocked; the content must be served over HTTPS.
Failed to load resource: net::ERR_CACHE_MISS
In IE the content loads incorrectly and I see an alert message; if I click Allow Insecure Content, it loads correctly.
The question is: how can I make IE and Chrome behave as Firefox does (load mixed content without any alerts)?
Note: I haven't changed any browser settings.
Actually Firefox has started to do the same: How to fix a website with blocked mixed content
It makes sense. If the user accesses a site using HTTPS, they are expecting to have a secure experience, and they may not be aware of parts of the application loading over insecure connections. That is the reason why the browser blocks such an inconsistency.
You will need to provide HTTPS on myothersite.com.
Obviously it's best not to have mixed content to prevent MITM attacks but for those who can't control the url this should do the trick:
Change the src="http://linkToUrl.com" to
src="//linkToUrl.com/script.js"
When I set the URL:
from an https request, it reports an error:
Mixed Content: The page at 'https://127.0.0.1/index.html' was loaded over HTTPS, but requested an insecure resource 'http://127.0.0.1:8080/download/1.txt'.
This request has been blocked; the content must be served over HTTPS.
Failed to load resource: net::ERR_CACHE_MISS
When I added target="_blank" to the URL: <a target="_blank" href="http://127.0.0.1:8080/download/1.txt">, it works!
It's well known that target="_blank" means opening the linked document in a new window or tab, or a new request!
I'm sorry this isn't as technical as the other answers, but I had the same problem linking jQuery like this, and for me it was fixed just by changing http:// to https://. It may not work, but it worked for me and it might work for you.
Problem is mixed content, the browser won't allow us to just do that.
You need change url from:
http://example.com
to
//example.com
I'm having another complication with CloudFlare: it doesn't load, as the file has been cached as http. Just go to CloudFlare and "Purge Everything" in the cache tab, or else turn on "Development Mode".

HTML5 reading Iframe body

So I need to get the body code of an Iframe, in javascript or Jquery or whatever to communicate with my server. I set up my iframe like this:
<iframe src="http://localhost:9090" name="frame" id="frame"></iframe>
and it displays what my http server sent to it just fine, but when I attempt to get the body of my website/HTTP server using this code:
var content=$("#frame").contents().find("body").html(); alert(content);
But it just returns nothing. P.S. I am using Chrome.
If your iframe is pointing at a page that is not from the same domain as the page that contains it, then the Same Origin Policy will prohibit your page from reading the DOM of the iframe.
If you really have a pressing need to know the contents of the iframe, then use a library like cURL to load the same page on the server side.
Using Chrome or any other browser isn't the problem here. The same-origin policy is. This policy prevents you from reading the content of a site that is hosted at some other domain. Even a proxy matters in this case.
You cannot just read the contents of an iframe by just loading it.
https://en.wikipedia.org/wiki/Same-origin_policy Read this to learn more about it.

script src="//ajax.googleapis.com, where is the http?

I haven't been able to figure this out, but for some reason when I use the google libraries and look for a script to use (https://developers.google.com/speed/libraries/devguide#jquery), they are provided without the http... why is that? I've also noticed that google is now doing this on Youtube embed code (which causes my ckeditor youtube embed plugin to see this as an invalid src for an iframe).
Example (without http):
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
Why not this (with http):
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
I have a feeling it has something to do with merging everything over to https. Perhaps this is preparation?
Basically it allows the browser to determine whether to use http:// or https:// based on the protocol that your page is using. If your page is on https, then it will use https to get the scripts. Because if you hard-code http and your page is using https, then the browser will throw errors telling the user that the site might not be safe, for instance.
Bottom line: always use relative URLs for scripts, images and all resources, and don't hard-code the http protocol.
It's a relative URI. It maintains the same scheme as the page was requested with while changing the host and everything subsequent.
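The mixed-content blocking discussed in the "Mixed content in Chrome and IE" thread and the protocol-relative resolution explained just above can be checked offline. This is an added example, not code from any of the posts: a small stdlib-only auditor that parses a page, resolves every subresource reference the way a browser would against the page's own URL (so `//host/path` inherits https), and reports the ones that still resolve to http://. The sample page is constructed from the references quoted in these threads; the severity labels follow the W3C Mixed Content classification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresource-bearing elements and how a browser treats an http:// fetch of
# them on an https:// page (W3C Mixed Content): scripts, frames and stylesheets
# are blocked outright, images load with a console warning.
SUBRESOURCES = {
    "script": ("src", "blockable"),
    "iframe": ("src", "blockable"),
    "link": ("href", "blockable"),          # only rel="stylesheet" is checked
    "img": ("src", "optionally-blockable"),
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, raw_url, resolved_url, severity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in SUBRESOURCES or not attrs.get(SUBRESOURCES[tag][0]):
            return
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        attr, severity = SUBRESOURCES[tag]
        # urljoin resolves a protocol-relative "//host/path" against the page's
        # own scheme, exactly as the browser does, so those never show up here.
        resolved = urljoin(self.page_url, attrs[attr])
        if urlsplit(resolved).scheme == "http":
            self.findings.append((tag, attrs[attr], resolved, severity))

def audit(html, page_url):
    # Mixed content only exists on an https:// page; an http:// page has none.
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentAuditor(page_url)
    parser.feed(html)
    return parser.findings

def suggest_fix(raw_url):
    # Rewrite http:// to https://; protocol-relative references stay as they are.
    return "https://" + raw_url[7:] if raw_url.startswith("http://") else raw_url

# Constructed sample page built from the references discussed in these threads.
SAMPLE_PAGE = """<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans:400,300,600,700,800&subset=latin,latin-ext">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<iframe src="//myothersite.com"></iframe>
<iframe src="http://myothersite.com"></iframe>
<img src="http://myothersite.com/logo.png">
"""
```

Running `audit(SAMPLE_PAGE, "https://mysite/index.html")` flags the Google Fonts stylesheet, the http:// iframe and the image, while both protocol-relative references resolve to https and pass.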