I tried loading NopCommerce over HTTPS, but images and scripts have absolute URLs which contain http://, so the browser blocks them and shows an insecure site instead of the green SSL lock.
How should I change the absolute URLs of the content to relative ones?
Related
Is it possible to use non-SSL sources with HLS on a page and playlist served via SSL HTTPS?
I have a page served over HTTPS. It uses Video.js to play a .m3u8 playlist. The playlist is fetched from the same server over HTTPS and is dynamically generated. The individual .ts segments within the playlist are stored on a CDN.
I'm finding that the SSL handshakes for each .ts GET request are high. Would like to instead make the .ts GETs use non-SSL HTTP -- the video content is not sensitive (and if it were, HLS supports symmetric AES encryption which is significantly faster than the asymmetric SSL handshake).
However, Chrome is refusing to load the .ts segments from a non-SSL HTTP source:
video.js:26948 Mixed Content: The page at 'https://localhost' was
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://foo.com/20180110144476.ts'. This request has been blocked;
the content must be served over HTTPS.
Adding a content security policy does not help:
<meta http-equiv="Content-Security-Policy" content="connect-src http://foo.com 'self';">
Since the ts files are fetched via XMLHttpRequest they're considered active mixed content and modern browsers will block access by default.
The CSP's connect-src option further restricts the origins you can connect to and it won't allow you to bypass the mixed-content check.
I'm afraid the only way is to serve everything over either HTTPS or HTTP.
I am using tarruda datetimepicker for my project; it works fine until I move to https. The tarruda datetimepicker link is http. I get this warning:
Mixed Content: The page at 'https://mywebsite.com' was loaded over HTTPS, but requested an insecure stylesheet 'http://tarruda.github.io/bootstrap-datetimepicker/assets/css/bootstrap-datetimepicker.min.css'. This request has been blocked; the content must be served over HTTPS.
What can I do to fix this?
Host the file locally or change the link to use https -- https://tarruda.github.io/bootstrap-datetimepicker/assets/css/bootstrap-datetimepicker.min.css. I'd prefer hosting the file locally over the link, as it is not a CDN and the owner can choose to discontinue the GitHub page, essentially killing your link.
I made an extension for Chrome.
When I browse to a web site under https, my links are still under http and I receive:
'The site uses SSL, but Google Chrome has detected either high-risk insecure content on the page or problems with the site’s certificate'
I saw that with another extension, when I browse to a web site under https, the links are under http and they receive:
'The site uses SSL, but Google Chrome has detected insecure content on the page.'
How can my extension receive 'insecure content' instead of 'high-risk insecure content'?
This error occurs when the website content is only partially encrypted. Some of the sources for the page are coming from http sources. So basically, if a website uses https, all sources for https web pages must be https, thus defeating the point of having the security. This is why web browsers at the very least show warnings or block the content.
The website has an SSL certificate.
Any http page is redirected to the same, but https, page (if not https) by .htaccess.
Everything works fine, but 404.shtml gets a security warning "This webpage contains content that will not be delivered using a secure HTTPS connection..." in IE. The same behavior is in any other browser.
How can I exclude that error?
The 404.shtml web page was created using the web-hosting control panel wizard. The file 404.shtml was created automatically.
Most likely the automatically generated file includes links, images or other resources fetched via http. If you can change them to https links, you should avoid the problem. There's afaik no other way to make the browser not warn about this, at least in a cross browser way.
I have an ASP web site that gives a warning to visitors with a red x (in Chrome) and "not verified" in Firefox when they try to log in. See the picture.
Please advise what it means and what I should do.
Thanks
When a page is loaded via an HTTPS URL, the browser security model states that all resources referenced by that page should also be HTTPS URLs. Check your page for references to JavaScript, CSS, JPGs, etc. All of them should be using HTTPS when the main page is loaded by HTTPS.
If you have JavaScript that is dynamically loading content with XHR, you need to make sure the URLs you load match the scheme (HTTP or HTTPS) of the main page. This is particularly important for JavaScript that is intended to be reused on multiple HTML pages, some of which are loaded via HTTP and some of which are loaded via HTTPS.
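An added example, not part of any of the posts above: a small static check in Python for the advice to audit a page's references. It lists the http:// subresources in an HTML document and labels each as active (blocked by browsers) or passive; the sample page and its URLs are constructed, and the tag-to-category mapping is a simplified assumption.

```python
from html.parser import HTMLParser

# Constructed sample page; every URL is a placeholder.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://cdn.example/css/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://cdn.example/js/app.js"></script>
<script src="//cdn.example/js/lib.js"></script>
<img src="http://cdn.example/img/logo.png">
<img src="/img/local.png">
<iframe src="HTTP://ads.example/frame.html"></iframe>
<a href="http://other.example/">plain link</a>
"""

# Simplified mapping (an assumption of this example): "active" loads are
# blocked outright, "passive" ones are warned about or upgraded.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (kind, tag, url) for every http:// subresource in a page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheet links are treated as fetches; rel=canonical is not one.
            rels = attrs.get("rel", "").lower().split()
            kind, url = ("active" if "stylesheet" in rels else None), attrs.get("href", "")
        elif tag in ACTIVE:
            kind, url = "active", attrs.get(ACTIVE[tag], "")
        elif tag in PASSIVE:
            kind, url = "passive", attrs.get(PASSIVE[tag], "")
        else:
            return  # <a href> is navigation, not a subresource load
        # Relative and protocol-relative (//host/...) URLs inherit the page scheme.
        if kind and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

if __name__ == "__main__":
    print(*scan(SAMPLE_HTML), sep="\n")
```

URLs built at runtime, such as the XHR segment requests in the HLS question, do not appear in the markup, so they only show up in the browser console.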