Mediawiki can't load CSS if SSL is enabled - ssl

There is an http:// hardcoded somewhere in mediawiki codebase, causing these errors. Can't find out, what.
Index:13 Mixed Content: The page at 'https://xy/Index' was loaded over HTTPS, but requested an insecure stylesheet 'http://xy/load.php?debug=false&lang=hu&modules=mediawiki.legacy.co…face%7Cmediawiki.ui.button%7Cskins.vector.styles&only=styles&skin=vector&*'. This request has been blocked; the content must be served over HTTPS.
Index:1 Mixed Content: The page at 'https://xy/Index' was loaded over HTTPS, but requested an insecure script 'http://xy/load.php?debug=false&lang=hu&modules=startup&only=scripts&skin=vector&*'. This request has been blocked; the content must be served over HTTPS.

In your mediawiki folder, there's a file named LocalSettings.php
You need to edit that file and change $wgServer value from http:// to https://

Related

A problem with kendodatepicker over https

I use kendodatepicker in my asp mvc project for input persian date.But when publish my website over https . Https not allow to load kendo cdn.This is my console log :
Mixed Content: The page at 'https://gormast.ir/Admin/Discount/Create' was loaded over HTTPS, but requested an insecure stylesheet 'http://cdn.kendostatic.com/2013.2.918/styles/kendo.default.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://gormast.ir/Admin/Discount/Create' was loaded over HTTPS, but requested an insecure stylesheet 'http://cdn.kendostatic.com/2013.2.918/styles/kendo.common.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://gormast.ir/Admin/Discount/Create' was loaded over HTTPS, but requested an insecure script 'http://code.jquery.com/jquery-1.9.1.min.js'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://gormast.ir/Admin/Discount/Create' was loaded over HTTPS, but requested an insecure stylesheet 'http://cdn.kendostatic.com/2013.2.918/styles/kendo.default.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://gormast.ir/Admin/Discount/Create' was loaded over HTTPS, but requested an insecure stylesheet 'http://cdn.kendostatic.com/2013.2.918/styles/kendo.common.min.css'. This request has been blocked; the content must be served over HTTPS.

HTTPS security is compromised by http: *.abc.com

I have problem while redirecting the http:// url from https:// pages.
http pages are the url formed internally in java code. when redirection happens from https to formed http url pages are not loading properly and showing loading symbols.
In browser console error showing as "HTTPS security is compromised by http:www.aabc.com"
when i forcibly try to replace http to https redirection says target page uses older tls version

Mixed content error when using github pages with custom domain

I'm hosting my git-hub pages website (peps09791.github.io) using a custom domain (https://thebotspeaks.com) with Cloudflare.
To enable HTTPS, I have done the following configurations:
In my _config.yaml file
I have set the URL key accordingly
url: "https://peps0791.github.io"
From my cloudFlare dashboard, I have enabled option of HTTPS rewrites to prevent mixed content error.
I have also enabled Flexible SSL from CloudFlare.
I haven't enabled default HTTPS-redirection because the website breaks over HTTPS. On HTTP, it works fine.
Right now, when I try to access my website using HTTPS, I get mixed content error:
Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure image 'http://thebotspeaks.com/assets/images/bio-photo.jpg'. This content should also be served over HTTPS.
09:54:45.323 (index):1 Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://thebotspeaks.com/assets/css/main.css'. This request has been blocked; the content must be served over HTTPS.
09:54:45.785 (index):1 Mixed Content: The page at 'https://thebotspeaks.com/' was loaded over HTTPS, but requested an insecure script 'http://thebotspeaks.com/assets/js/main.min.js'. This request has been blocked; the content must be served over HTTPS.
From console, I can see this:
<script src="https://peps0791.github.io/assets/js/main.min.js"></script>
<link rel="stylesheet" href="https://peps0791.github.io/assets/css/main.css">
How do I resolve this issue?
The problem here is that your assets (i.e. your CSS or JavaScript) are redirecting to the HTTP version of your site. This is because your assets are referencing directly to your GitHub site instead of the Cloudflare-enabled domain.
For example; your HTML references your CSS files at https://peps0791.github.io/assets/css/main.css instead of https://thebotspeaks.com/assets/css/main.css
In order to fix this it looks like you'll need to update your _config.yaml file to have the following URL key:
url: "https://thebotspeaks.com"
More general advice on fixing a variety of Mixed Content issues can be found in the following article on the Cloudflare Knowledge Base: How do I fix the SSL Mixed Content Error Message?
Adding this helped me to deal with the Mixed Content error on GitHub pages on a custom domain secured with enabled HTTPS:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Apparently for me. The website inside CNAME file in Github repo did NOT had https prefix. So I added https://. and it worked.
Cheers
P.S: Fixed this problem after 1 year, can you believe.

SSL certificate and "www" vs non "www"

I'm being asked to redirect a website to https once an SSL certificate is installed. It's a wordpress site and this should be very easy, you simply go to settings and change the http to https, and/or install a plugin to manage everything for you and change all of the "http" in your files for "https".
The certifiate came with problems that the host fixed gradually (it wouldn't pass any test on qualys SSL Labs). However for some reason they sent me an e-mail stating that the certificate is made for the "www version of the site". this site didn't have "www" in it's address.
The non "www" version now redirects to the "www" version but I just cannot get a green padlock. Oddly enough, I did get one refreshing the page a few times and when I did it was all messed up. If I check the page source some stylesheet links for example look for the https:// no www version of the page and this is probably the problem right?
Should I just change manually all of the links in the page or ask the host not to create a certificate for a www version of this website when it didn't have that in the first place?
/* EDIT */
I get this in the console before an error for every single url in the page for images and stylesheets, etc.
Redirecting navigation because the server presented a certificate valid for www... but not for "non www version" To disable such redirects launch Chrome with the following flag: ...

SSL for relative paths?

I noticed when accessing a site using HTTPS I get errors in the JS console when trying to include CSS or JS files from a relative path such as this:
<link rel="stylesheet" type="text/css" href="css/demo.css?id=14" />
Mixed Content: The page at 'https://mysiste.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://mysiste.com/css/demo.css?id=14'. This request has been blocked; the content must be served over HTTPS.
What's the ideal solution for this scenarios?
Should I just force all the HTTP accesses to be redirected to HTTPS?
Or is there a way to tell the server to serve all relative paths using HTTPS?
Relative links will use the protocol and host from the base URL. The base URL is usually the one which can be seen in the URL bar. But it is possible to change the base URL explicitly using the base tag.
This means if you have a base URL with http as protocol set in your page it will still use http instead of https even though you've accessed the site with https and the reference is relative, i.e. like this:
<base href="http://example.com/">
To fix it either remove the base tag or change it to use https instead of http:
<base href="https://example.com">