Why Firefox 33 shows "is not fully secured" on the first load? - apache

I am trying to setup my HTTPs website with Apache 2.2 and Firefox 33.
On the first load Firefox shows that warning.
But on the next page load (i.e. F5, another tab, etc until firefox restarts) everything on this URL is secure.
The page is just plain HTML, no javascripts, no images. I put robots.txt and favicon.ico into the /var/www/site/htdocs/ (I thought firefox loads them from http:// instead of https://). But this did not helped.
So, why firefox shows this warning on the first view after launch and don't does that later?
(I tried to ask this question on server fault, but don't have enough reputation to upload pictures)
UPD: Tools -> Web Development -> WebConsole says
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://mc.yandex.ru/webvisor/26570853?rn=493111185&page-url=http%3A%2F%2Fstart.calculate-linux.ru%2F&wmode=0&wv-type=0&wv-hit=372504783&wv-part=1&wv-check=34794&browser-info=z%3A240%3Ai%3A20141022210348%3Arqnl%3A1%3Ast%3A1413997437. This can be fixed by moving the resource to the same domain or enabling CORS. 26570853
Everything becomes ok, when I set about:blank as homepage.
But the question remains - how (in this scenario) scripts from previous page can affect next page?

Related

Vue favicon doesn't change in ios chrome & safari browser

I alredy change the favicon.ico to the logo file which I want to use In Vue-cli's public folder, and named it the same file name.
In web browser the Favicon and title be changed successful
but in the mobile browser neither safari or chrome are fail
I didn't use pwa so probably not have manifest.json problem
And I already tried to clean both browser's cache or open it on Incognito Windows, but still the same, is anything I neglect to do with my index.html or vue-cli config?
You can add <link rel="apple-touch-icon" href="/custom_icon.png"> so that your favicon is shown when you favorite the page or view it in that tabs view. This is mentioned here.
For the webpage itself its very likely your iPhone is still caching the old icon regardless of your attempts to clear said cache. In my experience trying to load the page with no network connection, waiting for the time out error and then connecting to the network and reloading the page is the best way to "force" the device to clear its cache. Alternatively with the dev tools open and a keyboard attached type command + option + r. If not, patience, it'll update... eventually.

Selenium - Firefox webdriver adds HTTPS in request's redirection uri instead of HTTP [duplicate]

I'm using Firefox, and while setting up a server, I have been fiddling around with redirects. Now, Firefox has cached a 301 redirect from http://example.com/ to https://example.com/ and from http://sub.example.com/ to https://sub.example.com/.
I've tried the following things:
History -> Show all history -> Forget about this site.
Checked that no bookmark with https://example.com/ is present.
Changing browser.urlbar.autoFill to false in about:config.
Changing browser.cache.check_doc_frequency from 3 to 1.
Options -> Advanced -> Network -> Chached Web Content -> Clear now.
None of the above works, so I checked the redirect with wheregoes.com and it doesn't show any redirect from http to https.
I've even changed the DNS to point to another IP served by a server, where I've never set up redirection - the redirection is still in effect.
I've also tried in Private Browsing in Firefox, and there is no redirect there. I've tried in Google Chrome, and there is also no redirect here.
I've also tried to make a redirect from https to http which worked in Google Chrome, and yielded a redirection error in Firefox.
My version of Firefox is 38.0.1, and I'm using Windows 8.1. I use the following addons: AddBlock, Avast! and LastPass. Avast! may not be the issue, as I've disabled it while testing.
What I can do about it?
"Sites preferences" are the culprit. Wasted 45min of my life finding how to fix it despite all the kb/support.mozilla tricks which does not solve your issue nor did mine. I don't know what triggers this issue, but several of my websites started to go pear-shaped in a few weeks only affecting me and only firefox.
That's the solution you are all looking for:
Go to Preferences
Privacy
Click 'Clear your history' (nothing will happen yet, click safely)
Once the pop-up appears, click Details.
Untick everything except 'Sites Preferences'
Select 'Everything' in the select box at the top
Click Ok
Try now
PS: What I did try that did not worked for me are:
urlbar.autofill false
Forget Website trick
Safe mode
We all know it is not an HSTS issue when a website you own and you accessed before never got https support but now FF wants you to use https... It is just a firefox bug IMO.
The solution that worked for me:
Go to about:config
Look for network.stricttransportsecurity.preloadlist and set it to false
Enjoy
If the above STILL DOES NOT WORK, try setting browser.fixup.fallback-to-https to false from about:config
Using Firefox 100 or above you may also need:
dom.security.https_first to false
dom.security.https_first_pbm to false (this one is for anonymous windows)
I had the same problem but the answer was that I used a .dev extension to access my local websites !
I cleared all historic data in FF and nothing changed.
Searching for another solution, I found this page https://ma.ttias.be/chrome-force-dev-domains-https-via-preloaded-hsts/
With .dev being an official gTLD, we're most likely better of changing our preferred local development suffix from .dev to something else. If you're looking for a quick "search and replace" alternative for existing setups, consider the .test gTLD, which is a reserved name by IETF for testing (or development) purposes.
I changed my local website extensions from .dev to .test and all work perfectly !
Alternative solution, easy.
Open Firefox and in the address bar type this URL
http://example.com/?fake_parameter_to_bypass_cache
This should force the browser to reload the web page from http://
None of the answers worked for me, the only the one was the one in the comment of Muhammad so thanks in advance to him, I copy the answer here to make it easier:
Go to about:config
Look for browser.fixup.fallback-to-https and set it to false
Check your extensions!
In my case, DuckDuckGo Privacy Essentials extension was causing this redirect. I disabled it, and the problem is solved.
Now (Firefox 84) it is much simpler to clear the site's data. Just click the padlock icon on the left of the address bar. Then choose "Clear cookies and site data".
I had the same situation as what OP did. It helped me to clear the HTTPS redirect.
Here's what worked for me on Firefox v98.0.2:
Settings -> General
Network Settings -> Settings
Uncheck "Enable DNS over HTTPS
I tried the 'correct' answer, plus the comment about including cache in the deletion, and I was still having issues with my problem site.
I opened the firefox profile directory and searched for the website name in all files.
I found it in 'logins-backup.json' and deleted that file to finally fix the problem.
In my case, I decided to use a *.dev domain for local development. But then I tried to open the site in Firefox, and after a while I realized it uses HTTPS, even when I start the url with "http://..." I tried to right-click on the link in the History, and choose Forget About This Site, or clear the cache. But it didn't help.
Later I found out that the dev domain is in HSTS preload list these days. Which means Firefox and Chrome (and probably others) don't let you access the subdomains w/o HTTPS. More on it here and here.
In my case, it was an addon that did it: disabling DuckDuckGo privacy essentials fixed it.
I had this issue when running Firefox with OWASP ZAP proxy.
I didn't knew it was the proxy causing this.
In hindsight it's easy to test this: run Firefox without OWASP ZAP proxy to see if it works.
To get it working with OWASP ZAP, turn off Heads Up Display (HUD) or enable the HUD only for URL's that are in scope.
My problem was caused by the HTTPS by default extension. There is a bug that opens HTTP bookmarks with HTTPS. To work around, open "HTTPS by default" Preferences pane and enter domain name exclusion.
None of these suggestions worked for me in Firefox v101. What worked for me is changing the value of security.tls.version.min from 3 to 1 in about:config.
[NOTE: After I changed this setting, Firefox initially redirected from http to https. But this time Firefox allowed me to "accept the risk and continue," which wasn't possible when security.tls.version.min was set to 3. --end note]
See also: https://support.mozilla.org/en-US/questions/1116550
Lets get back to the old firefox that was amazing, the 3.6.
Nowadays is full of crap for us developers, and sysadmins.
I have tons of sites in intranet that cannot have a valid ssl, this is a major deal. I cannot download "deb" files because its a threat, i cannot this and cannot that... why? I am a power user i know what to do whit, why should I (we) be treated like the rest of the users?
The cache, i cannot disable the cache to 100% why?
In a blip of a second i will be using links as my browser.
Firefox should have a expert mode, where none of this crap happens.
I am mad with firefox and chrome. That is why i still use firefox 3.6 in a lot of cases, to bypass stupid restrictions.
Now, I had this issue on my workstation's development site. I had an old site that I still wanted to reference, and I couldn't get http to work for anything. There was not https binding, either.
Finally, I realized I had a url-rewrite in my webconfig that redirected all http to https...
hahahaha
Disabling https, is not an absolute in Firefox. Some sites will redirect and may not offer http.
However to choose one url over the other if it is an option you can disable autofil:
Address Bar Search In order to change your Firefox Configuration please do the following steps :
In the Location bar, type about:config and press Enter. The about:config "This might void your warranty!" warning page may appear.
Click I'll be careful, I promise! to continue to the about:config page.
In the filter box, type or paste autofill and pause while the list is filtered
Double-click browser.urlbar.autoFill to toggle it from true to false.

Safari doesn't load all resources of the webpage

I have a very weird problem with Safari opening my web app.
The setup: I am running an Vuejs application stored in a S3 Bucket on AWS. The app is exposed by an API Gateway.
The Problem: When opening the app only index.html and the favicon are loaded but not the other assets. Sometimes they occur inside the Network tab in dev tools with the message "Failed to load resource" but sometimes not.
"Solution": When I open the app with http (which doesn't work) and then with https again, the resources can be loaded somehow and the app will work fine even when reloading with cache clearing.
Does anyone know how to overcome this problem? 🤷‍♂️
I have a similar problem (not related to vue.js and amazon, but just to Subject: Safari selectively loads resources):
Mac OS Safari 14 (desktop version, I don't know for a mobile one) doesn't load all referred css, js, and image files.
Safari 13 performed well. Other browsers (Chrome, Firefox) perform well. All files are referred the same way, using relative URLs.
When using Safari 14, some of them are loaded, some are not. Caching is not an issue (I use "empty caches" before loading a page).
It looks like successfully loaded files are randomly chosen (the same file is sometimes loaded, sometimes it isn't).
In the Network tab of Develop menu, for not loaded files Preview says: "An error occurred trying to load the resource",
and in Headers, section "Request", there are only: Accept, Referer, and User-Agent lines, while:
GET, Cookie, Accept-Encoding, Host, Accept-Language, and Connection lines are missing.
Response says: "No response headers".
In the server's access log, there are no lines related to not loaded files.
EDIT:
The cause: TLS 1.0
The solution: TLS 1.2

Testing ssl HTTPS application locally with Coldfusion

I would like to test https related application on my local machine before pushing it to staging and production.
If I try to test on local system, the page just showing (in chrome it gets to the "This webpage has a redirect loop" page).
If any information could be provided that would assist me in setting this up / getting it working and testing, I would be extremely grateful . Thanks
This problem can have two angles whether this could be related to your specific browser or with your ColdFusion application:
First and foremost can you check it on Firefox or IE just to isolate if this is specific to Chrome. (As I have seen this to come on Chrome more than often)
if it works on Other Browsers:
probably Chrome is at fault. Go to settings (Options -> Under the Hood -> Content Settings -> Cookies -> Show cookies and other site data)
Enter your problem URL in search bar and it would list all related cookies.
Select "Remove all"
if it FAILS on other browsers as well:
Can you check with perhaps another test application?
Please check with following article by Ben Nadal --
http://www.bennadel.com/blog/1666-Ask-Ben-Enforcing-An-SSL-HTTPS-Connection-Based-On-Request.htm
If this persists, please add some more information, on how this has been set up.
Cheers,
Anjaneai
If I understand your questions you should be able to use a self signed certificate on your local dev box. Once you set this up you should be able to test your site in SSL mode.
Here is one quick tutorial.
http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx

Find out what resources are not going over HTTPS

I have an ASP.NET site which should transport completely over HTTPS. However, in Google Chrome I get a warning that the page includes resources which are not secure. How can I find out which those resources are and why they wouldn't be going over HTTPS?
I've just had this problem in Chrome also. I checked in the Network tab but all resources were loaded over https.
Solution: close Chrome and re-open.
Chrome must cache its secure-content detection so that even when you fix the problems the insecure content message won't disappear.
Usually this occurs because you are loading Images, javascript include files or external CSS files without using https. You can use a program such as FireBug: http://getfirebug.com/
FireBug will tell you how your elements are loading and which aren't going through the ssl layer. If you don't have firefox, then I am pretty sure Chrome also has something similar to FireBug built in.
Here's how to use firebug:
Open firebug
Click on the Console Tab
Reload the page
Any https errors will show in the console and tell you which resource is not working.
Hope this helps
I have nothing to do with the people providing this online script, but it's easy and can be bookmarked in any browser.. works well and quickly to solve the problem.. http://www.whynopadlock.com
In Google Chrome: You can view the offending resource in the Console tab of the Inspect Element window.
It will be listed as:
The page at https://example.com/page displayed insecure content from http://example.com/resource
Of course you might have to reload the page with the Inspect Element window already open.
One of the easiest ways to do it is to right-click the page in Firefox and select View Page Info. Then go to the Media tab and find anything that is loading from http instead of https.
We've scratched our own itch and wrote a tool that crawls your web-site and tells you what pages have non-SSL resources on them. You just need to enter the root URL of your web site – no need to check every page manually.
http://www.jitbit.com/sslcheck/
I noticed that when I had this problem that a toolbar(uTorrent) was causing the error. I removed the toolbar and the error went away. Not sure why a toolbar would cause an error on my site, but no more problems here with the SSL certificate.
To add to this I right-clicked on the column headings in the Network tab view and selected Protocol.
If you then click on the Protocol heading, the contents of the report will be grouped by HTTPS, etc
In Chrome, you can find out which resources were loaded via http versus https by doing the following:
1) In Wrench menu, choose Tools > Developer tools
2) Click on "Resources" toolbar icon
3) Expand the Frames folder to see the different pages. Expand the page whose resources you want to see. The individual Resources for the page are then listed, broken down by Images, Scripts, and Stylesheets
4) To see the URL that was used to load that resource, just hover the mouse over the resource name and the URL will appear, either with http or https. You can also click on an image name to see the image on the right side, along with its URL
Chrome has their own developer tool.
you can right click a page, inspect it.. and then click the "network" tab and reload the page. you'll see the workflow.
I dont know if any one will be checking this answer
Or you might have found the solution already, but anyway, my answer might help other people suffering from similar issue
http://www.whynopadlock.com/
This is the link that I used to check the insecure content /file which was being loaded to my page.
Hope it helps. :)
I just discovered same behaviour in chrome (firefox showed a green lock), even though all resources were loaded via https.
The reason in my case was that the server supported broken (google poodle) SSLv3.
Setting ssl_protocols to exclude SSLv2 in nginx.conf like so
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
fixed the problem for me.
I consider it unfortunate that chrome doesn't make this reason more transparent. "this page loads some resources insecurely" is very misleading if not wrong.
If you want to crawl your own site from your own desktop for a list of all reasources loaded (not loaded by javascript though, which is worth bearing in mind), if using windows you can use Xenu's link sleuth. Export the TSV file and then right click and open with excel, then sort by URL, you can then find those pesky http resources for all pages on the site!