SSL warning icon - how to get rid of it

I installed my SSL certificate yesterday. However I get the SSL warning (triangle) icon. The excuse for that is that "the page includes other resources which are not secure".
I am not sure what that means but my assumption is that it has something to do with some text inputs which are not secure.
Any information or resources to make me understand more and figure out how to secure everything will be helpful. I don't like the warning there (especially on the signup page) and need to figure out what's the issue. Thanks.

You need to make sure not to embed any resources via http:// - use only https://.
If you embed external resources which are available via both HTTP and HTTPS, you can use protocol-relative URLs such as //domain.tld/whatever - they'll be loaded over the protocol that's currently used.

Related

How to ensure my website loads all resources via https?

URL in question: https://newyorkliquorgiftshop.com/admin/
When you open the above page, you can see in the console that there are lots of error messages saying "...was loaded over HTTPS, but requested an insecure stylesheet.."
This website was working well until all of a sudden this problem showed up. I am not very familiar with HTTPS, but I have contacted GoDaddy and the SSL certificate is valid, and there is no obvious problem with "https://newyorkliquorgiftshop.com". I am stuck here. I have some experience with HTTPS websites from before: if the URL of a website's homepage is "https", then every resource it loads is via "https" too. I don't know why my website behaves differently and I don't know where to start to solve the problem. Any hint is appreciated, especially articles about HTTPS that are related to my problem. (I have done brief research regarding HTTPS, but most of the articles I found are about the basic concepts.)
If you have access to the code (not sure what you built the website using), try using https instead of http for the URLs you use to load your style sheets and script files.
For example one of the errors is
Mixed Content: The page at 'https://newyorkliquorgiftshop.com/admin/' was loaded over HTTPS, but requested an insecure script 'http://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js'. This request has been blocked; the content must be served over HTTPS.
You are requesting the .js file using HTTP, try using HTTPS like so:
https://www.newyorkliquorgiftshop.com/admin/view/javascript/common.js

Safari 9 disallowed running of insecure content?

After upgrading to Safari 9 I'm getting this error in the browser:
[Warning] [blocked] The page at https://localhost:8443/login was not allowed to run insecure content from http://localhost:8080/assets/static/script.js.
Does anyone know how to enable the running of insecure content on the new Safari?
According to the Apple support forums Safari does not allow you to disable the block on mixed content.
Though this is frustrating for usability in legitimate cases like yours, it seems to be part of their effort to force secure content serving / content serving best practices.
As a solution, you can either upgrade the HTTP connection to HTTPS (which it seems you have done) or proxy your content through an HTTPS connection with an HTTPS-enabled service (or, in your case, port).
You can fix the HTTPS problem by using HTTPS locally with a self signed SSL certificate. Heroku has a great how-to article about generating one.
After setting up SSL on all of your development servers, you will still get an error loading the resource in Safari since an untrusted certificate is being used (self-signed SSL certificates are not trusted by browsers by default because they cannot be verified with a trusted authority). To fix this, you can load the problematic URL in a new tab in Safari and the browser will prompt you to allow access. If you click "Show Certificate" in the prompt, there will be a checkbox in the certificate details view to "Always allow content from localhost". Checking this before allowing access will store the setting in Safari for the future. After allowing access, just reload the page originally exhibiting a problem and you should be good to go.
This is a valid use case as a developer but please make sure you fully understand the security implications and risks you are adding to your system by making this change!
If like me you have
frontend on port1
backend on port2
want to load script http://localhost:port1/app.js from http://localhost:port2/backendPage
I have found an easy workaround: simply redirect with http response all http://localhost:port2/localFrontend/*path to http://localhost:port1/*path from your backend server configuration.
Then you could load your script directly from http://localhost:port2/localFrontend/app.js instead of direct frontend url. (or you could configure a base url for all your resources)
This way, Safari will be able to load content from another domain/port without needing any https setup.
For me, disabling website tracking, i.e. unchecking "Prevent cross-site tracking", worked.

Social buttons get blocked after installing SSL

I just installed an SSL certificate on my domain, and then I noticed that the social buttons (Facebook, Google+, Twitter etc.) are no longer there.
When I uninstalled the SSL, those buttons were there.
Does anybody know how to fix this issue?
Most likely your code for the buttons refers to a non-SSL (http:// instead of https://) URL and most browsers nowadays reject content that is not "secure".
To elaborate on cfrick's answer, which sounds spot on:
It isn't that they reject the content that isn't secure, it is that they reject mixed content. So you can't show secure and non-secure stuff on the same page.
The solution is that for any fully qualified URLs with a protocol prefix (http or https), simply leave that off and modern browsers will use the same protocol as the page was loaded with. So instead of including content with http://example.com/stuff.js you can use //example.com/stuff.js.
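
The rule the answers above keep returning to (no http:// subresources on an HTTPS page, while relative and protocol-relative URLs follow the page's own scheme) can be checked over a page's HTML source. The Python scanner below is an added example, not code from any of the posts; the sample page and the example.com / cdn.example.net hosts are constructed placeholders, and the tag list is a small subset of what browsers actually fetch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource. <a href> is navigation,
# not a subresource, so it is deliberately not listed.
FETCH_ATTRS = {"script": ["src"], "img": ["src"], "iframe": ["src"],
               "audio": ["src"], "video": ["src", "poster"], "source": ["src"],
               "embed": ["src"], "object": ["data"]}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that fetch

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would request over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = FETCH_ATTRS.get(tag, [])
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rels & LINK_RELS:
            names = ["href"]
        for name in names:
            raw = (attrs.get(name) or "").strip()
            if not raw:
                continue
            # Resolve relative and protocol-relative (//host/x) URLs against
            # the page URL, as the browser does, then look at the scheme.
            resolved = urljoin(self.page_url, raw)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, resolved))

def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; example.com and cdn.example.net are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/admin/view/style.css">
<script src="//cdn.example.net/widgets.js"></script>
<script src="http://www.example.com/admin/view/javascript/common.js"></script>
</head><body><img src="/image/logo.png"><a href="http://example.org/">x</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content("https://example.com/admin/", SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Only the two absolute http:// embeds are reported; the protocol-relative script, the relative image and the plain hyperlink are not.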

What makes an SSL page unsecured?

I have a site which is in SSL but I am not able to secure the page fully. https://econengine.com/_other_sites/fb/mtbusiness/directory.php
I have changed all resource links to https:// (Facebook, Twitter JS).
All images load from the same domain using relative URLs.
I can't find out what makes it unsecure. I know I am missing something. I spent hours trying to find out but I can't. Can you see what the problem is? I don't have too much experience with SSL but I do know that if anything loads from a non-secure URL it will break. But I can't seem to find what it is.
It looks like you missed something that's coming from Facebook - a FB canvas?
I don't think you can just 'change all the HTTPs to HTTPS' either - do they have to actually be secure too!?
There is nothing obvious to me, however, as this is a duplicate question ;-) see the answers here How do I figure out which parts of a web page are encrypted and which aren't?

Images on SSL enabled site with Internet explorer

I have a problem with my site after implementation of SSL that images do not appear. The scenario is that images come from images.domain.com (hosted on Amazon S3) and my certificate is for www.domain.com.
This problem only seems to happen in IE and not in any other browsers.
The issue is related to "mixed content" - HTTPS pages which have HTTP resources (images, scripts, etc) embedded.
The point of using HTTPS is to ensure that only the originating server and the client have access to the secured page. However, in theory it might be possible for this security to be compromised if HTTP resources are embedded - a server might intercept an unsecured javascript file and inject some code to alter the secured page onload.
Most browsers will indicate that a secure page has mixed content by altering the "secure lock" icon, either by showing the lock as open or broken, or by making the icon red (Chrome displayed a skull and crossbones for a short time, but they realised that this was a bit serious for the potential threat level).
Internet Explorer (depending on the version) will display a message either asking whether the insecure content should be shown (IE<=7), or whether only the secure content should be shown (IE>=8). It sounds like you have somehow disabled this message to always hide the insecure content, however that's not the default behaviour.
I think the best solution for you is to replace your S3 links with HTTPS versions.
I am not a web developer, but someone who often deals with the crap experience that is IE. I am not sure what version you are using, but you do not have a wildcard SSL cert (i.e. *.domain.com), so does it have something to do with an old-school limitation in 3rd party images?
See here for what I allude to above and a very good explanation of how IE caches cross-domain HTTPS content, specifically images. I am not sure what the solution is, but I was curious so I researched a little myself and this might help.