Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#2235 closed bug (fixed)

HTTPS mixed content warnings after login

Reported by: crumbking
Owned by:
Priority: major
Milestone: 2.6
Component: ServerSetup
Keywords: https
Cc:

Description

I get some warnings in Chrome after login on the /main page.

see also: http://stackoverflow.com/questions/4728507/finding-all-insecure-content-on-a-secure-page

The page at 'https://www.bewelcome.org/' was loaded over HTTPS, but displayed insecure content from 'http://www.bewelcome.org/styles/css/minimal/images/iconsfam/comment_add.png': this content should also be loaded over HTTPS.

www.bewelcome.org/:863

The page at 'https://www.bewelcome.org/' was loaded over HTTPS, but displayed insecure content from 'http://www.bewelcome.org/styles/css/minimal/images/iconsfam/bullet_go.png': this content should also be loaded over HTTPS.

www.bewelcome.org/:867

The page at 'https://www.bewelcome.org/' was loaded over HTTPS, but displayed insecure content from 'http://www.bewelcome.org/styles/css/minimal/images/iconsfam/comment_add.png': this content should also be loaded over HTTPS.

www.bewelcome.org/:870

The page at 'https://www.bewelcome.org/' was loaded over HTTPS, but displayed insecure content from 'http://www.bewelcome.org/styles/css/minimal/images/iconsfam/bullet_go.png': this content should also be loaded over HTTPS.

www.bewelcome.org/:874

The page at 'https://www.bewelcome.org/' was loaded over HTTPS, but displayed insecure content from 'http://www.bewelcome.org/images/icons/icon_searchtop.gif': this content should also be loaded over HTTPS.

www.bewelcome.org/:1

The page at 'https://www.bewelcome.org/' was loaded over HTTPS, but displayed insecure content from 'http://www.bewelcome.org/images/misc/donationbar_bg_small.png': this content should also be loaded over HTTPS.

www.bewelcome.org/:1

Failed to load resource: net::ERR_BLOCKED_BY_CLIENT https://www.bewelcome.org/piwik/piwik.js

Change History (19)

comment:1 Changed 4 years ago by arved

Me too with Firefox, so it does not seem to be browser specific.

Blocked loading mixed active content "http://www.bewelcome.org/styles/css/minimal/minimal.css?1"
Blocked loading mixed active content "http://www.bewelcome.org/styles/css/minimal/screen/basemod_minimal_col3.css"
Blocked loading mixed active content "http://www.bewelcome.org/script/main.js?8"
Blocked loading mixed active content "http://www.bewelcome.org/script/common.js?1"
Blocked loading mixed active content "http://www.bewelcome.org/styles/css/minimal/minimal.css?1"
Blocked loading mixed active content "http://www.bewelcome.org/styles/css/minimal/screen/basemod_minimal_col3.css"
Blocked loading mixed active content "http://www.bewelcome.org/script/main.js?8"
Blocked loading mixed active content "http://www.bewelcome.org/script/common.js?1"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/images/logo_index_top.png"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/images/icons/icon_searchtop.gif"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/styles/css/minimal/images/icon_grey_mail.png"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/styles/css/minimal/images/icon_grey_logout.png"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/members/avatar/arved?30_30"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/images/icons/box-close.png"
Loading mixed (insecure) display content on a secure page "http://www.bewelcome.org/members/avatar/claudiaab?30_30"
TypeError: Element.addMethods is not a funct

comment:2 Changed 4 years ago by leoalone

The solution is easy:
EXCEPT when you redirect http to https on login, all the pages have to be referenced without the protocol and host part, that is for example not

"http://www.bewelcome.org/members/avatar/claudiaab?30_30"

but rather

"/members/avatar/claudiaab?30_30"

This would make the error disappear.

I have to point to another problem, related to this one: It is possible that occasionally a browser could not be happy with the certificate (for example I know a public point of access that does not recognize some certificates, and there is no way to log on to those servers); for someone traveling it could be an annoying situation:
I propose to add also an "insecure.bewelcome.org" without TLS for these cases (never linked, only referenced in the welcome message on subscription); not referencing hostname and protocol would make it transparent, since the httpdoc tree would be the same for https://www and for http://insecure
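
A way to check a page for exactly the references comment:1 and comment:2 talk about, as an added example that is not part of this ticket: it lists every subresource loaded with an explicit http: scheme, separates the ones browsers block ("mixed active content") from the ones they only warn about ("mixed display content"), and rewrites same-host references to root-relative paths as proposed above, leaving third-party ones for a separate fix. The sample HTML is constructed from URLs quoted in this ticket; it uses only the Python standard library.

```python
# Added example, not code from the ticket. Standard library only; the sample
# HTML at the bottom is constructed from references quoted in this ticket.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subresource tag -> URL attribute (<a href> is navigation, not a subresource).
# ACTIVE tags run code or style the page: browsers block those outright
# ("mixed active content" in comment:1) and only warn about display content.
SUBRESOURCES = {"script": "src", "link": "href", "iframe": "src", "object": "data",
                "embed": "src", "img": "src", "source": "src", "video": "src"}
ACTIVE = {"script", "link", "iframe", "object", "embed"}
class MixedContentParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCES.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # Only an explicit http: scheme is insecure; https:, protocol-relative,
        # root-relative and data: references never trigger the warning.
        if url and urlsplit(url).scheme.lower() == "http":
            self.findings.append(("active" if tag in ACTIVE else "display", tag, url))

def find_mixed_content(html):
    parser = MixedContentParser()
    parser.feed(html)
    return parser.findings

def relativize_same_host(html, page_url):
    """Rewrite 'http://<page host>/p?q' to '/p?q' (comment:2). Returns the new
    HTML plus the third-party http URLs that still need a https alternative.
    Assumes attribute values contain no HTML entities, as in the sample."""
    host = urlsplit(page_url).netloc.lower()
    leftover = []
    for _kind, _tag, url in find_mixed_content(html):
        parts = urlsplit(url)
        if parts.netloc.lower() == host:
            html = html.replace(url, (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        elif url not in leftover:
            leftover.append(url)
    return html, leftover
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.bewelcome.org/styles/css/minimal/minimal.css?1" type="text/css" />
<script type="text/javascript" src="script/main.js?8"></script>
</head><body>
<img src="http://www.bewelcome.org/members/avatar/claudiaab?30_30" />
<img src="http://otile2.mqcdn.com/tiles/1.0.0/map//1/1/0.jpg" />
<a href="http://www.bewelcome.org/about">about</a>
</body></html>"""
```

Running `relativize_same_host(SAMPLE_HTML, "https://www.bewelcome.org/")` rewrites the stylesheet and avatar references and reports only the map tile URL as still insecure.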

comment:3 Changed 4 years ago by Tsjoek

Except for the external services I don't have any problems with non-SSL references. The stylesheets and scripts are already using relative URLs:

    <link rel="stylesheet" href="styles/css/minimal/minimal.css?1" type="text/css" />
    <link rel="stylesheet" href="styles/css/minimal/screen/basemod_minimal_col3.css" type="text/css" />
    <!--[if lte IE 8]>
        <link rel="stylesheet" href="styles/css/minimal/patches/patch_3col.css" type="text/css" />
    <![endif]-->

    <script type="text/javascript" src="script/main.js?8"></script>
    <script type="text/javascript" src="script/common.js?1"></script>

Did you check if it's a caching issue?

comment:4 Changed 4 years ago by crumbking

I tried it on work/home with chrome and FF. In both browsers I clear history/cache after shutdown. Strange part is that I get this only after the first time login. After a logout and re-login everything is fine.

Before shevek introduced https everywhere we forced the login over https and switched back to http. Maybe that's the issue?


comment:5 Changed 4 years ago by Tsjoek

After some more testing:
When having an empty cache, it is still possible to load http://www.bewelcome.org; that's also the default if you don't specify the protocol. While logging in there is a move to https, but the linked media are not reloaded and are therefore still accessed through http.
If you start from an empty cache by calling https://www.bewelcome.org, there is no problem.

Is that also what you see?

So a possible solution would be to redirect all requests that come in through http to https before anything is loaded.

comment:6 follow-up: Changed 4 years ago by crumbking

Yep, I guess that's the issue. So we should do a redirect on the server side?

comment:7 in reply to: ↑ 6 Changed 4 years ago by shevek

@all: Please check if you get this again (I deactivated the HSTS policy for www.bewelcome.org).

comment:8 Changed 4 years ago by crumbking

No warnings anymore but if I start with www.bewelcome.org I surf without https all the time.


comment:9 Changed 4 years ago by shevek

HSTS forced the browser to use https all the time as the login was done using https. That wasn't intended and caused some problems with the old admin interface, so I turned it off.

If you want to surf using https, you have to switch yourself.
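
The server-side redirect suggested in comment:5 and comment:6, with the HSTS behaviour explained in comment:7 and comment:9 made an explicit option, as an added example that is not code from BeWelcome: a WSGI middleware that answers every plain-http request with a redirect before any content is served, and that only adds Strict-Transport-Security when asked to, since that header is what pinned browsers to https for the whole host. It assumes a TLS-terminating proxy that sets X-Forwarded-Proto; the hostname and hello_app are placeholders.

```python
# Added example, not the ticket's code: a WSGI middleware doing the server-side
# redirect proposed in comment:5/6, with HSTS (comment:7/9) as an explicit option.
# Assumes a TLS-terminating proxy sets X-Forwarded-Proto; hostnames are placeholders.
from urllib.parse import quote

def make_https_enforcer(app, hsts_max_age=None):
    """Redirect every plain-http request to https before any content is served.
    With hsts_max_age set, https responses carry Strict-Transport-Security, which
    pins the browser to https for the whole host for that long: the effect seen in
    comment:8/9, where users could no longer switch back to http."""
    def enforcer(environ, start_response):
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
        if scheme.lower() != "https":
            host = environ.get("HTTP_HOST", "localhost")
            query = environ.get("QUERY_STRING", "")
            location = "https://" + host + quote(environ.get("PATH_INFO", "/"))
            if query:
                location += "?" + query
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful (and only honoured by browsers) on an https response.
            if hsts_max_age is not None:
                headers = list(headers) + [("Strict-Transport-Security", "max-age=%d" % hsts_max_age)]
            return start_response(status, headers, exc_info)
        return app(environ, with_hsts)
    return enforcer

def hello_app(environ, start_response):
    # Placeholder application standing in for the site.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def call(app, scheme, path="/", query="", host="www.example.org"):
    """Tiny in-process WSGI driver (no network): returns (status, headers, body)."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": host, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Without hsts_max_age the site behaves like beta in comment:15 (http is redirected per request, nothing is pinned); with it, every later visit goes straight to https until max-age expires.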

comment:10 Changed 4 years ago by shevek

  • Status changed from new to assigned

comment:11 Changed 4 years ago by shevek

  • Status changed from assigned to to_alpha

comment:12 Changed 4 years ago by shevek

  • Status changed from to_alpha to alpha

comment:13 Changed 4 years ago by shevek

  • Milestone changed from unassigned to 2.6

comment:14 Changed 4 years ago by shevek

  • Status changed from alpha to testing

comment:15 Changed 4 years ago by Tsjoek

On beta I can surf with both http and https without seeing mixed content warnings; also switching between the two works OK. When using http it switches to https on login and switches back after it. So beta looks fine to me.

On alpha however I can only use https. Every request with http is still directed towards https. Is that intentional?

comment:16 Changed 4 years ago by shevek

@tsjoek: alpha only serves in https. I wanted to test what happens if that is configured.

comment:17 Changed 4 years ago by crumbking

Seems to work for me too, without warnings.

I would support the idea to forward to https by default. But maybe we get problems with our maps:

Like https://beta.bewelcome.org/searchmembers

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/1/0.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/1/1.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/0/0.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/0/1.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/1/0.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/1/1.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/0/0.jpg': this content should also be loaded over HTTPS.

searchmembers:1

The page at 'https://beta.bewelcome.org/searchmembers' was loaded over HTTPS, but displayed insecure content from 'http://otile2.mqcdn.com/tiles/1.0.0/map//1/0/1.jpg': this content should also be loaded over HTTPS.

comment:18 Changed 4 years ago by crumbking

  • Resolution set to fixed
  • Status changed from testing to closed

Anyway, I would suggest closing this ticket and opening a new one to replace all external (insecure) content with https resources. Shevek's forum g search replacement is a big step forward in this direction.

comment:19 Changed 4 years ago by shevek

The configuration files for alpha, beta and www were updated so that the tiles are always served through a https connection. So closing this ticket is fine and there is no need to write a new one (except if we find a page which still shows mixed content warnings, of course).
