SSL Behavior Question


I know SSL has been a weird conversation around here lately, but I just have a question. 

 

~When I open the forums while in HTTPS the main page opens up in HTTPS, but as soon as I click a link HTTPS goes away. I noticed that all the links are statically set to HTTP instead of HTTPS, so you lose your secure connection.

~I also noticed that there are multiple insecure items that are in the Neowin domain. I pulled this from my console:

The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/438528168790884353/Msy3TfWv_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:1
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/378800000775397837/d8a85880d11e0b3db61d824728ef42d9_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:1
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/438528168790884353/Msy3TfWv_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:1
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/378800000775397837/d8a85880d11e0b3db61d824728ef42d9_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:1
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/438528168790884353/Msy3TfWv_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:1
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/378800000775397837/d8a85880d11e0b3db61d824728ef42d9_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:1
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=members&module=profile&section=status&do=new&k=3bbf525bd318cedf737ba0dd3e8da0f3&id=155839': this content should also be submitted over HTTPS.
 www.neowin.net/:1347
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=core&module=search&do=search&fromMainBar=1': this content should also be submitted over HTTPS.
 www.neowin.net/:1483
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/438528168790884353/Msy3TfWv_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:3342
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=members&module=profile&section=status&do=reply&status_id=94711&k=3bbf525bd318cedf737ba0dd3e8da0f3&id=155839': this content should also be submitted over HTTPS.
 www.neowin.net/:3376
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but displayed insecure content from 'http://pbs.twimg.com/profile_images/378800000775397837/d8a85880d11e0b3db61d824728ef42d9_normal.jpeg?_r=1414423744': this content should also be loaded over HTTPS.
 www.neowin.net/:3400
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=members&module=profile&section=status&do=reply&status_id=94709&k=3bbf525bd318cedf737ba0dd3e8da0f3&id=155839': this content should also be submitted over HTTPS.
 www.neowin.net/:3434
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=members&module=profile&section=status&do=reply&status_id=94707&k=3bbf525bd318cedf737ba0dd3e8da0f3&id=155839': this content should also be submitted over HTTPS.
 www.neowin.net/:3492
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=members&module=profile&section=status&do=reply&status_id=94703&k=3bbf525bd318cedf737ba0dd3e8da0f3&id=155839': this content should also be submitted over HTTPS.
 www.neowin.net/:3550
The page at 'https://www.neowin.net/forum/' was loaded over HTTPS, but is submitting data to an insecure location at 'https://www.neowin.net/forum/index.php?app=members&module=profile&section=status&do=reply&status_id=94701&k=3bbf525bd318cedf737ba0dd3e8da0f3&id=155839': this content should also be submitted over HTTPS.
 www.neowin.net/:3608

All of the above resources are HTTPS capable, including the pbs.twimg.com. 

 

So my question is whether there is some setting or something that I missed to enable this feature correctly or if this is something to be expected. For now I can use HTTPS Everywhere on Chrome and add Neowin to it.

 

Thanks for all the work and thanks for enabling SSL to begin with! :)

Link to comment
Share on other sites
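
The three things reported in the post above (plain-HTTP images, plain-HTTP form targets, and same-site links hard-coded to HTTP) can be found by scanning the page markup before it ships. This is an added example, not part of the original thread or the forum's own code; the `example.test` hosts and the names `scan` and `MixedContentScanner` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser fetch a subresource.
SUBRESOURCE_TAGS = {"img", "script", "iframe"}

# Constructed sample markup; example.test hosts are placeholders.
SAMPLE_PAGE = """
<a href="http://www.example.test/forum/topic/1">Topic</a>
<a href="/forum/topic/2">Relative link</a>
<a href="http://other.example.test/">External site</a>
<img src="http://img.example.test/avatar_normal.jpeg">
<img src="//img.example.test/avatar2_normal.jpeg">
<form action="http://www.example.test/forum/index.php?app=core"></form>
<form action="https://www.example.test/forum/index.php?app=core"></form>
"""


class MixedContentScanner(HTMLParser):
    """Collects plain-HTTP references in a page that is served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SUBRESOURCE_TAGS:
            self._check("mixed-content", tag, attrs.get("src"))
        elif tag == "form":
            self._check("insecure-form", tag, attrs.get("action"))
        elif tag == "a":
            # Only same-host links: these drop the visitor from HTTPS to HTTP.
            url = urljoin(self.page_url, attrs.get("href") or "")
            if urlsplit(url).hostname == urlsplit(self.page_url).hostname:
                self._check("http-downgrade-link", tag, url)

    def _check(self, kind, tag, value):
        # Relative and protocol-relative URLs inherit the page's https scheme.
        url = urljoin(self.page_url, value or "")
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))


def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings
```

Calling `scan("https://www.example.test/forum/", SAMPLE_PAGE)` returns one finding per kind; the relative link, the protocol-relative image, the external link and the HTTPS form are not reported.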

Not an expert, but for outside links, you can't assume that they will support SSL, so leaving those as HTTP is probably best.  Just because that one does, doesn't mean others will.

 

As for the others, hopefully someone can explain that.

Link to comment
Share on other sites

It is a Mixed Content Warning at the browser level. When an HTTPS webpage contains non-HTTPS stuff, the browser triggers a mixed content warning.

This particular domain is Twitter's image hosting for profile images. As you know, the forum shows Twitter statuses on the sidebar (the other warnings are due to the statuses); these contain Twitter images from a non-secure page, so this error happens.

The Firefox Developer Tools Console does reveal this issue and also mentions a workaround for it.

Adding this meta tag will fix this warning, although, as someone mentioned above, rewriting the plugin to use HTTPS would be the permanent and better fix.

<meta name="twitter:widgets:csp" content="on">

Taken from here: https://dev.twitter.com/web/overview/widgets-webpage-properties

Link to comment
Share on other sites

Will that produce an error when loading the forums without SSL?

Link to comment
Share on other sites

Nope. It will not.

 

Actually, Twitter is also using "Content Security Policy", which this meta tag will disable for the particular site.

Link to comment
Share on other sites

This topic is now closed to further replies.