Mixed content issue in Chrome on WebSphere Portal content - websphere-portal

We are working with WebSphere Portal and are currently dealing with a Chrome mixed content issue:
Mixed Content: The site at 'https://tgcs551.commerce.toshiba.com/' was loaded over a secure connection, but the file at 'http://tgcs04.toshibacommerce.com/cs/groups/internet/documents/document/bl82/mtqw/~edisp/tcxtu_win_614014x.zip?_ga=2.95374741.800005762.1609132621-1301842396.1608820702' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.
We also tried the meta tag below in our static theme,
but had no success.
Then we tried to write a Content-Security-Policy header in the httpd.conf file of the HTTP server in front of our WebSphere Portal:
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header set Content-Security-Policy "default-src https://tgcs04.toshibacommerce.com; child-src 'none'; object-src 'none'"
Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' http://tgcs04.toshibacommerce.com; style-src 'self'"
But we had no success, and finally, by checking the logs, we realised that the request for http://tgcs04.toshibacommerce.com is not going through the HTTP server at all.
We already have an SSL-certified website as well.
We can't move to https.
So can anyone help us with a solution?

Mixed Content: The site at 'https://tgcs551.commerce.toshiba.com/' was loaded over a secure connection, but...
Just curious how you load https://tgcs551.commerce.toshiba.com via https: with an invalid cert:
If you are unable to change http://tgcs04.toshibacommerce.com/cs/... to https: in the HTML code, the Header always set Content-Security-Policy "upgrade-insecure-requests;" should help. But I do not see any Content-Security-Policy in the response header:
Of course, the CSP header should be published on the download page (I do not know its URL), but none of https://tgcs04.toshibacommerce.com/cs/, http://tgcs04.toshibacommerce.com/cs/groups/internet/, etc. have a CSP header.
Also a weird thing: http://tgcs04.toshibacommerce.com/ redirects to httpS://tgcs04.toshibacommerce.com/, and http://tgcs04.toshibacommerce.com/cs/groups/ redirects to https: too. But http://tgcs04.toshibacommerce.com/cs/groups/internet/... does not have the redirect.
Also, all the URLs above redirect to a login page, but direct download of http://tgcs04.toshibacommerce.com/cs/groups/internet/documents/document/bl82/mtqw/~edisp/tcxtu_win_614014x.zip is possible without auth. Was it intended so?
Fix the SSL certs (maybe it's better to generate a wildcard cert *.toshibacommerce.com) and make sure the CSP header is published.

Related

HttpRequest blocked mixed content

BASE_URL = "http://********:8091/api/v1";
I have uploaded my React.js application on netlify.com. In React I implemented the API calls.... When I hit the APIs after deploying, I get this error in the console:
Mixed Content: The page at 'https://xyz.netlify.app/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://***:8091/api/v1/categories/'. This request has been blocked; the content must be served over HTTPS.
What is the solution to this?
Unfortunately, there's no way to disable mixed content.
Just add the meta tag below to your HTML file:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

NextJS CSP header destroying PDFtron iframe content

I recently added CSP header to my project.
At the same time, I am also using PDFTron webviewer in my project.
As you know, the PDFTron WebViewer is rendered in an iframe, and after adding CSP headers I'm getting the error below, related to frame-ancestors.
Question 1: how can I add a frame-ancestors header to the PDFTron WebViewer to bypass this error?
Question 2: the second error, related to cross domain, is not fixable by adding my domains to configorigin.txt; is it related to the CSP header setting?
To Question 1: Just change frame-ancestors 'none' to frame-ancestors 'self' (or to frame-ancestors localhost:* if in your particular browser the 'self' token does not cover a localhost:port_number) to allow embedding the PDF WebViewer.
To Question 2: I think the second error is CSP-related (a side effect of CSP blocking), because localhost should not be a cross-origin resource since the main page is loaded with the same host name and port number, http://localhost:3000.

Content Security Policy does not respect meta tag

I get the following error in Chrome's web console on my deployed React app:
Refused to frame 'https://www.youtube.com/' because it violates the following Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback.
However, I have specified frame-src in my index.html, as in the following snippet:
<meta http-equiv="Content-Security-Policy" content="frame-src https://www.youtube.com/">
The source for the error is a YouTube embed, and with the meta tag in place the embed works fine on localhost. What could cause this error only to appear on a deployed React app?
Fixed it by adding the Content-Security-Policy header on the server. So it wasn't an issue with the front-end code after all.
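The three CSP threads above (the httpd.conf attempt in the WebSphere question, the frame-ancestors fix for PDFTron, and the YouTube embed that only broke on the deployed server) come down to the same few rules: every policy a document receives, whether a Content-Security-Policy header or a <meta http-equiv> tag, is enforced separately, so a second policy can only narrow the first; fetch directives fall back to default-src but frame-ancestors does not; and upgrade-insecure-requests rewrites http:// to https:// before any source matching. The Python model below is an added example, not code from any of the posts, and runs those rules over the exact policies quoted in the threads. It is deliberately partial (no nonces, hashes or 'strict-dynamic'). The Apache scenario in the test rests on an assumption about mod_headers: Header always set and Header set write to separate header tables, so the browser would receive the upgrade-insecure-requests policy and the last Header set policy as two headers (check what is actually sent with curl -sI).

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly
# (CSP3 has more; these are the ones the threads above touch).
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "connect-src", "font-src",
                    "media-src", "object-src", "frame-src", "child-src"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_policy(header_value):
    """One CSP header value (or <meta> content) -> {directive: [source expressions]}."""
    policy = {}
    for token in header_value.split(";"):
        parts = token.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])  # a repeated directive is ignored, per spec
    return policy


def _effective_port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_matches(expr, url, page_origin):
    """Does one source expression allow `url` for a document at `page_origin`?

    Models 'none', 'self', scheme-source ("https:") and host-source
    ("[scheme://]host[:port|:*][/path]", with a leading *. wildcard).
    Nonces, hashes and 'strict-dynamic' are deliberately left out.
    """
    u, p, e = urlsplit(url), urlsplit(page_origin), expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return (u.scheme, u.hostname, _effective_port(u)) == (p.scheme, p.hostname, _effective_port(p))
    if e.endswith(":") and "/" not in e:                       # scheme-source
        return u.scheme == e[:-1] or (e == "http:" and u.scheme == "https")
    if "://" in e:                                              # host-source with explicit scheme
        h = urlsplit(e)
        scheme_ok = u.scheme == h.scheme or (h.scheme == "http" and u.scheme == "https")
    else:                                                       # host-source inherits the page's scheme
        h = urlsplit("//" + e)
        scheme_ok = u.scheme == p.scheme or (p.scheme == "http" and u.scheme == "https")
    if h.hostname is None or u.hostname is None:
        return False
    host_ok = (h.hostname == "*" or u.hostname == h.hostname
               or (h.hostname.startswith("*.") and u.hostname.endswith(h.hostname[1:])))
    if h.netloc.endswith(":*"):                                 # "localhost:*" from the PDFTron answer
        port_ok = True
    elif h.port is not None:
        port_ok = _effective_port(u) == h.port
    else:
        port_ok = _effective_port(u) == DEFAULT_PORTS.get(u.scheme)
    path_ok = not h.path or (u.path.startswith(h.path) if h.path.endswith("/") else u.path == h.path)
    return scheme_ok and host_ok and port_ok and path_ok


def governing_sources(policy, directive):
    """Fetch directives inherit default-src when absent; frame-ancestors never does."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive in FETCH_DIRECTIVES else None


def apply_upgrade(policies, url):
    """upgrade-insecure-requests rewrites http:// to https:// before any source matching."""
    if url.startswith("http://") and any("upgrade-insecure-requests" in pol for pol in policies):
        return "https://" + url[len("http://"):]
    return url


def is_mixed_content(url, page_origin):
    """What the mixed-content blocker checks, independently of CSP."""
    return urlsplit(page_origin).scheme == "https" and urlsplit(url).scheme == "http"


def request_allowed(csp_headers, directive, url, page_origin):
    """Evaluate a sub-resource request against every policy the document received.

    `csp_headers` lists each Content-Security-Policy header *and* each
    <meta http-equiv> policy: a request is allowed only if no policy blocks it,
    so policies never widen each other. Returns (allowed, url_actually_requested).
    A True result says nothing about mixed content; see is_mixed_content().
    """
    policies = [parse_policy(h) for h in csp_headers]
    url = apply_upgrade(policies, url)
    for policy in policies:
        sources = governing_sources(policy, directive)
        if sources is not None and not any(source_matches(s, url, page_origin) for s in sources):
            return False, url
    return True, url


def frame_allowed(csp_headers, framed_origin, embedder_origin):
    """frame-ancestors is set by the *framed* document and checked against the embedder's origin."""
    for header in csp_headers:
        sources = parse_policy(header).get("frame-ancestors")
        if sources is not None and not any(source_matches(s, embedder_origin + "/", framed_origin)
                                           for s in sources):
            return False
    return True


if __name__ == "__main__":
    # YouTube thread: the server header and the <meta> policy are both enforced.
    print(request_allowed(["default-src 'self'", "frame-src https://www.youtube.com/"],
                          "frame-src", "https://www.youtube.com/embed/abc", "https://app.example.com"))
    # PDFTron thread: 'none' vs 'self' on the framed document.
    print(frame_allowed(["frame-ancestors 'self'"], "http://localhost:3000", "http://localhost:3000"))
```

The YouTube case is the instructive one: with the server still sending default-src 'self', the <meta> tag that allows https://www.youtube.com/ cannot help, because the server policy is evaluated on its own and blocks the frame; the only fix is to change (or remove) the policy the server sends, which is what the accepted answer did.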

request has been blocked; the content must be served over HTTPS

I'm building an application with Spring Security and Spring MVC in the back end and Angular in the front end.
My problem is that login works correctly, but logout, which I implemented correctly and which worked without problem on my localhost (http://localhost:8080), gives this error when I change it to https://:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
I want to know how to correct that, and how to find out which URL is blocked by HTTPS in the browser, for example Chrome?
This post gives a solution to your problem: http://www.learningthegoodstuff.com/2015/08/mixed-http-error-with-spring-security.html
All the details are explained there; basically all you have to do is add these two lines to your application.properties file:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
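Why those two properties fix a mixed-content error on logout, as an added example (not code from the answer, and not Spring or Tomcat code): behind a TLS-terminating proxy the app's own socket only ever sees plain http, so when the framework builds an absolute redirect after logout (Spring Security's default is /login?logout) it emits an http:// Location, the browser follows it from the https page, and the XHR is blocked as mixed content. The fix is to take the scheme from X-Forwarded-Proto, but only when the request really came from the proxy, because a client that can reach the app directly can set that header itself. The trusted ranges, host names and request dicts below are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Assumption for this example: the TLS terminator (load balancer, nginx, httpd)
# reaches the app from one of these ranges. Anything else is an ordinary client.
TRUSTED_PROXIES = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]


def request_scheme(request, honour_forwarded_proto=True):
    """Scheme the app should use when it builds absolute URLs (redirects, links).

    `request` is a plain dict standing in for the servlet request:
      scheme  - what the app's own socket saw (plain 'http' when the proxy terminates TLS)
      peer_ip - the TCP peer that connected to the app
      headers - lower-cased header map
    """
    scheme = request["scheme"]
    if not honour_forwarded_proto:
        return scheme
    if not any(ip_address(request["peer_ip"]) in net for net in TRUSTED_PROXIES):
        return scheme  # X-Forwarded-* from an arbitrary client is attacker-controlled: ignore it
    forwarded = request["headers"].get("x-forwarded-proto", "")
    client_facing = forwarded.split(",")[0].strip().lower()  # proxies append; the left-most hop faces the client
    return client_facing if client_facing in ("http", "https") else scheme


def logout_redirect(request, honour_forwarded_proto=True):
    """The absolute Location header a framework emits after logout."""
    host = request["headers"]["host"]
    return f"{request_scheme(request, honour_forwarded_proto)}://{host}/login?logout"


def is_mixed_content(page_url, target_url):
    """True when a page loaded over https would fetch or follow a redirect to an http URL."""
    return page_url.startswith("https://") and target_url.startswith("http://")


# Constructed requests: the logout call as the app sees it behind the TLS proxy,
# and the same headers forged by a client that connects to the app directly.
BEHIND_PROXY = {"scheme": "http", "peer_ip": "10.0.0.5",
                "headers": {"host": "app.example.com", "x-forwarded-proto": "https"}}
FORGED = {"scheme": "http", "peer_ip": "203.0.113.9",
          "headers": {"host": "app.example.com", "x-forwarded-proto": "https"}}

if __name__ == "__main__":
    page = "https://app.example.com/home"
    for honour in (False, True):
        target = logout_redirect(BEHIND_PROXY, honour)
        print(f"honour X-Forwarded-Proto={honour}: {target} mixed={is_mixed_content(page, target)}")
    print("forged header from a direct client ->", logout_redirect(FORGED))
```

Tomcat's RemoteIpValve, which the two properties switch on, makes the same decision using its internal-proxies pattern; keep that pattern as narrow as the deployment allows, and make sure the app is not reachable except through the proxy.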
I fixed it by removing a forward slash from the end of a URL, which fixed everything. This helped me: GET request throws error after app implemented SSL: Mixed Content: This request has been blocked; the content must be served over HTTPS
This happens when the server is using http (non-secured). You can fix it by enforcing https for all resources in the backend. Check here for more details.
In @Jabir Minjibir's answer there is a very good link describing the error. To sum up, when your application works with the httpS scheme you can't make requests to insecure links, i.e. http.
I got this error and fixed it as I describe below:
Mixed Content: The page at 'https://stackblitz.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://172.19.0.62:920/'. This request has been blocked; the content must be served over HTTPS.
You can mask insecure links with the simple-https-proxy npm package. In my experience, I was coding an Angular sample on httpS://stackblitz.com and trying to connect to an Elasticsearch server which doesn't have a domain name. I needed to make it work with SSL but I couldn't modify its scheme. So I installed a proxy which can work securely (httpS).
I installed the npm package:
npm i -g simple-https-proxy#latest
Then I created certificate:
simple-https-proxy --makeCerts=true
Then I ran it
simple-https-proxy --target=http://172.19.0.62:9200 --port=9201 --rewriteBodyUrls=false
In another example:

Firebase hosting - Can not load Bootstrap

I'm using Bootstrap and AngularFire for my web project. Everything is OK, but when I host it on Firebase.com, the layout changes.
Errors:
Mixed Content: The page at 'https://......firebaseapp.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://......firebaseapp.com/' was loaded over HTTPS, but requested an insecure script 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js'. This request has been blocked; the content must be served over HTTPS.
What happens with Bootstrap? Thanks in advance!
Firebase uses HTTPS to serve content. As you can see from the error, you are referring to content to be loaded over HTTP. Though this should not be happening, it could be one of the recent features of Chrome where they block non-secure requests over a secure channel.
In order to solve it, you should change the URLs in your code to point at the HTTPS versions of the Bootstrap CDN:
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js
Further Read: https://support.google.com/chrome/answer/1342714?hl=en
I was having the same issue:
you just need to change http to https
in the Bootstrap link inside the code.
That will resolve the issue.
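As an added example (not code from the question or the answers), a small scanner that does what the two answers describe by hand: find every sub-resource an https page references over plain http, classify it the way the Mixed Content spec does (images and media are "optionally blockable"; scripts, stylesheets and frames are "blockable", which is what Chrome reports in the errors above), and rewrite only references to hosts known to serve the same files over https. The sample page and the example.net/example.org hosts are constructed; the two Bootstrap CDN URLs are the ones from the error messages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that load sub-resources. The Mixed Content spec calls images and
# media "optionally blockable"; everything else (scripts, stylesheets, frames,
# objects) is "blockable" and Chrome refuses to load it from an https page.
RESOURCE_ATTRS = {"script": "src", "link": "href", "iframe": "src", "object": "data", "embed": "src",
                  "img": "src", "audio": "src", "video": "src", "source": "src"}
OPTIONALLY_BLOCKABLE = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    """Collects http:// sub-resource references in a page served over https."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url, kind)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        value = attrs.get(attr)
        if not value:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # <link rel=canonical> and friends are not fetched as sub-resources here
        absolute = urljoin(self.page_url, value)  # resolves relative and protocol-relative (//cdn/...) URLs
        if urlsplit(absolute).scheme == "http":
            kind = "optionally-blockable" if tag in OPTIONALLY_BLOCKABLE else "blockable"
            self.findings.append((tag, attr, absolute, kind))


def find_mixed_content(html, page_url):
    """Return every http:// sub-resource of an https page; an http page has none by definition."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


_HTTP_REF = re.compile(r'''(\b(?:src|href|data)\s*=\s*["'])http://([^"']+)''', re.IGNORECASE)


def upgrade_references(html, https_capable_hosts):
    """Rewrite http:// to https:// in resource attributes, but only for hosts you have
    confirmed serve the same files over https (rewriting blindly just moves the
    breakage to a TLS error). References to hosts outside the allowlist are left alone."""
    def swap(match):
        host = urlsplit("http://" + match.group(2)).hostname
        if host in https_capable_hosts:
            return match.group(1) + "https://" + match.group(2)
        return match.group(0)
    return _HTTP_REF.sub(swap, html)


# Constructed sample modelled on the Firebase question: the two Bootstrap CDN
# references from the error messages plus a few references that must NOT be flagged.
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">
<link rel="canonical" href="http://example.firebaseapp.com/">
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
<script src="//cdn.example.net/app.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<a href="http://partner.example.org/">partner</a>
</body></html>"""

if __name__ == "__main__":
    page = "https://example.firebaseapp.com/"
    for tag, attr, url, kind in find_mixed_content(SAMPLE_HTML, page):
        print(f"{kind:20} <{tag} {attr}> {url}")
    fixed = upgrade_references(SAMPLE_HTML, {"maxcdn.bootstrapcdn.com"})
    print("remaining after rewrite:", find_mixed_content(fixed, page))
```

Run it as a build step on the generated index.html: anything still listed after the rewrite is a host that either has no https endpoint or is not on the allowlist yet, and the protocol-relative and <a href> references show why a blanket http-to-https search-and-replace is the wrong tool.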
