I am getting the following issue when I converted HTTP to https in Drupal
Site was loaded with HTTPS but requested an insecure stylesheet
'http://fonts.googleapis.com/css?family=Open+Sans:regular&subset=cyrillic-ext'.
This request has been blocked; the content must be served over HTTPS
Thanks in advance
Thanks Everyone, I added
$_SERVER['HTTPS'] = 'on'
in settings.php file and http converted to https
Related
BASE_URL = "http://********:8091/api/v1";
I have uploaded my react-js application on netlify.com. in react js I implemented APIs.... when I hit APIs after deploying I got this error on console:
Mixed Content: The page at 'https://xyz.netlify.app/' was loaded over
HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://***:8091/api/v1/categories/'. This request has been
blocked; the content must be served over HTTPS.
what is the solution to this
Unfortunately, There's no way to disable mixed content
Just Add the Below meta tag to your HTML file
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
We are working with websphere portal and curently dealing with chrome mixed content issue,
Mixed Content: The site at 'https://tgcs551.commerce.toshiba.com/' was loaded over a secure connection, but the file at 'http://tgcs04.toshibacommerce.com/cs/groups/internet/documents/document/bl82/mtqw/~edisp/tcxtu_win_614014x.zip?_ga=2.95374741.800005762.1609132621-1301842396.1608820702' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.
we tried below meta data in our static theme also.
but we had not get any success.
Then we tried to right Content-Security-Policy in our httpd.conf file of http server of our websphere portal.
Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header set Content-Security-Policy "default-src https://tgcs04.toshibacommerce.com; child-src 'none'; object-src 'none'"
Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' http://tgcs04.toshibacommerce.com; style-src 'self'"
But not get any success, and finally we realised by checking logs the request of http://tgcs04.toshibacommerce.com is not going to the http server.
we already have SSL certified website also.
We can't move to https .
so anyone can help us in this solution.
Mixed Content: The site at 'https://tgcs551.commerce.toshiba.com/' was loaded over a secure connection, but...
Just curious how do you loads https://tgcs551.commerce.toshiba.com via https: with invalid cert:
If you are unable to change http://tgcs04.toshibacommerce.com/cs/... to the https: in the HTML code, the Header always set Content-Security-Policy "upgrade-insecure-requests;" should help. But I do not see any Content-Security-Policy in the responce header:
Of course, CSP header should be publushed on the download page(I do not know it Url). but none of https://tgcs04.toshibacommerce.com/cs/, http://tgcs04.toshibacommerce.com/cs/groups/internet/, etc do not have CSP header.
Also weird thing: http://tgcs04.toshibacommerce.com/ redirects to httpS://tgcs04.toshibacommerce.com/, http://tgcs04.toshibacommerce.com/cs/groups/ redirects to https: too. But http://tgcs04.toshibacommerce.com/cs/groups/internet/... already does not have redirect.
Also all the Urls above redirects to login page, but direct download http://tgcs04.toshibacommerce.com/cs/groups/internet/documents/document/bl82/mtqw/~edisp/tcxtu_win_614014x.zip is possible without auth. Was is intended so?
Fix the SSL certs (may be it's better to generate wildcard cert *.toshibacommerce.com) and make to be published CSP header.
I'm doing application with spring security and Spring MVC in back end and Angular in front end.
My problem is that I do the logged in correctly, but the problem in logged out I implemented correctly in my localhost: http://localhost:8080 worked without problem. When I change it to https:// I get this error:
Mixed Content: The page at '' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint ''. This request has been blocked; the content must be served over HTTPS.
I want to know how to correct that? And how to know which url blocked by https in the browser for example chrome?
This post which gives a solution to your problem: http://www.learningthegoodstuff.com/2015/08/mixed-http-error-with-spring-security.html
All the details are explained there, basically all you have to do is add this two lines to my application.properties file:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
I fixed by removing a forward slash from the end of a URL fixing everything.this is help me : GET request throws error after app implemented SSL: Mixed Content: This request has been blocked; the content must be served over HTTPS"
This happens when the server is using http (non secured). You can fix it by enforcing https for all resources in the backend. Check here for more details.
In #Jabir Minjibir's answer there is very good link to describe the error. As sum up, when your application works with httpS scheme you can't make visits to unsecure links which is http.
I got this error and fixed it like I wrote below:
Mixed Content: The page at 'https://stackblitz.com/' was loaded over HTTPS, but
requested an insecure XMLHttpRequest endpoint 'http://172.19.0.62:920/'.
This request has been blocked; the content must be served over HTTPS.
You can mask unsecure links with simple-https-proxy npm package. In my experience I was coding an angular sample on httpS://stackblitz.com and I was trying to connect to an Elasticsearch server which doesn't have a domain name. I needed to make it working with ssl but I couldn't modify it's scheme. Thus I installed a proxy which can work secure (httpS).
I installed the npm package:
npm i -g simple-https-proxy#latest
Then I created certificate:
simple-https-proxy --makeCerts=true
Then I ran it
simple-https-proxy --target=http://172.19.0.62:9200 --port=9201 --rewriteBodyUrls=false
In another example:
Im using Bootstrap and AngularFire for my Web project. Everything ok but when I host it on Firebase.com. The layout has changed
Errors:
Mixed Content: The page at 'https://......firebaseapp.com/' was loaded over HTTPS, but requested an insecure stylesheet 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://......firebaseapp.com/' was loaded over HTTPS, but requested an insecure script 'http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js'. This request has been blocked; the content must be served over HTTPS.
What happens with Bootstrap? Thanks in advance!
Firebase uses HTTPS to serve content. As you can see from the error, you are referring the content to be loaded over HTTP. Though this should not be happening, but it could be one of recent features of Chrome where they block, non-secure requests over a secure channel.
In order to solve it, you should change the URLs in your code to point at HTTPS versions of Bootstrap CDN.
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js
Further Read: https://support.google.com/chrome/answer/1342714?hl=en
I was having the same issue:
you just need to make the http to https
in the bootstrap link inside the code.
That will resolve the issue.
Mixed Content: The page at 'https://www.example.com/dashboard' was
loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://api.example.com/inventory/10/'. This request has been blocked;
the content must be served over HTTPS.
We have this Angular web app that runs with Flask on the back-end.
Everything was working fine until we implemented SSL. Afterwards, we keep getting this strange error everywhere.
Now, the $http.get request in my dashboard.js is definitely calling "https://api.example.com/inventory/10" in the code below and yet the error is claiming that we are trying to request "http" instead.
$http.get($rootScope.baseUrl+'/inventory/' + item.id)
where rootScope.baseUrl is "https://api.example.com".
It's really weird because some GET requests ARE going through from our web application to our back-end, but some requests are throwing this weird error.
Here's the header that gets an error in our Network tab of the console in chrome.
Request URL:https://api.example.com/inventory/10 Request Headers
Provisional headers are shown Accept:application/json, text/plain, /
Origin:https://www.example.com
Referer:https://www.example.com/dashboard
It was a weird case that came down to removing a forward slash from the end of a URL fixing everything. Somehow, whenever we made a GET request using $http in Angular like baseurl + inventory.id + "/", it would make a http request but as soon as remove that slash, it would make the https request correctly.
Still so confused
I think the root of the problem is in server redirects. I was able to resolve same issue with SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') setting for Django (its running behind AWS balancer). Here is documentation.