Asked  6 Months ago    Answers:  5   Viewed   43 times

This morning, upon upgrading my Firefox browser to the latest version (from 22 to 23), some of the key aspects of my back office (website) stopped working.

Looking at the Firebug log, the following errors were being reported:

Blocked loading mixed active content "http://code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css"
Blocked loading mixed active content "http://ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"`

among other errors caused by the latter of the two above not being loaded.

What does the above mean and how do I resolve it?

 Answers

83

I found this blog post which cleared up a few things. To quote the most relevant bit:

Mixed Active Content is now blocked by default in Firefox 23!

What is Mixed Content?
When a user visits a page served over HTTP, their connection is open for eavesdropping and man-in-the-middle (MITM) attacks. When a user visits a page served over HTTPS, their connection with the web server is authenticated and encrypted with SSL and hence safeguarded from eavesdroppers and MITM attacks.

However, if an HTTPS page includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The webpage that the user is visiting is only partially encrypted, since some of the content is retrieved unencrypted over HTTP. The Mixed Content Blocker blocks certain HTTP requests on HTTPS pages.

The resolution, in my case, was to simply ensure the jquery includes were as follows (note the removal of the protocol):

<link rel="stylesheet" href="//code.jquery.com/ui/1.8.10/themes/smoothness/jquery-ui.css" type="text/css">
<script type="text/javascript" src="//ajax.aspnetcdn.com/ajax/jquery.ui/1.8.10/jquery-ui.min.js"></script>

Note that the temporary 'fix' is to click on the 'shield' icon in the top-left corner of the address bar and select 'Disable Protection on This Page', although this is not recommended for obvious reasons.

UPDATE: This link from the Firefox (Mozilla) support pages is also useful in explaining what constitutes mixed content and, as given in the above paragraph, does actually provide details of how to display the page regardless:

Most websites will continue to work normally without any action on your part.

If you need to allow the mixed content to be displayed, you can do that easily:

Click the shield icon Mixed Content Shield in the address bar and choose Disable Protection on This Page from the dropdown menu.

The icon in the address bar will change to an orange warning triangle Warning Identity Icon to remind you that insecure content is being displayed.

To revert the previous action (re-block mixed content), just reload the page.

Tuesday, June 1, 2021
 
inieto
answered 6 Months ago
41

http://127.0.100.2/img.jpg isn’t considered mixed content because the Mixed Content spec defines it as a special case of an a priori authenticated URL, due to it being in the range 127.0.0.0 - 127.255.255.255 (that is, a host with the CIDR notation 127.0.0.0/8), which per the Secure Contexts spec is defined as a secure context — even if the protocol isn’t https.

The same goes for http://localhost/img.jpg or http://foo.localhost/img.jpg

Thursday, August 5, 2021
 
danjah
answered 4 Months ago
42

did you moved your code to another place?

because sqlite store the database into a file, when you call connect, if a file with the name 'mydatabase' exist, it will be loaded, otherwise. a new fresh database file will be created automatically.

search for your old file with name 'mydatabase' and put it within your code.

Friday, August 13, 2021
 
CMOS
answered 4 Months ago
52

I think that you can try with relative protocol caller.

<link rel="stylesheet" href="//www.example.com/style.css">
                    ---------^^

if your users visit your web in http, it loads http, and if the user visit under https it loads https.

Friday, August 13, 2021
 
tsmbl
answered 4 Months ago
61

I found a good answer here.

The second option, protocol relative links seems to be the best option.

UPDATED ANSWER

To give a more complete answer, protocol relative URLs help to avoid Mixed Content errors by requesting the resource from whatever protocol the browser is viewing that current page through. This is really useful when your site has pages that use both http & https, as in my case checkout page was being loaded over https while the rest our site uses http.

Example

So if we use a protocol relative url to link to a resource.

<link href='//fonts.googleapis.com/css?family=PT+Sans' rel='stylesheet' type='text/css'>

When we're on https://www.magento.com/onestepcheckout/index/ the resource will be loaded via https, https://fonts.googleapis.com/css?family=Lato.

And if we're on http://www.magento.com/ the resource will be loaded via http http://fonts.googleapis.com/css?family=Lato

This will avoid any Mixed Content Errors.

Caveats

There are a few things to consider when using this approach though.

  1. IE6 does not know how to hanler protocol relative urls. IE6 has less than 1.7% of the browser market.
  2. IE7 & IE8 support protocol relative URLs but they’ll end up fetching the resource twice. Once from HTTP and once over HTTPS, which will slow things down. Again, these older browsers account for very little of the browser market.
  3. Does not work in all email clients (e.g Outlook), so avoid using protocol relative urls in HTML emails
  4. You have to be sure that the server you’re requesting from is capable of serving content over both HTTP and HTTPS. If not you might end up fetching content from an unsecured or nonexistent server port.

Further Reading

https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content http://www.paulirish.com/2010/the-protocol-relative-url/ http://billpatrianakos.me/blog/2013/04/18/protocol-relative-urls/

Saturday, August 14, 2021
 
PedroKTFC
answered 4 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :  
Share