
When ssl is on, users get errors

When "force ssl" is set to "on", users get errors about some of the page content being secure and some not. When you leave the store, ssl is left on for the entire site generating more content secure/insecure errors.

Comments

  • Anonymoose ✭✭
    edited January 2015

    Some elements of all vanilla pages such as jquery and css image sprites are loaded from remote servers through insecure methods. A secure implementation would load all page elements through secure connections, and not in a mixed way.

  • How could I do a secure implementation? Would I search through the plugin files for references of http and change them to https?

  • vrijvlinder Papillon-Sauvage MVP
    edited January 2015

    As long as you own an SSL certificate. Yes. Is this embedded when the problem happens? If so, you need to alter the JS for embed to represent https instead of http in the URLs inside the code.

    This seems to work for most people.

    If it is not embedded and the problem happens, then it could be the htaccess file or the webroot setting in the config.php not directing to the page encrypted properly.

  • edited January 2015

    No, Vanilla is not embedded.
    Here is the .htaccess file:

    # Original
    # If you modify this file then change the above line to: # Modified
    <IfModule mod_rewrite.c>
       RewriteEngine On
       # Certain hosts may require the following line.
       # If vanilla is in a subfolder then you need to specify it after the /. 
       # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
       # RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php\?p=$1 [QSA,L]
    </IfModule>
    

    There is no web root parameter in the config.php file

  • vrijvlinder Papillon-Sauvage MVP
    edited January 2015

    #RewriteBase /

    It should be RewriteBase / without the hash which is a disabling symbol.
    Or forum/ if that is the webroot of the forum...

  • @vrijvlinder there isn't anything wrong with his implementation.

    You can't avoid mixed content errors on a forum.

    Think about it: anybody can post anything. You only need one http img to get a mixed content error.

    Sometimes you just have to accept there are going to be mixed content errors. Some browsers are worse than others.

    grep is your friend.

  • Btw not every external content has an equivalent https address, it may not even exist or it might be a totally different url, you can't control this.

    grep is your friend.

  • The biggest issue with your mixed content is your theme

    Blocked loading mixed active content "http://themes.googleusercontent.com/static/fonts/bitter/v3/2PcBT6-VmYhQCus-O11S5-vvDin1pK8aKteLpeZ5c0A.woff"
    

    You should change that to https:// so your fonts render.

    grep is your friend.
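
Added example (not part of any post in this thread, and not Vanilla code): a small Python scanner for the audit discussed above. Unlike a plain grep for `http://`, it skips ordinary `<a href>` links and non-stylesheet `<link>` tags, and separates loads that browsers block (scripts, stylesheets, iframes, fonts) from ones they usually only warn about (images). The function names, the sample markup and its hosts are constructed for illustration, and the active/passive split is a simplification of browser behaviour.

```python
import re
from html.parser import HTMLParser

# tag -> (URL attribute, class). <a href> is navigation, not a subresource.
SUBRESOURCES = {"script": ("src", "active"), "iframe": ("src", "active"),
                "link": ("href", "active"), "img": ("src", "passive")}
CSS_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)""", re.I)
FONT_EXT = (".woff", ".woff2", ".ttf", ".otf", ".eot")

def scan_css(css, where="css"):
    """(class, where, url) for each http:// url(); fonts count as active."""
    return [("active" if u.split("?", 1)[0].lower().endswith(FONT_EXT)
             else "passive", where, u) for u in CSS_URL.findall(css)]

class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        self.in_style = tag == "style"
        self.findings += scan_css(attrs.get("style", ""), f"<{tag} style>")
        attr, kind = SUBRESOURCES.get(tag, ("", ""))
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return  # rel="canonical" and similar load nothing
        if attrs.get(attr, "").lower().startswith("http://"):
            self.findings.append((kind, f"<{tag}>", attrs[attr]))

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside a <style> element is CSS
            self.findings += scan_css(data, "<style>")

def scan_html(html):
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a theme page fragment (hosts are placeholders).
SAMPLE = """<link rel="stylesheet" href="http://cdn.example/theme.css">
<style>@font-face{font-family:B;src:url(http://fonts.example/b.woff)}</style>
<img src="http://img.example/avatar.png"><a href="http://example.org/">x</a>
<script src="https://cdn.example/jquery.js"></script>"""

if __name__ == "__main__":
    print(*scan_html(SAMPLE), sep="\n")
```

Run `scan_css` over theme and plugin `.css` files and `scan_html` over rendered pages; the "active" findings are the ones to fix first, since those are the loads the browser refuses.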
