SSL mixed content issue - but only with Chrome


Roaddoctor


On both my 2.2rc2a and 2.4 shops (same server) SSL on Chrome is broken. Appears to be a mixed content issue but it does not make sense. IE and FF are good, no problems. Any insight appreciated.

 

My two shops are here and here

 

I’m trying to learn Fiddler, but haven’t a clue how to use it properly yet.

 

If there is mixed content, which I do not believe there is, why only Chrome? And if there is mixed content, I need help resolving it.

 

-dazed and confused

 

Thank you

Dave

-Dave


@Roaddoctor put the URL that causes problems in this: https://www.whynopadlock.com/ It's a good tool for sniffing out non-secure links on pages.

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


@Roaddoctor on one of the above links on the create account page you have a call that is not valid according to the above tool:

 

 

smarticon.geotrust.com is an invalid URL/domain


@Mort-lemur

Heather - yes I went there yesterday and saw the same, but it has to be a false report somehow.... it's the common https geotrust badge... and the same code is on the other site but does not flag. Yesterday I tested by removing that code, but the error persisted. So not sure what to think about that.

 

Using Chrome, if you go to, for example, the login.php page and press CTRL-SHIFT-J, I see the insecure errors. There are 4 on one of the sites and 2 on the other that I guess are the problem.

 

I received trusted advice elsewhere to replace the offending http links in the forms with the tep_href_link() function. For each link in question changing it to this:

tep_href_link(FILENAME_WHATEVER, '', $request_type)

 

Thanks for any other thoughts, advice, or insights.

 

Rant: stupid chrome :)

 

-Dave


If it will help anyone else, in short, if you get the mixed content issue, using Chrome, press CTRL-SHIFT-J, reload the page and the problem code will be highlighted.

Pretty much involves just changing

'NONSSL'

to

$request_type

I had one error that required a bit more - here is a new version of bm_manufacturers.php. Full credit to mattjt83 for the help - you're awesome, thank you.

<?php
/*
  $Id$

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2013 osCommerce

  Released under the GNU General Public License
*/

  class bm_manufacturers {
    var $code = 'bm_manufacturers';
    var $group = 'boxes';
    var $title;
    var $description;
    var $sort_order;
    var $enabled = false;
    var $pages;

    function bm_manufacturers() {
      $this->title = MODULE_BOXES_MANUFACTURERS_TITLE;
      $this->description = MODULE_BOXES_MANUFACTURERS_DESCRIPTION;

      if ( defined('MODULE_BOXES_MANUFACTURERS_STATUS') ) {
        $this->sort_order = MODULE_BOXES_MANUFACTURERS_SORT_ORDER;
        $this->enabled = (MODULE_BOXES_MANUFACTURERS_STATUS == 'True');
        $this->pages = MODULE_BOXES_MANUFACTURERS_DISPLAY_PAGES;
        $this->group = ((MODULE_BOXES_MANUFACTURERS_CONTENT_PLACEMENT == 'Left Column') ? 'boxes_column_left' : 'boxes_column_right');
      }
    }

    function getData() {
      global $HTTP_GET_VARS, $request_type, $oscTemplate;

      $data = '';

      $manufacturers_query = tep_db_query("select manufacturers_id, manufacturers_name from " . TABLE_MANUFACTURERS . " order by manufacturers_name");
      if ($number_of_rows = tep_db_num_rows($manufacturers_query)) {
        if ($number_of_rows <= MAX_DISPLAY_MANUFACTURERS_IN_A_LIST) {
// Display a list
          $manufacturers_list = '<ul style="list-style: none; margin: 0; padding: 0;">';
          while ($manufacturers = tep_db_fetch_array($manufacturers_query)) {
            $manufacturers_name = ((strlen($manufacturers['manufacturers_name']) > MAX_DISPLAY_MANUFACTURER_NAME_LEN) ? substr($manufacturers['manufacturers_name'], 0, MAX_DISPLAY_MANUFACTURER_NAME_LEN) . '..' : $manufacturers['manufacturers_name']);
            if (isset($HTTP_GET_VARS['manufacturers_id']) && ($HTTP_GET_VARS['manufacturers_id'] == $manufacturers['manufacturers_id'])) $manufacturers_name = '<strong>' . $manufacturers_name .'</strong>';
            $manufacturers_list .= '<li><a href="' . tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $manufacturers['manufacturers_id'], $request_type) . '">' . $manufacturers_name . '</a></li>';
          }

          $manufacturers_list .= '</ul>';

          $content = $manufacturers_list;
        } else {
// Display a drop-down
          $manufacturers_array = array();
          if (MAX_MANUFACTURERS_LIST < 2) {
            $manufacturers_array[] = array('id' => '', 'text' => PULL_DOWN_DEFAULT);
          }

          while ($manufacturers = tep_db_fetch_array($manufacturers_query)) {
            $manufacturers_name = ((strlen($manufacturers['manufacturers_name']) > MAX_DISPLAY_MANUFACTURER_NAME_LEN) ? substr($manufacturers['manufacturers_name'], 0, MAX_DISPLAY_MANUFACTURER_NAME_LEN) . '..' : $manufacturers['manufacturers_name']);
            $manufacturers_array[] = array('id' => $manufacturers['manufacturers_id'],
                                           'text' => $manufacturers_name);
          }

          $content = tep_draw_form('manufacturers', tep_href_link(FILENAME_DEFAULT, '', $request_type, false), 'get') .
                     tep_draw_pull_down_menu('manufacturers_id', $manufacturers_array, (isset($HTTP_GET_VARS['manufacturers_id']) ? $HTTP_GET_VARS['manufacturers_id'] : ''), 'onchange="this.form.submit();" size="' . MAX_MANUFACTURERS_LIST . '" style="width: 100%"') . tep_hide_session_id() .
                     '</form>';
        }

        $data = '<div class="ui-widget infoBoxContainer">' .
                  '  <div class="ui-widget-header ui-corner-top infoBoxHeading">' . MODULE_BOXES_MANUFACTURERS_BOX_TITLE . '</div>' .
                  '  <div class="ui-widget-content ui-corner-bottom infoBoxContents">' . $content . '</div>' .
                  '</div>';
      }

      return $data;
    }

    function execute() {
      global $SID, $oscTemplate, $request_type; // $request_type must be global here or the check below never matches

      //if ((USE_CACHE == 'true') && empty($SID)) {
      if ((USE_CACHE == 'true') && empty($SID) && ($request_type == 'NONSSL')) { //changed because cache will show nonssl links on ssl pages 
        $output = tep_cache_manufacturers_box();
      } else {
        $output = $this->getData();
      }

      $oscTemplate->addBlock($output, $this->group);
    }

    function isEnabled() {
      return $this->enabled;
    }

    function check() {
      return defined('MODULE_BOXES_MANUFACTURERS_STATUS');
    }

    function install() {
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Enable Manufacturers Module', 'MODULE_BOXES_MANUFACTURERS_STATUS', 'True', 'Do you want to add the module to your shop?', '6', '1', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Content Placement', 'MODULE_BOXES_MANUFACTURERS_CONTENT_PLACEMENT', 'Left Column', 'Should the module be loaded in the left or right column?', '6', '1', 'tep_cfg_select_option(array(\'Left Column\', \'Right Column\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort Order', 'MODULE_BOXES_MANUFACTURERS_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Display in pages.', 'MODULE_BOXES_MANUFACTURERS_DISPLAY_PAGES', 'all', 'select pages where this box should be displayed. ', '6', '0','tep_cfg_select_pages(' , now())");
    }

    function remove() {
      tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
    }

    function keys() {
      return array('MODULE_BOXES_MANUFACTURERS_STATUS', 'MODULE_BOXES_MANUFACTURERS_CONTENT_PLACEMENT', 'MODULE_BOXES_MANUFACTURERS_SORT_ORDER', 'MODULE_BOXES_MANUFACTURERS_DISPLAY_PAGES');
    }
  }
?>

-Dave


Been reading up on this - basically browsers are getting stricter as time goes on. I did not have this problem with Chrome v37 or prior. Chrome Version 38.0.2125.104 m is when I first noticed this issue. So update your Chrome and test.

-Dave


  • 3 weeks later...
  • 4 weeks later...

https://code.google.com/p/chromium/issues/detail?id=401365

 

Since my cert is sha-1 AND expires after 1/1/2017 I get the warning triangle.... seriously? Hey Google - how about a little more time before you go nuclear on sha-1.

So really now the only fix is to go update to SHA256 certificates. Easy enough, but a pia at the busy holiday shopping season.

-Dave


  • 4 months later...

 

If it will help anyone else, in short, if you get the mixed content issue, using Chrome, press CTRL-SHIFT-J, reload the page and the problem code will be highlighted.

Pretty much involves just changing

'NONSSL'

to

$request_type

 

If that's not it, post the problem code here.

-Dave


When I change 'NONSSL' to $request_type it breaks the whole site.

 

Here is my bm_search.php as it looks right now:

<?php
/*
  $Id$

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2010 osCommerce

  Released under the GNU General Public License
*/

  class bm_search {
    var $code = 'bm_search';
    var $group = 'boxes';
    var $title;
    var $description;
    var $sort_order;
    var $enabled = false;

    function bm_search() {
      $this->title = MODULE_BOXES_SEARCH_TITLE;
      $this->description = MODULE_BOXES_SEARCH_DESCRIPTION;

      if ( defined('MODULE_BOXES_SEARCH_STATUS') ) {
        $this->sort_order = MODULE_BOXES_SEARCH_SORT_ORDER;
        $this->enabled = (MODULE_BOXES_SEARCH_STATUS == 'True');

        $this->group = ((MODULE_BOXES_SEARCH_CONTENT_PLACEMENT == 'Left Column') ? 'boxes_column_left' : 'boxes_column_right');
      }
    }

    function execute() {
      global $oscTemplate;

      $data = '<div class="ui-widget infoBoxContainer">' .
              '  <div class="ui-widget-header infoBoxHeading">' . MODULE_BOXES_SEARCH_BOX_TITLE . '</div>' .
              '  <div class="ui-widget-content infoBoxContents" style="text-align: center;">' .
              '    ' . tep_draw_form('quick_find', tep_href_link(FILENAME_ADVANCED_SEARCH_RESULT, '', 'SSL', false), 'get') .
              '    ' . tep_draw_input_field('keywords', '', 'size="10" maxlength="30" style="width: 75%"') . ' ' . tep_draw_hidden_field('search_in_description', '1') . tep_hide_session_id() . tep_image_submit('button_quick_find.gif', MODULE_BOXES_SEARCH_BOX_TITLE) . '<br />' . MODULE_BOXES_SEARCH_BOX_TEXT . '<br /><a href="' . tep_href_link(FILENAME_ADVANCED_SEARCH) . '"><strong>' . MODULE_BOXES_SEARCH_BOX_ADVANCED_SEARCH . '</strong></a>' .
              '    </form>' .
              '  </div>' .
              '</div>';

      $oscTemplate->addBlock($data, $this->group);
    }

    function isEnabled() {
      return $this->enabled;
    }

    function check() {
      return defined('MODULE_BOXES_SEARCH_STATUS');
    }

    function install() {
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Enable Search Module', 'MODULE_BOXES_SEARCH_STATUS', 'True', 'Do you want to add the module to your shop?', '6', '1', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Content Placement', 'MODULE_BOXES_SEARCH_CONTENT_PLACEMENT', 'Left Column', 'Should the module be loaded in the left or right column?', '6', '1', 'tep_cfg_select_option(array(\'Left Column\', \'Right Column\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort Order', 'MODULE_BOXES_SEARCH_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', '6', '0', now())");
    }

    function remove() {
      tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
    }

    function keys() {
      return array('MODULE_BOXES_SEARCH_STATUS', 'MODULE_BOXES_SEARCH_CONTENT_PLACEMENT', 'MODULE_BOXES_SEARCH_SORT_ORDER');
    }
  }
?>
 
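Added example, not part of the thread and not osCommerce code: a stand-alone PHP sketch of how swapping 'NONSSL' for $request_type behaves inside a box module's execute() method, with and without the global declaration. demo_href_link() and the demo_box_* classes are hypothetical stand-ins; it assumes that tep_href_link() accepts only 'NONSSL' or 'SSL' and stops the page for any other value, and that $request_type is a global set once per request.

```php
<?php
// Added illustration: simplified stand-ins, not osCommerce source code.
define('HTTP_SERVER', 'http://shop.example');   // constructed value
define('HTTPS_SERVER', 'https://shop.example'); // constructed value

// Assumption: the shop sets this global once per request.
// Here the current page is treated as loaded over HTTPS.
$request_type = 'SSL';

// Hypothetical stand-in for tep_href_link(): only 'NONSSL' and 'SSL' are valid.
// The exception models the page stopping on any other connection value.
function demo_href_link($page, $parameters = '', $connection = 'NONSSL') {
  if ($connection === 'NONSSL') {
    $base = HTTP_SERVER;
  } elseif ($connection === 'SSL') {
    $base = HTTPS_SERVER;
  } else {
    throw new InvalidArgumentException('Unable to determine connection method on a link');
  }
  return $base . '/' . $page . ($parameters !== '' ? '?' . $parameters : '');
}

class demo_box_hardcoded {
  function execute() {
    // Always builds an http:// form action, even on an HTTPS page.
    return '<form action="' . demo_href_link('advanced_search_result.php', '', 'NONSSL') . '" method="get">';
  }
}

class demo_box_missing_global {
  function execute() {
    // No "global $request_type;" here, so the variable is undefined in this
    // scope: PHP reports it and passes null to demo_href_link().
    return '<form action="' . demo_href_link('advanced_search_result.php', '', $request_type) . '" method="get">';
  }
}

class demo_box_fixed {
  function execute() {
    global $request_type; // import the per-request value into method scope
    return '<form action="' . demo_href_link('advanced_search_result.php', '', $request_type) . '" method="get">';
  }
}

// Classify what each variant produces when the page itself is HTTPS.
function demo_check($class) {
  $box = new $class();
  try {
    $html = $box->execute();
  } catch (InvalidArgumentException $e) {
    return 'page stops: ' . $e->getMessage();
  }
  if (strpos($html, 'action="http://') !== false) {
    return 'form targets http:// from an HTTPS page';
  }
  return 'form action follows the page scheme';
}

foreach (array('demo_box_hardcoded', 'demo_box_missing_global', 'demo_box_fixed') as $class) {
  echo $class . ': ' . demo_check($class) . "\n";
}
```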

Hi

 

My Chrome is saying

 

Mixed Content: The page at 'https://www.newarkmusical.com/'was loaded over HTTPS, but requested an insecure favicon 'http://templates.doteasy.com/ErrorPages/error404/'. This content should also be served over HTTPS.

 

 

I reckon that you have a link in your <head> tag to a favicon that is missing - your hosting company (DotEasy) is then redirecting to a generic 404 page as per their T&C - that's over HTTP so you get the warning.

 

You'll need to find the link to the favicon.ico in your code and get it linking to a file that exists or else remove the link altogether


OK, this is my ht_opensearch.php file. Not really sure what I need to change.

<?php
/*
  $Id$

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2010 osCommerce

  Released under the GNU General Public License
*/

  class ht_opensearch {
    var $code = 'ht_opensearch';
    var $group = 'header_tags';
    var $title;
    var $description;
    var $sort_order;
    var $enabled = false;

    function ht_opensearch() {
      $this->title = MODULE_HEADER_TAGS_OPENSEARCH_TITLE;
      $this->description = MODULE_HEADER_TAGS_OPENSEARCH_DESCRIPTION;

      if ( defined('MODULE_HEADER_TAGS_OPENSEARCH_STATUS') ) {
        $this->sort_order = MODULE_HEADER_TAGS_OPENSEARCH_SORT_ORDER;
        $this->enabled = (MODULE_HEADER_TAGS_OPENSEARCH_STATUS == 'True');
      }
    }

    function execute() {
      global $oscTemplate;

      $oscTemplate->addBlock('<link rel="search" type="application/opensearchdescription+xml" href="' . tep_href_link('opensearch.php', '', 'NONSSL', false) . '" title="' . tep_output_string(STORE_NAME) . '" />', $this->group);
    }

    function isEnabled() {
      return $this->enabled;
    }

    function check() {
      return defined('MODULE_HEADER_TAGS_OPENSEARCH_STATUS');
    }

    function install() {
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Enable OpenSearch Module', 'MODULE_HEADER_TAGS_OPENSEARCH_STATUS', 'True', 'Add shop search functionality to the browser?', '6', '1', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Short Name', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_SHORT_NAME', '" . tep_db_input(STORE_NAME) . "', 'Short name to describe the search engine.', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Description', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_DESCRIPTION', 'Search " . tep_db_input(STORE_NAME) . "', 'Description of the search engine.', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Contact', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_CONTACT', '" . tep_db_input(STORE_OWNER_EMAIL_ADDRESS) . "', 'E-Mail address of the search engine maintainer. (optional)', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Tags', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_TAGS', '', 'Keywords to identify and categorize the search content, separated by an empty space. (optional)', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Attribution', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_ATTRIBUTION', 'Copyright (c) " . tep_db_input(STORE_NAME) . "', 'Attribution for the search content. (optional)', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) values ('Adult Content', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_ADULT_CONTENT', 'False', 'Search content contains material suitable only for adults.', '6', '0', 'tep_cfg_select_option(array(\'True\', \'False\'), ', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('16x16 Icon', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_ICON', '" . HTTP_CATALOG_SERVER . DIR_WS_CATALOG . "favicon.ico', 'A 16x16 sized icon (must be in .ico format, eg http://server/favicon.ico). (optional)', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('64x64 Image', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_IMAGE', '', 'A 64x64 sized image (must be in .png format, eg http://server/images/logo.png). (optional)', '6', '0', now())");
      tep_db_query("insert into " . TABLE_CONFIGURATION . " (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) values ('Sort Order', 'MODULE_HEADER_TAGS_OPENSEARCH_SORT_ORDER', '0', 'Sort order of display. Lowest is displayed first.', '6', '0', now())");
    }

    function remove() {
      tep_db_query("delete from " . TABLE_CONFIGURATION . " where configuration_key in ('" . implode("', '", $this->keys()) . "')");
    }

    function keys() {
      return array('MODULE_HEADER_TAGS_OPENSEARCH_STATUS', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_SHORT_NAME', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_DESCRIPTION', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_CONTACT', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_TAGS', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_ATTRIBUTION', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_ADULT_CONTENT', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_ICON', 'MODULE_HEADER_TAGS_OPENSEARCH_SITE_IMAGE', 'MODULE_HEADER_TAGS_OPENSEARCH_SORT_ORDER');
    }
  }
?>

I have looked everywhere I can possibly think of. I still get this error message when I press Ctrl+Shift+J:

 

Mixed Content: The page at 'https://www.newarkmusical.com/'was loaded over HTTPS, but requested an insecure favicon 'http://templates.doteasy.com/ErrorPages/error404/'. This content should also be served over HTTPS.

 

I can't find any links to any missing favicons or any insecurity anywhere else on my site. This is proving to be very frustrating since I haven't changed anything on my site and this just started happening. In Firefox it shows that all of the SSL checks out fine, which makes me think that Google changed something to cause this issue in Chrome. Any help would really be appreciated. I don't really know where to go from this point.


  • 1 month later...

Perhaps this might help someone...

 

I recently had an issue of this nature, but it popped up right after I enabled hotlink protection. Anything I searched would return the mixed content issues...missing images...no lock in the address bar, etc.

 

I removed the hotlink protection from the .htaccess, and the problems went away. So I put the hotlink entries back, and added 'https' entries. That fixed the problem entirely.

 

Original entries:

RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|pdf)$ http://mysite.com [R,NC]

Modified entry:

RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com$      [NC]
RewriteCond %{HTTP_REFERER} !^https://mysite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://mysite.com$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mysite.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mysite.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|pdf)$ http://mysite.com [R,NC]

Archived

This topic is now archived and is closed to further replies.
