Chrome JS Error: Mixed Content: for roboto - javascript

I keep getting the error below ONLY in the Chrome browser; however, there is no single call to http://fonts.gstatic.com/s/roboto/* within the page nor its included static files. I do not have any idea why Chrome makes this call or where it is coming from. Accessing the same URL from any other browser works, except Chrome.
Please, I will appreciate your help on fixing this error.
Mixed Content: The page at 'https://www.domainname.com/' was loaded
over HTTPS, but requested an insecure font
'http://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu5mxKOzY.woff2'.
This request has been blocked; the content must be served over HTTPS.

Just for the record, and for anyone that might be facing a similar problem. As @Raj mentioned in his answer, Chrome does not let https sites use resources from http sites.
However, I narrowed down the issue when I served an empty page with just HTML & Body tags and confirmed the issue still persisted. This tells me there might be something else wrong somewhere.
And it happened to be one of the installed Chrome Extensions that is injecting this font resource. I fixed the issue by disabling all Extensions. I will figure out which one was doing the harm by re-enabling them one after another.

Chrome does not let https sites use resources from http sites. Changing to https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu5mxKOzY.woff2 will solve the problem.

I had the same problem. The solution was to deactivate a Chrome plugin. In my case, it was VLC Video downloader, which inserted this path to an unsecure resource.

Related

The page was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint

I am calling a REST API from an HTTPS-deployed application to an HTTP REST API.
I have written the logic in JavaScript using the AngularJS framework.
The web service call failed with the message below.
The page at 'https://********someurl****' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
Requesting if anyone can help me get out of this error.
Workaround:
1- Click the shield icon in the far right of the address bar.
2- In the pop-up window, click "Load anyway" or "Load unsafe script".
If you want to set your Chrome browser to ALWAYS (in all webpages) allow mixed content:
1- Close Chrome. Chrome must be fully closed before the next steps.
2- Right-click the Google Chrome desktop icon (or Start Menu link). Select Properties.
3- At the end of the existing information in the Target field, add: " --allow-running-insecure-content" (There is a space before the first dash.)
4- Click OK.
5- Open Chrome and try to launch the content that was blocked earlier. It should work now.
This is just a workaround and you need to solve it by securing both the app and the REST API.
Use an https endpoint for your REST API, otherwise you will end up with mixed content.
HTTPS is important to protect both your site and your users from attack.
Mixed content degrades the security and user experience of your HTTPS site.
If you are unable to switch to https, another solution is to set up a server-side endpoint which you access via https, which then makes the call to the http URL and returns the result. In other words, making your own little HTTPS proxy to the http resource.
In my case Chrome was causing the issue, don't know why, other browsers work fine.
Tip: I wasted two days trying to find out the cause, hope this will help someone.
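
The server-side HTTPS endpoint suggested in the answers above, as an added Node.js example that is not part of the original answers: it relays only to one fixed upstream, so it cannot be used as an open proxy. The upstream host `legacy-api.internal.example`, its port, the `/api/` prefix and the function names are assumptions.

```javascript
// Added example (not from the original answers): HTTPS endpoint that relays to
// one fixed HTTP-only API. Host, port, prefix and names are assumptions.
const http = require('http');
const https = require('https');

const UPSTREAM = { host: 'legacy-api.internal.example', port: 8080 }; // hypothetical
const PREFIX = '/api/';
const ALLOWED_METHODS = new Set(['GET', 'HEAD']);

// Map an incoming request to upstream options, or null if it must be refused.
// The upstream host is never taken from the request.
function upstreamOptions(method, rawUrl) {
  if (!ALLOWED_METHODS.has(method)) return null;
  let u;
  try { u = new URL(rawUrl, 'https://proxy.invalid'); } catch (e) { return null; }
  if (u.host !== 'proxy.invalid') return null;     // "//other-host/x" or an absolute URL
  if (!u.pathname.startsWith(PREFIX)) return null; // "/api/../admin" normalises to "/admin"
  const path = '/' + u.pathname.slice(PREFIX.length) + u.search;
  return { host: UPSTREAM.host, port: UPSTREAM.port, method, path };
}

function handle(req, res) {
  const opts = upstreamOptions(req.method, req.url);
  if (!opts) { res.writeHead(403); return res.end('forbidden'); }
  const up = http.request({ ...opts, timeout: 5000 }, (upRes) => {
    // Forward status and content type only; upstream cookies and CORS headers are dropped.
    const type = upRes.headers['content-type'] || 'application/octet-stream';
    res.writeHead(upRes.statusCode, { 'Content-Type': type });
    upRes.pipe(res);
  });
  up.on('timeout', () => up.destroy(new Error('upstream timeout')));
  up.on('error', () => { if (!res.headersSent) res.writeHead(502); res.end(); });
  up.end();
}

// TLS key and certificate are supplied by the caller, e.g. read from files.
function createProxy(tlsOptions) {
  return https.createServer(tlsOptions, handle);
}
```

The hop from this endpoint to the API is still plain HTTP, so it belongs on a network path you control; only the browser-facing side is what removes the mixed-content error.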

JavaScript, images, and css do not load in Firefox over HTTPS

This is one of those issues where I'm going to punch myself in the face for not figuring out, but here goes anyway.
I've got a simple Laravel app (Laravel really has nothing to do with this anyway) and I need it to load its assets. The problem is, nothing loads. If you view page source and click on one of the links to the asset, it loads fine. If you view the network panel in firebug, no requests are even made for the files. That's 0 requests being made for the files.
I should mention, though, that this only happens in firefox. An item of note is that this page is served over HTTPS via self signed certificate (it's on a dev machine). Chrome and Safari both load the assets fine.
Let me know if you need any more information and I'll be happy to provide.
Here are some screens
It might be that you are using a http protocol for the resources whereas your page is being served with a https protocol as you say. Match the protocol for the page with the protocol for the resources that you are loading. e.g. You could use //: rather than http:// or https:// for your resources.
This issue was very obscure, and I didn't find it until starting Firefox in safe mode. This disabled all addons. When I did that, the page worked fine. The source of the issue was Adblock Plus. After disabling that addon the page works just fine. For some reason Adblock Plus doesn't play well with certain pages over HTTPS, so it may be a bug for them, or the page I was trying to load is being blocked by Adblock (don't know why, it's just a dev machine)
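
Matching the resource scheme to the page, as answers in these threads suggest, can be checked against page source before deployment. The following is an added example, not code from the original posts: it resolves each reference against the page URL and reports those that end up on plain HTTP. The markup is constructed, and `extractRefs` and `auditMixedContent` are hypothetical names.

```javascript
// Added example (not from the original posts): static audit of page source for
// subresources that an HTTPS page would request over plain HTTP.
const PASSIVE_TAGS = new Set(['img', 'audio', 'video', 'source']);
const FONT_EXT = /\.(woff2?|ttf|otf|eot)$/i;

// Collect src/href of subresource tags plus CSS url(...) references.
// Anchors (<a href>) are navigations, not subresources, so they are skipped.
function extractRefs(html) {
  const refs = [];
  const tagRe = /<(script|link|img|iframe|audio|video|source)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  const cssRe = /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) refs.push({ tag: m[1].toLowerCase(), ref: m[2] });
  while ((m = cssRe.exec(html)) !== null) refs.push({ tag: 'css-url', ref: m[1] });
  return refs;
}

function auditMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only applies to HTTPS pages
  const findings = [];
  for (const { tag, ref } of extractRefs(html)) {
    let resolved;
    try { resolved = new URL(ref, page); } catch (e) { continue; } // unparsable reference
    if (resolved.protocol !== 'http:') continue; // "//host/x" and "/x" inherit https
    // Images and media are optionally-blockable; scripts, styles, frames and fonts are blockable.
    const passive = PASSIVE_TAGS.has(tag) ||
      (tag === 'css-url' && !FONT_EXT.test(resolved.pathname));
    findings.push({ tag, url: resolved.href, kind: passive ? 'optionally-blockable' : 'blockable' });
  }
  return findings;
}

// Constructed sample markup; only the font URL comes from the error quoted on this page.
const SAMPLE_HTML = `
<link rel="stylesheet" href="//cdn.example.test/site.css">
<style>@font-face{font-family:Roboto;src:url(http://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu5mxKOzY.woff2)}</style>
<script src="http://static.example.test/legacy.js"></script>
<img src="http://static.example.test/logo.png">
<script src="/js/app.js"></script>
<a href="http://example.test/">plain link</a>`;

console.log(auditMixedContent('https://www.domainname.com/', SAMPLE_HTML));
```

An empty result while the browser still reports mixed content points at a request injected at runtime, such as by a browser extension, which is what the first thread on this page found.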

AppCache with PhoneGap and Jquery mobile

I recently set my appname.appcache contents to this:
CACHE MANIFEST
# 2010-02-10 v1
CACHE:
index.html
test1.html
test2.html
# many more project root html files
#stylesheets
css/main.css
css/normalize.css
css/themes2/jquery.mobile-1.0.min.css
#gameMessages
some-folder/name.html
#many more like this
#js
js/vendor/jquery.mobile-1.0.1.min.js
# a few more files
Now when I navigate to index.html I get an error in google-chrome:
Failed to load resource: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. file:///home/username/Desktop/project-name/test1.html
XMLHttpRequest cannot load file:///home/user-name/Desktop/project-name/test1.html. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
In phonegap's config.xml file:
<access origin="*"/>
So does this solve the problem when run on real mobile devices? And why am I getting this error just on Chrome? On Firefox it runs fine, by asking for a permission to store files.
And does appCache improve performance for applications built with PhoneGap? Does caching resources already available on hardware make things faster? I know that content in cache is processed really quickly compared to content on HD. Hence the appCache facility is used in this case.
I also got the same error, but in my case it was due to the fact that I was running my file on http and caching resources which were on https, therefore not on the same origin.
If you have that kind of issue you can look into it.
Not really an answer but thanks for pointing me in the right direction in solving my own problem. (posted here in case it ever helps someone with a similar issue - I tried adding just a comment but the text is too long)
I'd been using a cache manifest for the web version of an app I'm building but hadn't considered it for the PhoneGap build. When you ask "does appCache improve performance for application built with phonegap?" for me at least, the resounding answer is a big yes.
I'm using magnificPopup loading ajax type pop-ups, all worked fine (even when the phone/device is offline) except for when the popup content includes a RoyalSlider gallery - these successfully load the ajax content (I can tell thanks to magnificPopup's very useful ajax callbacks) but they don't go on to add this to the DOM. I still have no idea exactly why that is, I'm guessing the problem is somewhere in RoyalSlider's code, perhaps looking for a resource it considers to be online? But anyways, implementing a cache manifest has completely solved the problem for me. Thanks.

Google Chrome, Same-Origin Policy killing Tampermonkey script

I have a script done by myself that uses jQuery Ajax functions to log some data from a web page when I access it. It takes some info and sends it to my local Apache host to save in a text file.
It worked for months, but I am now getting an error related to this Same-Origin Policy (I know how it works and its purpose) and the browser is now ending the script execution showing this message:
The page at https://www.website.com/ displayed insecure content from
http://127.0.0.1:8081/whatever.php
Followed by this:
Refused to connect to connect 'http://127.0.0.1:8081/whatever.php?arguments=1' because it
violates the following Content Security Policy directive: "connect-src
https://www.website.com/* https://*.website.com/
https://*.website.net xhr: error: SECURITY_ERR: DOM Exception 18
That last domain is colored in red on the error message. A curious detail is that in the JavaScript code on Tampermonkey I have the @includes of those domains but not the red marked domain. I've added it and tested, but it didn't work.
Every discussion I've found on Google tells how to disable this policy but in case that you're developing an extension, that is not my case.
This code will just run in my machine, I didn't have the intention to distribute it in any way so any solution will be appreciated, even if the solution is to change browser configuration directly.
If this is useful, I'm using Windows 7.
Tampermonkey Beta fixed its GM_xmlHttpRequest to be independent from the page's CSP.
Unfortunately it can not fix jQuery AJAX requests cause it doesn't have a clue what sites are going to be contacted.
If the page you're contacting is Facebook, then the CSP is sent only to Chrome 21-23, but not Chrome 24. So you can use Tampermonkey's @user-agent tag to simulate Chrome 24.
On your local server, the whatever.php you're sending the data to, set up CORS (ie. send header Access-Control-Allow-Origin: *).
You do not need anything from above. All you have to do in your ajax call is to add
script.php?callback=?&your_parametars_here
and in php file you just have to add this when retrieving data:
// JSONP: the payload has to be wrapped in a call to the callback name
echo $_GET['callback'] . '(' . $your_data_here . ');';
That's all!

Opera: .js file won't load

I have a page that calls a script in the header, like so:
<script type="text/javascript" src="http://www.discoverfire.net/analytics/l/a.js"></script>
(Note you will NOT be able to load this script as it is DNSd locally as a staging domain)
Very Simple.
Firefox, IE, Chrome all have no problem with this basic, square-one feature.
Opera, however, refuses to load the script. Any variables or functions in it are "undefined" and in dragonfly, the script tag is shown in the DOM, but the "Script" tab says "No script files found."
I go to google and find random pages, their external .js files seem to work just fine.
Any idea why Opera hates me? Is there a security/javascript thing I am missing?
A few things that may be relevant, but really should make no difference:
The script is on a different domain than the page.
The script is only available on my local network. The domain is DNS'd locally for staging, from outside the network it points somewhere else. Does Opera have a setting to secretly use an external DNS server?
The script works on every other browser I have.
The problem isn't in the script content. I've reduced it to a single line with an alert and it simply won't work in Opera.
Update:
OK, the problem seems to be how Opera treats the domain.
I have moved the script to several other domains, and it DOES work just fine. I've moved it to several paths on the locally DNS'd domain, and it won't work from anywhere on that domain.
This leads me to believe that the problem is that Opera can't, or won't, load the script from this domain for some reason.
Strangely, there seems to be no problem loading pages and other resources from the domain, the problem lies in .js files only.
The domain is registered, but parked. We DNS'd it locally so we can use it for staging/testing, and that may be messing with Opera somehow with JS security.
I could be wrong though - I really have no idea. If anyone else has one, I'd love to hear it.
Update 2:
Regarding Dragonfly and the error console/developer tools, they don't say anything about the script at all. There are plenty of Undefined Variable errors for variables and functions that should be present from the script, but other than that, no errors. Oddly, the script tag does show up in the DOM, but if I click on the Scripts tab, it says "No Scripts Found".
Update 3:
There is no blocked content, so we can at least rule out that setting.
You may want to see if its ad blocker is getting in the way. Your URL contains the text "analytics," which may be part of a "block this" pattern. I know some block Google analytics through Opera. An easy test for this may be to try moving your .js to a different path on the host.
Have you checked Opera's error console? Tools > Advanced > Error Console
It should provide information on why it won't load or if there is another error of some kind.
Like Jacob suggested, you should check if it isn't blocked. To do this:
Right-click on your page
Select "Block Content..." in the context menu
At the top of the screen, click the "Details..." button
You should see the URLs that are blocked on the current page
You should ask in the Opera Forums. I had some problems with Opera in the past and they answered quickly.
Is the host serving the correct mime type of the JavaScript file? It's not a commonly known fact but the type=text/javascript attribute is actually ignored by browsers as it trusts that the server is specifying the correct type.
Additionally the mime type of text/javascript is actually wrong when it comes to JavaScript, the actual JavaScript mime type is application/ecmascript (if I recall correctly, it may be application/javascript though). If you don't believe me you should have a look here where I had more information and linked off to Douglas Crockford's videos where he discussed the mime type.
I had something similar recently - opera would just not run a script on an external server... nor if I downloaded it and had it on localhost. It only ran when copy/pasted between script tags into the html page.
It turned out that the script was encoded with UTF-16 and that was somehow confusing the browser. When I converted it to UTF-8, everything ran fine.
So, just in case and if you still have that problem, check out the encoding settings...
I had the exact same issue, trying to load a script from a localhost/development server into a page hosted on the public server, to no avail. The only way I managed to get the script to load in Opera was to save a copy of the page into a location on the same development server and use the tag to refer to the original domain to get the page's .css and .js linked files. That worked. Looks like Opera doesn't like to mix public and localhost domains, but handles localhost without complaints.
What you're seeing is probably Opera's security precaution against the so-called "phish pharm" attacks: cross-network protection. You can not mix content from a public server and content from a local server.
Have a look at my answer here for a workaround:
Opera won't load some JavaScript files
