I'm using Jira in https and I have some adjustments I'd like to make with some extra JS. My JS is hosted on an insecure server (no https available).
When I dynamically load the insecure JS file by inserting it into the DOM (using a browser extension), Chrome tells me:
[blocked] The page at https://jiraserver/browse ran insecure content from http://myserver/jira.js.
I can see how this is very secure and all, but I don't care. I want to load that insecure JS file. How can I tell Chrome to trust me and just do what I say?
My insertion method (in the extension code):
document.body.appendChild((function(s){s.src='http://myserver/jira.js';return s;})(document.createElement('script')));
According to this Chrome Support Q&A you can launch your Chrome with the following command line flag to prevent Chrome from checking for insecure content:
--allow-running-insecure-content
Here is some documentation on how to run Chrome with command flags
Chrome simply will not load an insecure script in a secure page.
Does your jira.js have to be loaded from a server? The best way to inject it into the page would be by including it in your extension bundle.
var s = document.createElement('script');
s.src = chrome.extension.getURL("jira.js");
s.onload = function() {
this.parentNode.removeChild(this);
};
(document.head||document.documentElement).appendChild(s);
If you must load it from a server, I suppose your extension could make a XHR request for the script, then inject the response into the page.
// make a XHR request, then...
var s = document.createElement('script');
s.textContent = codeFromXHR;
(document.head||document.documentElement).appendChild(s);
s.parentNode.removeChild(s);
I had the same problem:
Our client links a CSS file and a JS file hosted on our server, on a domain which is not secure.
We will solve it by using Amazon CloudFront. They serve HTTPS using their certificates, which are verified.
That's not a bad solution for us since a CDN is often a good idea and these resources are somewhat static. (The CSS file is tailored for each client and is in fact generated, but a sane TTL can be configured and the CDN flushed if required.)
Note that the CDN solution may even be more affordable than actually buying a certificate depending on your data load.
I have faced the same issue and found that if we are logged in to our Google account in Chrome, then Chrome stops loading the insecure content over https.
If we use an incognito window to load the website which has insecure content, then it will work.
I was checking for some load latency on a php page I am building.
I discovered some resources that I wasn't loading:
l.js
r.js
icp
s.gif
I disabled all CSS and JS files (including jQuery) in my page but still see these files loading. The s.gif is especially disturbing because the request has the URL of my PHP file on it and I really don't want that information out there. (I am running the server over https for security but don't want to have to put a user login on top of the server.)
I am serving on OS X Server and using Safari as the debugger and load analyzer.
This issue did not show code that explained where the resource requests were coming from. I started disabling browser extensions and that did the job. Apparently they were injecting resource requests with the downloaded pages.
I'm writing a Chrome extension that uses a content_script.
The content script uses XMLHttpRequest to send information about the page to my server, and based on that information the server responds with something that has to be done.
Everything works well on http pages, but fails on http*s*.
The error I get is:
[blocked] The page at '==https page==' was loaded over HTTPS, but ran insecure content from '===myserver - http===': this content should also be loaded over HTTPS.
If I use https on my server, will it work, even though it's a different domain? Is there any way to do it without using SSL on my server?
Thanks.
Yes, you can only call https content from an https page. See these for help on the mixed content issue:
https://support.google.com/chrome/answer/1342714?hl=en
http://kb.iu.edu/data/bdny.html
You can test your extension with mixed content by enabling it explicitly as instructed at:
http://wiki.sln.suny.edu/display/SLNKB/Enabling+mixed+content+in+Google+Chrome
If you enable SSL/https on your web-server this will solve the issue for your users also. A cheaper and easier way to enable SSL on your server almost instantly would be to use Cloudflare.
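As an added example (not from any post on this page), the blocking rule discussed in these answers can be modelled in a few lines of JavaScript. It follows the W3C Mixed Content categories in simplified form; the function names, destination labels and sample request list are constructed for illustration.

```javascript
// Added example: simplified model of the browser's mixed-content decision.
// Function names and destination labels are this example's own.

// Per the Mixed Content spec, insecure images/audio/video are "upgradeable";
// every other insecure subresource (script, style, XHR, iframe...) is blockable.
const UPGRADEABLE = new Set(['image', 'audio', 'video']);

// Rough "potentially trustworthy URL" check: TLS schemes, data: and loopback.
function isTrustworthy(url) {
  if (['https:', 'wss:', 'data:'].includes(url.protocol)) return true;
  const host = url.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === '[::1]';
}

// Returns 'not-applicable' | 'allowed' | 'upgradeable' | 'blocked'.
function classifyRequest(pageUrl, resourceUrl, destination) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl, page); // also resolves //host/path forms
  if (page.protocol !== 'https:') return 'not-applicable';
  if (isTrustworthy(res)) return 'allowed';
  return UPGRADEABLE.has(destination) ? 'upgradeable' : 'blocked';
}

// Lists only the requests an HTTPS page would have trouble with.
function auditPage(pageUrl, requests) {
  return requests
    .map(r => ({ ...r, verdict: classifyRequest(pageUrl, r.url, r.destination) }))
    .filter(r => r.verdict === 'blocked' || r.verdict === 'upgradeable');
}

// Constructed sample, reusing host names that appear in the questions above.
const SAMPLE_REQUESTS = [
  { url: 'http://myserver/jira.js', destination: 'script' },
  { url: 'http://myserver/logo.png', destination: 'image' },
  { url: '//cdn.example.com/script.js', destination: 'script' },
  { url: 'http://myserver/api', destination: 'xhr' },
  { url: 'http://localhost:8080/js1.js', destination: 'script' },
];

for (const r of auditPage('https://jiraserver/browse', SAMPLE_REQUESTS)) {
  console.log(r.verdict.padEnd(12), r.destination.padEnd(7), r.url);
}
```

The protocol-relative URL passes because it inherits https from the page, which is why serving the script host over TLS resolves the error even on a different domain.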
I am running a Tomcat server and my localhost base domain is:
C:/apache/webapps/ROOT/
My webpage is also present here.
However the javascripts are present in an external location.
D:/something/something
And I am importing them the following way:
<script src="D:/something/something/js1.js"></script>
In IE the page loads fine and is able to locate the scripts; however, with Chrome it fails.
On debugging I see that Chrome tries to append the following:
http://localhost:8080/D:/something/something
How do I get it to work on Chrome without copying the scripts to the base location?
For doing anything useful from within the JS code, you'll most likely have to obey the same origin policy. This means you'll have to configure your Tomcat so that it serves the scripts, too.
If you really insist on reading the scripts from local files, that's what file:// URLs do.
You can't do this because you will search for D:/something/something/js1.js in the user/client computer.
You can do it calling (read and print) the file via PHP (D:/something/something/js1.js.php) or any other server side programming language or installing a webserver in your external location to call the file via URL like myCDN.mydomain.com.
EDIT: If you will only work in localhost, use #Pointy and #Konstantin K solutions :)
If a page is served over https but the associated files are served from a non-secure http website, Chrome will throw the “insecure content” warning. Is there an event/property that I could be using to know when Chrome has blocked insecure content and also know if the user allowed the insecure content? A shield appears at the right of the address bar when Chrome loads "insecure content" and the user has the possibility to click on this shield and still run the script. Is there any event for this?
Thank you.
The only way I can think to do this would be to serve a file over non-https, that would include a function to run if they allow non-secure content.
This script will obviously only be included if they've allowed the non-secure content to be loaded, and therefore works as your event check. You can therefore also check if these haven't been allowed by storing a global variable in the non-secure file & checking for it in a secure JS file (or within the document).
Obviously, if you're serving content via SSL, you should really ensure all of your content included is also over SSL.
I have a website at example.com and I am serving all external resources from cdn.example.com. So in my HTML page at example.com I have something like:
<script type="text/javascript" src="http://cdn.example.com/script.js"></script>
In my script I want to create a Web Worker, so I do:
worker = new Worker("http://cdn.example.com/script.js");
But this fails on Firefox 16 with Failed to load script: http://cdn.example.com/script.js (nsresult = 0x805303f4) error. It works on Safari 6 and Chrome 22.
It seems the problem is because the origins differ. The effective origin of the script is example.com and cdn.example.com does not match that. This seems a bug because neither CORS nor setting document.domain helps (or at least I couldn't make it work by playing with that). Is there any way to make it work?
In the end I made the website at example.com serve a simple piece of JavaScript code which includes the real web worker code:
importScripts('http://cdn.example.com/script.js');
and then create web worker by pointing to that.