Google Chrome, Same-Origin Policy killing Tampermonkey script - javascript

I have a script, written by myself, that uses jQuery Ajax functions to log some data from a web page when I access it. It takes some info and sends it to my local Apache host to save in a text file.
It worked for months, but I'm now getting an error related to this Same-Origin Policy (I know how it works and its purpose), and the browser is now ending the script execution, showing this message:
The page at https://www.website.com/ displayed insecure content from
http://127.0.0.1:8081/whatever.php
Followed by this:
Refused to connect to connect 'http://127.0.0.1:8081/whatever.php?arguments=1' because it
violates the following Content Security Policy directive: "connect-src
https://www.website.com/* https://*.website.com/
https://*.website.net xhr: error: SECURITY_ERR: DOM Exception 18
That last domain is colored in red in the error message. A curious detail is that in the JavaScript code on Tampermonkey I have the @includes of those domains but not the red-marked domain. I've added it and tested, but it didn't work.
Every discussion I've found on Google tells how to disable this policy, but only in the case that you're developing an extension, which is not my case.
This code will just run on my machine; I don't have the intention to distribute it in any way, so any solution will be appreciated, even if the solution is to change the browser configuration directly.
If this is useful, I'm using Windows 7.

Tampermonkey Beta fixed its GM_xmlhttpRequest to be independent from the page's CSP.
Unfortunately it cannot fix jQuery AJAX requests because it doesn't have a clue what sites are going to be contacted.
If the page you're contacting is Facebook, then the CSP is sent only to Chrome 21-23, but not Chrome 24. So you can use Tampermonkey's @user-agent tag to simulate Chrome 24.
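The refusal quoted in the question, worked through as an added example (this is not code from the question or from any of the answers): a simplified CSP source-expression matcher that checks scheme, host (with a leading `*.` wildcard), port and path prefix, and reports whether the quoted connect-src list admits the local endpoint. 'self', nonces and hashes are not modelled; the directive and URL are the ones from the error message.

```javascript
// Added example (not from the question or its answers): a simplified CSP
// source-expression matcher showing why the quoted connect-src directive
// refuses http://127.0.0.1:8081/whatever.php. Handles scheme, host with a
// leading *. wildcard, port and path prefix; 'self', nonces and hashes are not modelled.

function parseSource(expr) {
  const schemeOnly = /^([a-z][a-z0-9+.-]*):$/i.exec(expr);      // e.g. "https:"
  if (schemeOnly) return { scheme: schemeOnly[1].toLowerCase(), host: '*', port: '*', path: '' };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|\*\.[^/:'\s]+|[^/:'\s]+?)(?::(\d+|\*))?(\/\S*)?$/i.exec(expr);
  if (!m) return null;                                            // keyword, nonce or hash source
  return { scheme: (m[1] || '').toLowerCase(), host: m[2].toLowerCase(),
           port: m[3] || '', path: m[4] || '' };
}

function hostMatches(pattern, host) {
  if (pattern === '*') return true;
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1)) && host.length > pattern.length - 1;
  return pattern === host;
}

function pathMatches(pattern, path) {
  if (!pattern || pattern === '/') return true;                   // no path part: any path
  if (pattern.endsWith('/*')) return path.startsWith(pattern.slice(0, -1));
  if (pattern.endsWith('/')) return path.startsWith(pattern);     // trailing slash: prefix match
  return path === pattern;                                        // otherwise: exact match
}

// pageScheme is inherited by sources written without a scheme (e.g. "api.website.com")
function sourceMatches(src, urlStr, pageScheme) {
  const u = new URL(urlStr);
  const scheme = u.protocol.slice(0, -1);
  const srcScheme = src.scheme || pageScheme;
  // an http: source also admits https:, but never the reverse
  if (scheme !== srcScheme && !(srcScheme === 'http' && scheme === 'https')) return false;
  if (!hostMatches(src.host, u.hostname)) return false;
  const defaults = { http: '80', https: '443', ws: '80', wss: '443' };
  const urlPort = u.port || defaults[scheme] || '';
  const srcPort = src.port || defaults[srcScheme] || '';
  if (src.port !== '*' && srcPort !== urlPort) return false;
  return pathMatches(src.path, u.pathname);
}

function connectSrcAllows(directiveValue, urlStr, pageScheme = 'https') {
  return directiveValue.trim().split(/\s+/).map(parseSource)
    .some(src => src && sourceMatches(src, urlStr, pageScheme));
}

const DIRECTIVE = 'https://www.website.com/* https://*.website.com/ https://*.website.net';
const LOCAL_ENDPOINT = 'http://127.0.0.1:8081/whatever.php?arguments=1';
console.log(connectSrcAllows(DIRECTIVE, LOCAL_ENDPOINT)); // false: scheme and host both fail
```

Adding the loopback origin to the directive is the only thing that would admit the request, which a userscript cannot do to a page's own policy; that is why the answers point at GM_xmlhttpRequest or a different transport.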

On your local server, in the whatever.php you're sending the data to, set up CORS (i.e. send the header Access-Control-Allow-Origin: *).

You do not need anything from above. All you have to do in your ajax call is to add
script.php?callback=?&your_parameters_here
and in the PHP file you just have to add this when retrieving data:
echo $_GET['callback'] . '(' . json_encode($your_data_here) . ');';
That's all!

Related

Chrome JS Error: Mixed Content: for roboto

I keep getting the error below ONLY in the Chrome browser; however, there is no call to http://fonts.gstatic.com/s/roboto/* within the page or its included static files. I do not have any idea why Chrome makes this call or where it is coming from. Accessing the same URL from any other browser works, except Chrome.
I would appreciate your help in fixing this error.
Mixed Content: The page at 'https://www.domainname.com/' was loaded
over HTTPS, but requested an insecure font
'http://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu5mxKOzY.woff2'.
This request has been blocked; the content must be served over HTTPS.
Just for the record and for anyone that might be facing a similar problem: as @Raj mentioned in his answer, Chrome does not let https sites use resources from http sites.
However, I narrowed down the issue when I served an empty page with just HTML and Body tags and confirmed the issue still persisted. This told me there might be something else wrong somewhere.
And it happened to be one of the installed Chrome extensions that was injecting this font resource. I fixed the issue by disabling all extensions. I will figure out which one was doing the harm by re-enabling them one after another.
Chrome does not let https sites use resources from http sites. Changing to https://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu5mxKOzY.woff2 will solve the problem.
I had the same problem. The solution was to deactivate a Chrome plugin. In my case, it was VLC Video Downloader, which inserted this path to an insecure resource.

The page was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint

I am calling a REST API from an HTTPS-deployed application to an HTTP REST API.
I have written the logic in JavaScript using the AngularJS framework.
The web service call failed with the message below.
The page at 'https://********someurl****' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint
Requesting if anyone can help me get out of this error.
Workaround:
1- Click the shield icon in the far right of the address bar.
2- In the pop-up window, click "Load anyway" or "Load unsafe script".
If you want to set your Chrome browser to ALWAYS (on all webpages) allow mixed content:
1- Close Chrome. Chrome must be fully closed before the next steps.
2- Right-click the Google Chrome desktop icon (or Start Menu link). Select Properties.
3- At the end of the existing information in the Target field, add: " --allow-running-insecure-content" (There is a space before the first dash.)
4- Click OK.
5- Open Chrome and try to launch the content that was blocked earlier. It should work now.
This is just a workaround; you need to solve it by securing both the app and the REST API.
Use an https endpoint for your REST API, otherwise you will end up with mixed content.
HTTPS is important to protect both your site and your users from attack.
Mixed content degrades the security and user experience of your HTTPS site.
If you are unable to switch to https, another solution is to set up a server-side endpoint which you access via https, which then makes the call to the http URL and returns the result. In other words, make your own little HTTPS proxy to the http resource.
In my case Chrome was causing the issue, I don't know why; other browsers work fine.
Tip: I wasted two days trying to find out the cause; hope this will help someone.

Refused to display, set X-Frame-Options to SAMEORIGIN

I have a very old site built in ASP.NET in 2008 by an external team who I have no contact with. All of a sudden a page doesn't seem to render properly in Chrome and Firefox but works fine with other browsers. The page is set with an iFrame.
Looking under Inspect Element (Chrome) for the page failing to render I see the error
Refused to display 'http://www.example.com/somepage.html' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN, SAMEORIGIN'.
So I read a few articles, and I may not understand this fully, but it seems to me the error means that the domain requested will NOT allow itself to be displayed within a frame.
The URL above is not the URL I am familiar with (i.e. it's third party; I don't have any control over it). Is there any way to resolve this, or is this purely something the owner of the domain would have to allow? If so, why does it work in other browsers?
Is there any way to resolve this
Not at your end.
or is this purely something the owner of the domain would have to allow?
This.
If so, why does it work in other browsers?
Speculating a little here, but SAMEORIGIN, SAMEORIGIN is not a valid value. It looks like Chrome is attempting error recovery and treating it as SAMEORIGIN.
Quentin's answer summarises it well.
In addition, if it is an external site beyond your control, they may have good reasons to forbid framing (like preventing clickjacking).
They may also have included a Content-Security-Policy: frame-ancestors 'self' header, which would have the same effect.
(And currently, a bug in Chromium (and Chrome) causes X-Frame-Options to take precedence over Content-Security-Policy, while it should not.)
You may hack that if their site is served over http (not https) and you have control of a common network device through which all your users' network traffic to this site must go. I mean, on that device, if it does allow you to do so, you may filter out 'undesired' headers from responses of this site.
Of course, this is a debatable hack. Depending on the terms of use of the 'victim' site, it could even be a legal issue to do so.
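A checker for the two headers discussed in this thread, added here as an example (not code from the question or the answers): it decides whether a response may be framed. X-Frame-Options arrives as one comma-joined string when a server emits the header twice (hence 'SAMEORIGIN, SAMEORIGIN'); following the rule the HTML spec now uses, identical duplicates collapse and conflicting values block, and a CSP frame-ancestors directive, when present, takes precedence so that X-Frame-Options is ignored. It assumes lowercase header names and supports only 'none', 'self', '*' and host sources in frame-ancestors; the embedding origin is a constructed placeholder.

```javascript
// Added example (not from the question or its answers): decides whether a
// response may be shown in a frame. Identical duplicate X-Frame-Options values
// collapse, conflicting values block; CSP frame-ancestors, when present, wins.
// Assumes lowercase header names; frame-ancestors sources: 'none', 'self', '*', host.

function parseCspDirective(cspHeader, name) {
  for (const directive of (cspHeader || '').split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === name) return parts.slice(1);
  }
  return null;
}

function ancestorMatches(src, responseOrigin, ancestorOrigin) {
  const s = src.replace(/^'(.*)'$/, '$1').toLowerCase();
  if (s === 'none') return false;
  if (s === '*') return true;
  if (s === 'self') return ancestorOrigin === responseOrigin;
  const a = new URL(ancestorOrigin);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.[^/:]+|[^/:]+)(?::(\d+|\*))?\/?$/.exec(s);
  if (!m) return false;                                         // unsupported source form
  if (m[1] && m[1] !== a.protocol.slice(0, -1)) return false;
  const hostOk = m[2].startsWith('*.') ? a.hostname.endsWith(m[2].slice(1)) : m[2] === a.hostname;
  const portOk = !m[3] || m[3] === '*' || m[3] === (a.port || (a.protocol === 'https:' ? '443' : '80'));
  return hostOk && portOk;
}

function xFrameOptionsAllow(value, responseOrigin, ancestorOrigins) {
  const unique = new Set(value.split(',').map(v => v.trim().toLowerCase()).filter(Boolean));
  if (unique.has('deny')) return false;
  if (unique.size > 1) return false;                            // e.g. 'SAMEORIGIN, ALLOWALL'
  if (unique.has('sameorigin')) return ancestorOrigins.every(o => o === responseOrigin);
  return true;                                                  // unknown single value is ignored
}

// headers: lowercase-keyed response headers; ancestorOrigins: every frame above, top first
function mayBeFramed(headers, responseOrigin, ancestorOrigins) {
  const frameAncestors = parseCspDirective(headers['content-security-policy'], 'frame-ancestors');
  if (frameAncestors) {
    return ancestorOrigins.every(o => frameAncestors.some(s => ancestorMatches(s, responseOrigin, o)));
  }
  const xfo = headers['x-frame-options'];
  return xfo === undefined ? true : xFrameOptionsAllow(xfo, responseOrigin, ancestorOrigins);
}

// The header from the question, framed by a constructed third-party origin
const LEGACY_HEADERS = { 'x-frame-options': 'SAMEORIGIN, SAMEORIGIN' };
console.log(mayBeFramed(LEGACY_HEADERS, 'http://www.example.com', ['http://legacy-app.example'])); // false
```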

AJAX Blocked from chrome extension content_script

I'm writing a Chrome extension that uses a content_script.
The content script uses XMLHttpRequest to send information about the page to my server, and based on that information the server responds with something that has to be done.
Everything works well on http pages, but fails on https.
The error I get is:
[blocked] The page at '==https page==' was loaded over HTTPS, but ran insecure content from '===myserver - http===': this content should also be loaded over HTTPS.
If I use https on my server, will it work, even though it's a different domain? Is there any way to do it without using SSL on my server?
Thanks.
Yes, you can only call https content from an https page. See these for help on the mixed content issue:
https://support.google.com/chrome/answer/1342714?hl=en
http://kb.iu.edu/data/bdny.html
You can test your extension with mixed content by enabling it explicitly as instructed at:
http://wiki.sln.suny.edu/display/SLNKB/Enabling+mixed+content+in+Google+Chrome
If you enable SSL/https on your web server, this will solve the issue for your users also. A cheaper and easier way to enable SSL on your server almost instantly would be to use Cloudflare.

bookmarklet on https page

I'm trying to make a bookmarklet to use on YouTube and other video sites in order to easily get information from the video and store it elsewhere.
As of today, apparently I can't do that anymore, since YouTube forces itself onto an https connection, and from what I've read in Chrome's console window, the bookmarklet doesn't run on an https page. Is there a workaround?
Here is the edited code:
javascript:(function(){var jsCode=document.createElement('script');jsCode.setAttribute('src','http://[mysite]/b/enter.php?i=userid&r='+Math.random());document.body.appendChild(jsCode);}());
Google Chrome (and possibly other browsers?) blocks HTTP resources from being accessed from an HTTPS document. This is to prevent "mixed content" attacks, in which insecure HTTP scripts could be intercepted by an attacker in transit over the network and altered to perform any kind of malicious activity (e.g., leak cookies or sensitive page information to a third party). Such a violation would undo any protection granted by HTTPS.
Chrome used to provide a prominent warning that an insecure resource was blocked, but now it no longer does so, and all insecure loads silently fail. The only solution available to you at this time is to use HTTPS yourself when you serve the script.
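The blocking rule described in the answer above, applied to the three failing requests quoted on this page, as an added example (not code from the question or any answer). It follows the W3C Mixed Content rules: a request from an HTTPS document is mixed unless its URL is "a priori authenticated" (https/wss, a loopback host, or data:/blob:/about:); images, audio and video are only optionally blockable, while scripts, XHR/fetch and fonts are blockable. The current rule exempts loopback hosts, so the 127.0.0.1 request from the first question classifies as not mixed here even though the 2013-era Chrome reported it as insecure content (its connect-src refusal is a separate CSP matter); the `mysite.example` host stands in for the `[mysite]` placeholder in the bookmarklet.

```javascript
// Added example (not from the question or its answers): classifies a request
// from a document as 'not-mixed', 'optionally-blockable' or 'blockable' per the
// W3C Mixed Content rules. Loopback hosts and https/wss/data/blob/about URLs are
// "a priori authenticated"; image/audio/video are optionally blockable; all else
// (script, xhr, font, iframe, style, ...) is blockable and fails on an HTTPS page.

const OPTIONALLY_BLOCKABLE = new Set(['image', 'audio', 'video']);

function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase();
  return h === 'localhost' || h.endsWith('.localhost') || h === '[::1]' ||
         /^127(?:\.\d{1,3}){3}$/.test(h);
}

function isAPrioriAuthenticated(url) {
  const u = new URL(url);
  if (['https:', 'wss:', 'data:', 'about:', 'blob:'].includes(u.protocol)) return true;
  return (u.protocol === 'http:' || u.protocol === 'ws:') && isLoopbackHost(u.hostname);
}

// destination: request type, e.g. 'script', 'font', 'xhr', 'image', 'iframe', 'style'
function classifyMixedContent(pageUrl, requestUrl, destination) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return 'not-mixed';   // only HTTPS documents restrict
  if (isAPrioriAuthenticated(requestUrl)) return 'not-mixed';
  return OPTIONALLY_BLOCKABLE.has(destination) ? 'optionally-blockable' : 'blockable';
}

// The three failing requests quoted on this page (mysite.example is a placeholder)
const CASES = [
  ['https://www.website.com/', 'http://127.0.0.1:8081/whatever.php', 'xhr'],
  ['https://www.domainname.com/', 'http://fonts.gstatic.com/s/roboto/v18/KFOmCnqEu92Fr1Mu5mxKOzY.woff2', 'font'],
  ['https://www.youtube.com/watch', 'http://mysite.example/b/enter.php', 'script'],
];
for (const [page, req, dest] of CASES) console.log(dest, classifyMixedContent(page, req, dest));
```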
In Firefox, if you want to run a bookmarklet that references http on an https page, the way to get around this is to temporarily disable security.mixed_content.block_active_content. There are two ways to do this.
1- Go to about:config in a new tab, search for security.mixed_content.block_active_content and then toggle the value to false. Run your bookmarklet and then toggle it back to true (since you probably want it turned on most of the time).
2- Use an add-on / extension to toggle the block. A quick search turned up Toggle Mixed Active Content, and a quick test seemed to work well. There may be others.
Have fun and be careful. Here be dragons!
the bookmarklet doesn't run on an https page
Why not?
Try changing to an HTTPS domain yourself. Usually HTTP content is blocked when you're on an HTTPS domain.
I have created a work-around "fix" for this issue using a Greasemonkey userscript. You can now have bookmarklets on all CSP and https:// sites, plus have your bookmarklets in a nice, easily-editable library file instead of being individually squished into a bookmark.
