SSL mixed content warning - please help?

We added RefTagger plugin to our sites: WTTU.co and worshipteamtraining.com

This week, we added SSL to our sites, but it’s giving a mixed content warning. The URL gave us an error icon about the insecure connection coming into our sites.

Our coder told us that it was tracked down to be a pixel being added by the plugin. It looks like reftagger isn’t using a secure link. It's showing a mix of http coming into our https sites. It’s probably getting added to our site by a script. There is no way we can fix this on our end, since it's an incoming code.

We deactivated RefTagger and the SSL green lock fully appears. The site works perfect, but without RefTagger.

We want to use RefTagger, but we need both our sites to be fully secured.

Are you aware of this issue, and how can this be fixed?

Is there a way we can do this ourselves, please advise?

- Branon D. Email: info@WTTU.co

Find more posts tagged with

Comments

William Thomas

Same here. It is on Reftagger's end. This began today a few hours ago. Now my site's ssl is broken because of mixed content: Christian Forums

Mark Barnes

Is there a way we can do this ourselves, please advise?

It is a problem at RefTagger's end. The only way for you to fix it at the moment would be to implement a Content Security Policy directive (you just add a meta tag to your HTML head).

In that case you have two options

First, you could block the non-https image from even loading, so users won't see the mixed content error: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

As an alternative, you could force the browser to try https instead of http: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests

William Thomas

https://community.logos.com/discussion/comment/900532#Comment_900532

Adding your provided resource to my header worked:

Much appreciated Mark!

God bless,

William

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900534#Comment_900534

William, are you working in WP?

William Thomas

https://community.logos.com/discussion/comment/900539#Comment_900539

No Branon, I'm using Vbulletin for a forum solution.

God bless,

William

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900532#Comment_900532

Thank you Mark, we're in WordPress, using the Avada theme. Where do I put this code exactly?

William Thomas

https://community.logos.com/discussion/comment/900541#Comment_900541

I put mine in my header template but I'm using Vbulletin.

I would think you could put it in the same template you put your reftagger code in? That is, unless you're using a plugin etc.

God bless,

William

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900542#Comment_900542

right, we are using a plugin

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900543#Comment_900543

Just want to say thank you Mark and William for chiming in so quickly

We resolved the issue!

Please note this for other WP users for https sites:

Intall the plugin:

https://wordpress.org/plugins/wp-content-security-policy/

Go to Settings > Content Security Policy Options

Inside the Window "Default SRC" type in https:

then DONE!

Mitch (Faithlife)

Thanks for the reports gentlemen. It is indeed an issue on our end and we'll work on getting it fixed right away.

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900552#Comment_900552

Glad to help Mitch! - blessings, bd

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900547#Comment_900547

When installing the WP Content Security plug in, also install this other plugin - they can work together...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

Deactivate RefTag to test

Install both new security plugins to work

Turn on RefTag

Test on a separate browser (FireFox) and it should work )

Mitch (Faithlife)

Ok, reftagger should be back to using SSL as before. Please let me know here if it still isn't behaving itself

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900562#Comment_900562

It's a no go.

The security plug-in works great, but it's so secure, that it's not allowing the pixel from RefTag to go through as a https.

Because of this, RefTagger is still not working.

Our coder found that the pixel needs to go through as an https in order for RefTag to work. But RefTag is coming from an HTTP - not an HTTPS

RefTag needs to fix the plug-in so that https sites like ours, can't take full advantage of both the plug-in and the security of SSL

Can Faithlife fix this?

Mark Barnes

https://community.logos.com/discussion/comment/900639#Comment_900639

The security plug-in works great, but it's so secure, that it's not allowing the pixel from RefTag to go through as a https.

Reftagger has been fixed at the server side, so it should be OK now. I'm not seeing RefTagger errors on either of your sites.

The problem with WTTU is that it's using lots of inline scripts and fonts, which are getting blocked by the new CSP. You should either disable the CSP (now that RefTagger is working server-side), or change the CSP to allow 'unsafe-inline'.

The problem with WorshipTeamTraining, is that lots of images are being served over http (not just RefTagger). For this site, to avoid mixed content errors, you should be using the CSP to upgrade insecure requests, rather than to block them (see my original post).

Branon Dempsey (Worship Team Training)

https://community.logos.com/discussion/comment/900660#Comment_900660

Thank you Mark, all works perfect! WTTU.co is fixed with RefTagger, appreciate the help and quick response, you guys are outstanding! You're right about the other mixed content into WTT, but your solution worked. We are glad to use RefTagger again and to have WTTU.co working perfect for our members!