We added RefTagger plugin to our sites: WTTU.co and worshipteamtraining.com
This week, we added SSL to our sites, but it’s giving a mixed content warning. The URL gave us an error icon about the insecure connection coming into our sites.
Our coder told us that it was tracked down to be a pixel being added by the plugin. It looks like reftagger isn’t using a secure link. It's showing a mix of http coming into our https sites. It’s probably getting added to our site by a script. There is no way we can fix this on our end, since it's an incoming code.
We deactivated RefTagger and the SSL green lock fully appears. The site works perfect, but without RefTagger.
We want to use RefTagger, but we need both our sites to be fully secured.
Are you aware of this issue, and how can this be fixed?
Is there a way we can do this ourselves, please advise?
- Branon D. Email: info@WTTU.co
Same here. It is on Reftagger's end. This began today a few hours ago. Now my site's ssl is broken because of mixed content: Christian Forums
Christian Forums
Branon Dempsey (Worship Team Training):Is there a way we can do this ourselves, please advise?
It is a problem at RefTagger's end. The only way for you to fix it at the moment would be to implement a Content Security Policy directive (you just add a meta tag to your HTML head).
In that case you have two options
First, you could block the non-https image from even loading, so users won't see the mixed content error: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
As an alternative, you could force the browser to try https instead of http: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests
Adding your provided resource to my header worked:
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">
Much appreciated Mark!
God bless,
William
William, are you working in WP?
No Branon, I'm using Vbulletin for a forum solution.
Thank you Mark, we're in WordPress, using the Avada theme. Where do I put this code exactly?
I put mine in my header template but I'm using Vbulletin.
I would think you could put it in the same template you put your reftagger code in? That is, unless you're using a plugin etc.
right, we are using a plugin
Just want to say thank you Mark and William for chiming in so quickly :)
We resolved the issue!
Please note this for other WP users for https sites:
Intall the plugin:
https://wordpress.org/plugins/wp-content-security-policy/
Go to Settings > Content Security Policy Options
Inside the Window "Default SRC" type in https:
then DONE!
Thanks for the reports gentlemen. It is indeed an issue on our end and we'll work on getting it fixed right away.
Glad to help Mitch! - blessings, bd
When installing the WP Content Security plug in, also install this other plugin - they can work together...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content
Deactivate RefTag to test
Install both new security plugins to work
Turn on RefTag
Test on a separate browser (FireFox) and it should work :))
Ok, reftagger should be back to using SSL as before. Please let me know here if it still isn't behaving itself :)
Branon Dempsey (Worship Team Training):The security plug-in works great, but it's so secure, that it's not allowing the pixel from RefTag to go through as a https.
Reftagger has been fixed at the server side, so it should be OK now. I'm not seeing RefTagger errors on either of your sites.
The problem with WTTU is that it's using lots of inline scripts and fonts, which are getting blocked by the new CSP. You should either disable the CSP (now that RefTagger is working server-side), or change the CSP to allow 'unsafe-inline'.
The problem with WorshipTeamTraining, is that lots of images are being served over http (not just RefTagger). For this site, to avoid mixed content errors, you should be using the CSP to upgrade insecure requests, rather than to block them (see my original post).