SSL mixed content warning - please help?


Posts 9
Branon Dempsey (Worship Team Training) | Forum Activity | Posted: Fri, May 5 2017 12:09 PM

We added RefTagger plugin to our sites: WTTU.co and worshipteamtraining.com  

This week, we added SSL to our sites, but it’s giving a mixed content warning. The URL gave us an error icon about the insecure connection coming into our sites.

Our coder told us that it was tracked down to be a pixel being added by the plugin. It looks like reftagger isn’t using a secure link. It's showing a mix of http coming into our https sites. It’s probably getting added to our site by a script. There is no way we can fix this on our end, since it's an incoming code.

We deactivated RefTagger and the SSL green lock fully appears. The site works perfect, but without RefTagger.

We want to use RefTagger, but we need both our sites to be fully secured.

Are you aware of this issue, and how can this be fixed?

Is there a way we can do this ourselves, please advise?

- Branon D. Email: info@WTTU.co

Posts 5
William Thomas | Forum Activity | Replied: Fri, May 5 2017 12:12 PM

Same here. It is on Reftagger's end. This began today a few hours ago. Now my site's ssl is broken because of mixed content: Christian Forums

Posts 13419
Mark Barnes | Forum Activity | Replied: Fri, May 5 2017 12:34 PM

Branon Dempsey (Worship Team Training):
Is there a way we can do this ourselves, please advise?

It is a problem at RefTagger's end. The only way for you to fix it at the moment would be to implement a Content Security Policy directive (you just add a meta tag to your HTML head).

In that case you have two options

First, you could block the non-https image from even loading, so users won't see the mixed content error: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

As an alternative, you could force the browser to try https instead of http: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests 

Posts 5
William Thomas | Forum Activity | Replied: Fri, May 5 2017 12:57 PM

Adding your provided resource to my header worked:

<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">

Much appreciated Mark!

God bless,

William

Posts 9

William, are you working in WP?

Posts 5
William Thomas | Forum Activity | Replied: Fri, May 5 2017 1:10 PM

No Branon, I'm using Vbulletin for a forum solution.

God bless,

William

Posts 9

Thank you Mark, we're in WordPress, using the Avada theme. Where do I put this code exactly?

Posts 5
William Thomas | Forum Activity | Replied: Fri, May 5 2017 1:13 PM

I put mine in my header template but I'm using Vbulletin.

I would think you could put it in the same template you put your reftagger code in? That is, unless you're using a plugin etc.

God bless,

William

Posts 9

right, we are using a plugin

Posts 9

Just want to say thank you Mark and William for chiming in so quickly :)

We resolved the issue!

Please note this for other WP users for https sites:

Install the plugin:

https://wordpress.org/plugins/wp-content-security-policy/

Go to Settings > Content Security Policy Options 

Inside the Window "Default SRC" type in https:

then DONE!

Posts 84
LogosEmployee
Mitch (Faithlife) | Forum Activity | Replied: Fri, May 5 2017 1:50 PM

Thanks for the reports gentlemen. It is indeed an issue on our end and we'll work on getting it fixed right away.

Posts 9

Glad to help Mitch! - blessings, bd

Posts 9

When installing the WP Content Security plug in, also install this other plugin - they can work together...

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content

Deactivate RefTag to test

Install both new security plugins to work

Turn on RefTag

Test on a separate browser (FireFox) and it should work :))

Posts 84
LogosEmployee
Mitch (Faithlife) | Forum Activity | Replied: Fri, May 5 2017 3:25 PM

Ok, reftagger should be back to using SSL as before. Please let me know here if it still isn't behaving itself :)

Posts 9
It's a no go. The security plug-in works great, but it's so secure, that it's not allowing the pixel from RefTag to go through as a https. Because of this, RefTagger is still not working. Our coder found that the pixel needs to go through as an https in order for RefTag to work. But RefTag is coming from an HTTP - not an HTTPS. RefTag needs to fix the plug-in so that https sites like ours, can't take full advantage of both the plug-in and the security of SSL. Can Faithlife fix this?
Posts 13419
Mark Barnes | Forum Activity | Replied: Sat, May 6 2017 11:57 AM

Branon Dempsey (Worship Team Training):
The security plug-in works great, but it's so secure, that it's not allowing the pixel from RefTag to go through as a https.

Reftagger has been fixed at the server side, so it should be OK now. I'm not seeing RefTagger errors on either of your sites.

The problem with WTTU is that it's using lots of inline scripts and fonts, which are getting blocked by the new CSP. You should either disable the CSP (now that RefTagger is working server-side), or change the CSP to allow 'unsafe-inline'.

The problem with WorshipTeamTraining, is that lots of images are being served over http (not just RefTagger). For this site, to avoid mixed content errors, you should be using the CSP to upgrade insecure requests, rather than to block them (see my original post).
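
The behaviour discussed in this thread, as an added example that is not part of any post: a simplified JavaScript model of how a browser on an HTTPS page treats an insecure image and an inline script under block-all-mixed-content, upgrade-insecure-requests and a "default-src https:" policy. The decide function, its verdict strings and the tracker.example host are constructed for illustration.

```javascript
// Simplified model: covers only the directives named in this thread and
// scheme sources such as "https:". It is not a full CSP engine.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // As in CSP, the first occurrence of a directive wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// A scheme source matches the URL's scheme; "http:" also matches https.
function schemeAllowed(sources, protocol) {
  return sources.some((s) => s === protocol || (s === 'http:' && protocol === 'https:'));
}

// resource: { inline: true } for an inline script, or { url } for an image.
function decide(policy, resource) {
  const d = parsePolicy(policy);
  const fallback = d.get('default-src'); // undefined when the directive is absent
  if (resource.inline) {
    const ok = !fallback || fallback.includes("'unsafe-inline'");
    return { verdict: ok ? 'allowed' : 'blocked-inline' };
  }
  const url = new URL(resource.url);
  let verdict = 'allowed';
  if (url.protocol === 'http:') {
    if (d.has('upgrade-insecure-requests')) {
      url.protocol = 'https:'; // rewritten before any blocking check runs
      verdict = 'upgraded';
    } else if (d.has('block-all-mixed-content')) {
      return { verdict: 'blocked-mixed' };
    } else {
      verdict = 'mixed-content-warning'; // loads, but the padlock is lost
    }
  }
  if (fallback && !schemeAllowed(fallback, url.protocol)) {
    return { verdict: 'blocked-by-default-src' };
  }
  return { verdict, url: url.href };
}

// Constructed sample resource; the host name is a placeholder.
const PIXEL = { url: 'http://tracker.example/pixel.gif' };
```

An upgraded request only succeeds when the third-party host actually serves the resource over HTTPS; otherwise the image fails to load instead of triggering a warning.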

Posts 9
Thank you Mark, all works perfect! WTTU.co is fixed with RefTagger, appreciate the help and quick response, you guys are outstanding! You're right about the other mixed content into WTT, but your solution worked. We are glad to use RefTagger again and to have WTTU.co working perfect for our members!