SSL: Why does Chrome report mixed content? (Drupal 6)

views:

868

answers:

+3 Q:

SSL: Why does Chrome report mixed content? (Drupal 6)

I've just got a site running nicely with the whole site running through SSL, but Google Chrome is throwing a "This page contains some insecure elements" message, which isn't good in terms of end user trust-ability. All other browsers work fine, and give the golden padlock.

The site is a Drupal 6 e-commerce site, running on apache2, and the error appears in the front end as well as the admin area.

Does anyone know of any methods to find out exactly which elements are being considered insecure?

Edit: I've used Fiddler to check the traffic, and it really is all HTTPS. It even complains on the site holding page, which is very light and has no javascript etc on it...

+1 A:

Search the source for http:? Something like <Ctrl-U> <Ctrl-F> http: in firefox should do.

The insecure element is something loaded over insecure — non-https — connection, e.g. image, stylesheet, etc. you obviously need fully qualified URL to load insecure element/

Michael Krelin - hacker 2009-09-17 10:16:54

done that, there is only the links to:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"> Taking those out doesn't fix the problem...

jsims281 2009-09-17 10:21:48

could it be that stylesheet imports another stylesheet or some script-generated content?

Michael Krelin - hacker 2009-09-17 10:32:25

Hmm, there is some styling being done with jquery, but still, all the actual files are coming through https ... looking into this possibility as we speak

jsims281 2009-09-17 10:45:55

+1 A:

Use Firebug plugin of Firefox. In the NET tab all file locations are shown clearly. Try to find any files that are obtained from http protocol.

Cem Kalyoncu 2009-09-17 10:18:49

Good idea, I've just checked through all the files, and every one is HTTPS.Really scratching my head about this one...

jsims281 2009-09-17 10:35:53

+5 A:

It could be a browser issue? Have you tried restarting, or clearing all of your cache?

Tisch 2009-09-17 10:57:54

Wow, yes this was it. Restarted chrome and it works.<sheepish>

jsims281 2009-09-17 11:01:24

;-))) Have to vote this one up.

Michael Krelin - hacker 2009-09-17 11:19:33

In Chrome, this is trivial. Hit CTRL+SHIFT+J to open the developer tools, and it will plainly list the URL of the insecure content.

Try it on https://www.fiddler2.com/test/securepageinsecureimage.htm, for instance.

EricLaw -MSFT- 2009-09-17 14:51:26

FYI, I'm having the same issue with Drupal 6 and Ubercart 2.0. Everything you're saying is also applicable to my situation, and I can't figure it out for the life of me. I don't think this should come into play, but any chance you use ipsCA as your certificate provider?

Did you ever find a solution?

Pat 2010-02-05 22:58:24

This is not an answer. Also, the question is clearly resolved; see the green checkmark over there?

ephemient 2010-02-05 23:26:11

+1 A:

It's probably related to this bug:

http://code.google.com/p/chromium/issues/detail?id=24152

Which is why a restart fixed it.

2010-06-24 18:49:37

ansaurus

tags:

views:

answers:

SSL: Why does Chrome report mixed content? (Drupal 6)

related questions