tags:

views:

31

answers:

2
Q: 

How can you tell exactly what insecure items are causing a browser to warn about mixed secure and insecure items?

In Firefox, I view my site and get no warnings about insecure mixed content.

Using FireBug, I can see that every request is https.

In Chrome, I get the https crossed out in the address bar.

Chrome's address bar

Chrome's error

I viewed source in Chrome and then ran this regex /http(?!s)/ but the only things it found were the href attributes for some external links and the doc type and http-equiv meta tags.

Using Chrome's Resource Tracking revealed all requests were https too.

This includes Google Analytics, jQuery from Google's CDN and Facebook like scripts.

Is there any specific tool I can use to show non https requests, or anything further I can try?

Would it help if I linked you to the live site?

Thanks!

+1  A: 

Do you have the HttpFox plugin for FireFox? That'd work, I think. Among other things, it reports on the URL, Method, Result Code, and bytes of all the assets that a web page requests. It's what I've used to trap the occasional non-HTTPS graphic, etc. I'm sure the other suggested tools would do the same...

LesterDove  2010-10-13 01:27:37
Nope, but I'll go check it out now. Thanks.
alex  2010-10-13 01:32:28
Damn, couldn't find any non HTTPS requests with it.
alex  2010-10-13 01:40:52
+2  A: 

I would recommend Fiddler2.

From the site:

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and "fiddle" with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.

Cory Larson  2010-10-13 01:31:19
You accepted this answer... what did you find out?
Cory Larson  2010-10-13 03:15:08

related questions

How would you implement a secure static login credentials system in Java?
Blocking https url's in a embedded gecko browser
Restrict Apache to only allow access using SSL for some directories
How to put up an off-the-shelf https to http gateway?
Rails SSL Requirement plugin -- shouldn't it check to see if you're in production mode before redirecting to https?
What's the best way to learn server RESTful code?
Force HTTPS. How is it possible?
How can I get LWP to validate SSL server certificates?
What must I do to make content such as images served over HTTPS be cached client-side?
What does a PHP developer need to know about https / secure socket layer connections?
What's a clean/simple way to ensure the security of a page?
Making sure a web page is not cached, across all browsers.
Best way in asp.net to force https for an entire site?
Any way to handle Put and Delete verbs in ASP.Net MVC?
Response.Redirect with POST instead of Get?
How to get the correct Content-Length for a POST request.
IIS7: HTTP->HTTPS Cleanly
[ASP.NET ERROR] The request was aborted: Could not create SSL/TLS secure channel.
Testing HTTPS files with MAMP
How do banks remember "your computer"?
Avoid traffic shaping by using ssh on port 443
Convince Firefox to send an If-Modified-Since header over HTTPS
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
Options for Google Maps over SSL