Reputation: 3866
Getting mixed-content errors even though I’m only using https URLs
I'm having the SSL warning messages all over my website after switching to SSL for several assets:
Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure script 'http://example.com/script.js'. This request has been blocked; the content must be served over HTTPS.
- I checked the page source, every single script/css is requested over https.
- I even checked the dynamically created html by using the code inspector.
- I disabled Javascript in case a script was loading these assets dynamically.
None of these things showed a single http:// request. I'm out of ideas to try and find what is causing this. Any ideas or suggestions?
Upvotes: 2
Views: 4131
Answers (2)
Reputation: 847
My 2 cents regarding this issue.
I have a project hosted on one domain that works flawlessly.
I need to make it international so I am cloning the master branch to a new branch, making some necessary text changes and deploying new site (new domain) with code from the new branch.
Everything works fine, except 1 ajax call (api route) that gets blocked due to Mixed content.
First things first, I checked these 3 things:
- I check in the Network tab in dev tools and it is actually loaded through https.
- I open the file directly in browser and it is https.
- I try to open it as http:// and it automatically redirects to https://
This is very strange because the 2 domains are both using Cloudflare and their backend setup is identical, the code is the same (only text changes for the new one) yet for the new setup there is console error for 1 specific api route, an all others (some 20+ ajax requests across the page) work just fine. They are even using the same function to make the Ajax request, so it is definitely not a configuration error.
After doing some investigation I found out the issue:
The call that was 'buggy' was ending in /. For example, all other calls were made to:
https://example.com/api/posts
https://example.com/api/users
And this particular one was making requests to
https://example.com/api/todos/
The slash at the end was making it fail with mixed content issue. I am not sure why this is causing issue and how it isn't an issue on the original site (since there the same ajax call works just fine), but it definitely fixed my issue.
If I figure out what caused the / to fail so miserably, I will post an update.
Upvotes: 1
Reputation: 87994
When seeing a mixed-content message about a http://example.com/script.js (non-https) URL that doesn’t actually appear anywhere in your sources, the basic strategy to follow is:
- Replace the
httpin the URL withhttpsand put that into the address bar in your browser:https://example.com/script.js - If your browser redirects from that
https://example.com/script.jsURL back to (non-https)http://example.com/script.js, then you’ve found the cause:example.com/script.jsisn’t actually available from anhttpsURL, and ends up getting served from ahttpURL even though your source is requesting thehttpsURL.
Upvotes: 4
Related Questions
- https Mixed Content errors
- Mixed content errors with https?
- Mixed content linked correctly still shows error on chrome
- HTTPS assets loading over HTTP, even though src is specified as 'https'
- Mixed content - SSL http/https issue
- Resolving Mixed Content warning from external insecure server
- Google Chrome mixed-content error on HTTPS
- Getting around https mixed content issues?
- Drupal - Mixed content error when using ssl certificate
- http content on a https page - Mixed content