Reputation: 283
I've been having this error in Chrome Developer Tools for a while and I just can't seem to find the insecure http:// request. It points to my domain but without https://. http://www.example.com/ is not a script so I don't understand where it's coming from.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html' was loaded over HTTPS, but requested an insecure script 'http://www.example.com/'. This request has been blocked; the content must be served over HTTPS.
Mixed Content: The page at 'https://www.example.com/categoy/a-product.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.example.com/'. This request has been blocked; the content must be served over HTTPS.
Thanks
Upvotes: 0
Views: 2293
Reputation: 6098
I had a similar issue. Is the page you are hosting a single page application with HTML5/history/push-state routing?
This type of routing goes by many names, but what it does is replace your hash-based URL https://address.com/page/#client/side/route with regular routes such as https://address.com/page/client/side/route. When the files are hosted with a static file server, the file server may not know about the client-side routing and return a 404 instead of routing everything to index.html. Apparently, this can lead to the problem you described in Chrome even though the page might appear to work.
In short, many static file hosting tools are not suitable to serve a SPA with HTML5 routing, notably http-server (https://github.com/indexzero/http-server/issues/80). Try a different tool (e.g. serve) or use nginx with try_files $uri $uri/ index.html.
Upvotes: 1
Reputation: 3773
This means your web page is being accessed over https, but it uses resources that are served over http. Modern browsers like Chrome consider this a security risk. The browser does not load the http resources and shows a warning in the developer console.
The solution is to change the protocol method from http to https for all resources that are being accessed over http.
See this link: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content#alternatives_to_csp
Upvotes: 0
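A static check for the situation discussed in this thread, as an added example that is not part of any of the posts above: it lists script, link and media references in a page's HTML that resolve to http:// once an optional <base href> is taken into account. The function names and the sample markup are constructed for illustration; requests issued from JavaScript, such as the XMLHttpRequest in the console message, are not visible to this scan.

```javascript
// Added example: static scan for subresources that resolve to http:// on an
// https:// page. All names and the sample markup are constructed.
const SUBRESOURCE_ATTRS = {
  script: 'src', img: 'src', iframe: 'src', audio: 'src', video: 'src',
  source: 'src', embed: 'src', object: 'data', link: 'href',
};

// Read one attribute value (quoted or unquoted) from a raw tag string.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findInsecureSubresources(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on HTTPS pages

  // <base href> changes how every relative (and protocol-relative) URL resolves.
  const baseTag = /<base\b[^>]*>/i.exec(html);
  const baseHref = baseTag && getAttr(baseTag[0], 'href');
  const base = baseHref ? new URL(baseHref, page) : page;

  const findings = [];
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b[^>]*>/gi)) {
    const tag = m[1].toLowerCase();
    const attr = SUBRESOURCE_ATTRS[tag];
    if (!attr) continue;
    // Only <link> types that fetch a resource; rel=canonical is just metadata.
    if (tag === 'link' && !/stylesheet|preload|icon/i.test(getAttr(m[0], 'rel') || '')) continue;
    const raw = getAttr(m[0], attr);
    if (!raw) continue; // attribute missing or empty
    let resolved;
    try { resolved = new URL(raw, base); } catch { continue; }
    if (resolved.protocol === 'http:') findings.push({ tag, attr, raw, resolved: resolved.href });
  }
  return findings;
}

// Constructed sample page: an http:// <base> makes "relative" references insecure.
const SAMPLE_HTML = `<head><base href="http://www.example.com/">
<script src="js/app.js"></script>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<link rel="canonical" href="http://www.example.com/a-product.html"></head>
<body><img src='//img.example.net/a.png'><img src=http://img.example.net/b.png></body>`;

console.log(findInsecureSubresources(SAMPLE_HTML, 'https://www.example.com/category/a-product.html'));
```

Run it against the served HTML of the affected page (view-source output, not the live DOM), since markup injected later by scripts is outside what a static scan sees.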