Reputation: 695
Is there a way to make sure Magento calls secure URLs when it's in the checkout process? The problem is the web browser complains when over httpS because not all resources are secure. In the source I have things like <script type="text/javascript" src="httP://something"> which triggers this error. I'm afraid customers won't think the site is secure.
I know I can use this: <?php echo $this->getUrl('something/', array('_secure' => true)) ?>
However, I don't want all my javascript resources to be secure all the time, just in the checkout process.
It seems Magento should handle this automatically when you configure it to use frontend SSL, but apparently not.
So my question is what is the best way to handle this?
Thanks
Upvotes: 2
Views: 1999
Reputation: 6457
Magento serves out everything secure that it controls. The problems usually come from scripts that load content from other sites. Magento doesn't have any control over these. It would have to literally rewrite the script in order to do that.
It's your responsibility to see that the scripts are properly written or else banished to pages where they belong so the browser doesn't complain about insecure content.
A case where relative protocols did not work: we took on Authorize.NET and chewed them out because of their security badge causing Internet Explorer to pop up the insecure content warning during cart operations, the very place you want the badge to show so the customer knows their credit card info is being properly handled. They had the problem fixed within two weeks after we told them people were not ordering and actually complaining about site security when we showed their badge in the cart.
It was caused because the script they gave you at the time, which we tried to modify for relative protocol, then turned around and called yet another script that retrieved plain ole port 80 insecure content.
Facebook can go like itself on another page, it doesn't belong in cart operations (another script menace we had to deal with).
Upvotes: 0
Reputation: 23205
The customer would be correct - the page content is not secure.
If you hardcode protocols in markup or incorrectly specify protocols in code, the system delivers what you ask. It's incumbent on the implementer to make sure the markup is correct.
That said, asset sources can use relative protocols in markup:
<script src="//cdn.com/some.js"></script>
Also, secured/non-secured status can be passed dynamically to arguments.
Upvotes: 1
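A check for the hardcoded-protocol problem discussed in the answers above, as an added example that is not part of the original posts: it scans rendered checkout HTML for subresources pinned to http:// and leaves protocol-relative and https:// references alone. The `audit` function, the `MixedContentAudit` class and the sample page with its placeholder hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute whose URL the browser fetches as a subresource.
FETCH_ATTRS = {"script": "src", "iframe": "src", "link": "href",
               "embed": "src", "object": "data", "img": "src"}
# Active content can rewrite the page; passive content (images) cannot.
ACTIVE = {"script", "iframe", "link", "embed", "object"}

class MixedContentAudit(HTMLParser):
    """Collects subresources that are hardcoded to plain http://."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, severity)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # canonical/alternate links are not fetched as page content
        url = (attrs.get(attr) or "").strip()
        # Protocol-relative (//host/x) and https:// URLs inherit or keep TLS.
        if url.lower().startswith("http://"):
            severity = "active" if tag in ACTIVE else "passive"
            self.findings.append((self.getpos()[0], tag, url, severity))

def audit(html):
    """Return the insecure subresource references found in an HTTPS page."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample of a checkout page; hosts are placeholders.
SAMPLE = """<html><head>
<link rel="canonical" href="http://shop.example/checkout/">
<link rel="stylesheet" href="http://cdn.example/skin.css">
<script type="text/javascript" src="httP://something"></script>
<script src="//cdn.com/some.js"></script>
</head><body>
<img src="http://badge.example/seal.gif">
<script src="https://shop.example/js/checkout.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, severity in audit(SAMPLE):
        print(f"line {line}: <{tag}> loads {url} ({severity} mixed content)")
```

This is a static check of the markup only. A script that is itself loaded securely and then pulls further content over plain HTTP, as in the Authorize.NET badge case described above, shows up only in the browser's console or network log.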