[try Beta version]
Not logged in

 
Not Secure: Mixed Content

Mar 11, 2019 at 3:38am
I am updating my site because of Google.

When I first wrote it, google worked off of http. Now it works from https, and my site gives visitors a “Your connection to this site is not fully secure” warning because my search bar (press ESC to get to it) links to the old http://google stuff.

I am fixing that for all but ONE of the linked sites:

    http://ninjawords.com

Which leaves me in a bind. I can:
  • link to something stupid (like dictionary.com) instead, that is https
  • leave the link to the superior dictionary and have visitors wonder why my site is “insecure”


I know next to nothing about web programming... and all the information I can find to fix this either recommends some WordPress plugin or presupposes that the external resource actually exists in an https form.

AFAIU, NinjaWords cannot be made to reduce your security —the worst it does is keep a cookie with your search history. You cannot log in, etc. There’s nothing insecure about it. No secure data crosses the site boundary.


Does anyone know how to simply link to an external http site without triggering the browser’s oh no you’re on a site that wants to be secure but isn’t quite! stuff?

(There’s really nothing insecure about my site either. I just want the stupid lock icon, because not having it scares people.)
Mar 11, 2019 at 3:57am
Hm, anchor links to an external site shouldn't be causing the insecure/mixed content warning even if the target is using http because they aren't content that is rendered.

Could you give a bit more detail regarding the link? And possibly link to your site? IIRC if you open the developer panel a modern browser will be very specific about telling you what is causing it to consider the content to be "mixed".

(Also, regarding the "stupid lock icon": it isn't just about not scaring people, although if they are that is actually a rare case of standard internet security advice actually being listened to by laypeople! I'd google a bit about what HTTPS does since it isn't just for sites that do things you consider "need to be secured", and there are a lot of recommendations as to why. One example: https://doesmysiteneedhttps.com/ )
Mar 11, 2019 at 4:54am
anchor links to an external site shouldn't be causing the insecure/mixed content warning even if the target is using http because they aren't content that is rendered.
That is exactly what I thought.

Also, regarding the "stupid lock icon": it isn't just about not scaring people
Heh, yeah, I know it isn’t just stupid. For my site, there is nothing insecure to need securing, so the difference between http and https is... one has an 'S' on the end of it (and all the encrypted effort needed to request and serve the page involved underneath, of course).

Not complaining, I want https. But ATM it means nothing in terms of what the site actually serves...

    https://michael-thomas-greer.com

The developer panel specifically complains about the links to non-https sites (Google). I haven’t pushed the update yet, since I am looking at ninjawords.com.

If you Ctrl+U and scroll down to <!-- Search dialog --> you will see the default form action is to use Google — still with the http instead of https.

The m.min.js is minified, but the relevant JavaScript is (modified to https for everything but ninjawords; this correction has not yet been pushed to the online site):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
var Search = {

  //-----------------------------------------------------------------------------------------------
  // Search Engine ACTIVATE!
  go: function(engine) {
    var sform  = document.getElementById('searchform'),
        sinput = document.getElementById('search-input');
    // Yeah, because Wikipedia has to be different, "?q=quux" must be "?search=quux".
    sinput.name = 'q';
    switch (engine) {
      case 'lucky':      
      case 'google':     sform.action = 'https://www.google.com/search';        break;
      case 'images':     sform.action = 'https://www.google.com/images';        break;
      case 'wikipedia':  sform.action = 'https://en.wikipedia.org/wiki/';       
                         sinput.name  = 'search';                               break;
      case 'dictionary': sform.action = 'http://ninjawords.com';                break;
      case 'youtube':    sform.action = 'https://www.youtube.com/results';      break;
    }
    Search.dialog.hide(1);
  },

Press ESC on any page and you will see the search dialog popup in action.

Thanks for looking at it.
Mar 11, 2019 at 5:18am
Ah, you are not using anchor links here. You are creating a form that gets to an external site, which is a little different.

My Firefox didn't complain about your site having mixed content on the page itself (as it doens't).

When I tried to post that search form, however, it told me I was sending the request to an insecure (i.e., http) site. This is likely because the browser is looking at the actual content of the page, where you have filled in "http://wikipedia.whatever", and it sees http there. It is not taking into account the JS magic you have swapping out the form's action attribute before the submit actually occurs.

Therefore, I wager if you put "https://example.com/" or anything that looks secure in the action attribute, that notice will go away.

As I understand things, browsers warn about this specifically because forms tend to send data, and so the user is presumably more likely to want to know if they are sending data to an insecure site; this is as opposed to a link, which users usually expect to possibly go somewhere external and I assume that showing those kinds of warnings on ordinary links was going too far (i.e., would happen all the time and be annoying) in terms of warning users.

If you really want to get around this, you may be able to just programatically open a new tab using Javascript at the URL you have rather than using a form to send a get reqeust.

(Edit: I'll check around on Chrome and see if it complains about mixed content)
Last edited on Mar 11, 2019 at 5:21am
Mar 11, 2019 at 5:23am
Checking Chrome, it seems Chrome does read the action of that form and produce the mixed content warning. Above stuff I wrote should still apply.
Mar 11, 2019 at 6:54am
Ah, that makes perfect sense. Thank you for explaining it clearly.

I’ll spend some time tomorrow pushing the update and see if that doesn’t fix it.

Thank you!
Topic archived. No new replies allowed.