Forced HTTPS vs mixed content

ultramage
Posts: 9
Joined: Thu May 23, 2013 3:12 pm

Forced HTTPS vs mixed content

Post by ultramage »

NoScript has a feature in its advanced section to force certain domains to always go over HTTPS.
Firefox 23+ has a feature to block mixed content (plaintext requests from HTTPS origin).

Problem no. 1: even if I use NoScript's HTTPS forcing feature, Firefox won't show the padlock and still complains about mixed content.
Problem no. 2: if I turn on the mixed content blocker, it runs first and blocks everything before NoScript gets a chance to do its rewriting.

Any thoughts on how to proceed to make these work? Ideally I'd prefer if Firefox had a built-in force https feature, but since it doesn't, NoScript's is the next best thing, but right now it's interacting with Firefox in this undesirable way.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Forced HTTPS vs mixed content

Post by therube »

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 SeaMonkey/2.21a2
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Forced HTTPS vs mixed content

Post by Thrawn »

Just checking: are all of the resources actually being caught by the Force HTTPS feature? I.e., you're definitely catching all of the affected domains?
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
mattmccutchen
Posts: 9
Joined: Mon Mar 23, 2009 12:26 am

Re: Forced HTTPS vs mixed content

Post by mattmccutchen »

I have the same problem on https://www.elmoto.net/ : specifically, CSS files show mixed content errors, while js, png, and gif files all seem to be redirected fine. I'm using NoScript 2.6.8.17 with Firefox 27.0.1 (Fedora 20), and I have an HTTPS rule for www.elmoto.net . The Firebug console shows (one line removed because it tripped the forum spam filter):
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
Giorgio Maone
Site Admin
Posts: 9526
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Forced HTTPS vs mixed content

Post by Giorgio Maone »

Looking for a workaround, thanks.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Forced HTTPS vs mixed content

Post by Thrawn »

Maybe Firefox should give users the option of either blocking mixed content or forcing it to HTTPS (which will have the same effect if HTTPS is not available, but will fix the problem when it is available).

Anyone know whether there is a bug for this?

EDIT: Bug is here.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Forced HTTPS vs mixed content

Post by Thrawn »

Well, there is this bug, which points out that the same issue occurs with "mixed content" that is actually secured by HSTS.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0
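
Added example (not part of any post in this thread, and not NoScript or Firefox code): one way to run the check asked about above, listing the http:// subresources of an HTTPS page, whether Firefox's blocker treats each as active or passive, and whether a forced-HTTPS host list covers its host. The sample markup, host names and the rule syntax (`host` or `*.domain`) are constructed assumptions.

```javascript
// Added illustration. Scripts, stylesheets and iframes count as active mixed
// content (blocked by default in Firefox 23+); images/audio/video as passive.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link']);

// Simplified rule match (assumption): exact host, or "*.example.org" for subdomains.
function hostCovered(host, rules) {
  return rules.some(r => (r.startsWith('*.') ? host.endsWith(r.slice(1)) : host === r));
}

function auditMixedContent(pageUrl, html, rules) {
  // Mixed content only exists when the page itself was loaded over HTTPS.
  if (new URL(pageUrl).protocol !== 'https:') return [];
  const findings = [];
  const tagRe = /<(script|iframe|link|img|audio|video)\b([^>]*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    // Only <link rel="stylesheet"> is treated as an active load here.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet/i.test(attrs)) continue;
    const attrName = tag === 'link' ? 'href' : 'src';
    const ref = new RegExp(`(?:^|\\s)${attrName}\\s*=\\s*["']([^"']+)["']`, 'i').exec(attrs);
    if (!ref) continue;
    const url = new URL(ref[1], pageUrl); // resolves relative references
    if (url.protocol !== 'http:') continue; // already secure, not mixed
    findings.push({
      url: url.href,
      kind: ACTIVE_TAGS.has(tag) ? 'active' : 'passive',
      covered: hostCovered(url.hostname, rules),
    });
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_URL = 'https://www.example.org/forum/';
const SAMPLE_PAGE = `
<link rel="stylesheet" href="http://www.example.org/css/main.css">
<link rel="icon" href="http://www.example.org/favicon.ico">
<script src="http://cdn.example.net/app.js"></script>
<script src="/local.js"></script>
<img src="http://img.example.org/logo.png">
<img src="https://www.example.org/ok.png">`;
const SAMPLE_RULES = ['www.example.org', '*.example.org'];

for (const f of auditMixedContent(SAMPLE_URL, SAMPLE_PAGE, SAMPLE_RULES)) {
  console.log(`${f.kind.padEnd(7)} covered=${f.covered} ${f.url}`);
}
```

An `active` entry with `covered=false` is a host the rule list misses entirely; an `active` entry with `covered=true` matches the situation reported in the thread, where the rule exists but the blocker acts on the original http:// URL.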