
Why is SyntaxHighlighter being fetched via HTTP from blogger.com?


I added the following HTML to the head section of my blogger.com theme.

<link href='https://alexgorbatchev.com/pub/sh/current/styles/shCore.css' rel='stylesheet' type='text/css'> 
<link href='https://alexgorbatchev.com/pub/sh/current/styles/shThemeDefault.css' rel='stylesheet' type='text/css'> 
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shCore.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushCpp.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushCSharp.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushCss.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushJava.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushJScript.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPhp.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPython.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushRuby.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushSql.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushVb.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushXml.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js' type='text/javascript'></script>
<script language='javascript'> 
    SyntaxHighlighter.config.bloggerMode = true;
    SyntaxHighlighter.config.clipboardSwf = &#39;https://alexgorbatchev.com/pub/sh/current/scripts/clipboard.swf&#39;;
    SyntaxHighlighter.all();
</script>

But when I view a page via HTTP the browser tells me I am requesting insecure HTTP resources from a second HTTPS page.

https://mrpmorris.blogspot.co.uk/2017/06/loading-assembly-from-specific-path.html

If I right-click the alexgorbatchev link in the Chrome Console and select Open in new link, it takes me to an insecure page; if I add https:// to the start of the URL, it loads securely.

Why are Chrome and MS Edge trying to fetch these resources via http when the markup explicitly indicates https?


Solution

  • $ curl -I https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js -k
    HTTP/1.1 302 Moved Temporarily
    ...
    Location: http://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shBrushPerl.js
    ...
    

    You can see that it's actually being redirected to TypePad.com. There's a "cool" story behind this. Back in the dark days when bandwidth was expensive, I was getting 100s of GBs of traffic on these scripts, which was starting to cost over $100 a month. I moved the files to a free hosting service, but I didn't want all existing links to alexgorbatchev.com to break, and so I set up redirects.

    I should probably fix the redirect to use the same protocol as the request :)
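
The check done by hand with `curl -I` above can be automated for every third-party asset a page loads. This is an added example, not part of the original answer: it parses header output in the form printed by `curl -sIL <url>` and reports any redirect hop that moves from https to http. The function names and the second (200) response in the sample are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

START = "https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js"

# Constructed sample in the shape of `curl -sIL` output. The first response
# mirrors the redirect quoted in the answer; the 200 response is made up.
SAMPLE = """\
HTTP/1.1 302 Moved Temporarily
Location: http://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shBrushPerl.js

HTTP/1.1 200 OK
Content-Type: application/javascript

"""

def redirect_chain(start_url, raw_headers):
    """Return every URL visited: the start URL plus each resolved Location."""
    chain = [start_url]
    status = None
    location = None
    # The extra "" flushes a final header block that lacks a trailing blank line.
    for line in raw_headers.splitlines() + [""]:
        line = line.strip()
        if line.upper().startswith("HTTP/"):
            status = int(line.split()[1])
            location = None
        elif line.lower().startswith("location:"):
            location = line.split(":", 1)[1].strip()
        elif not line and status is not None:
            if 300 <= status < 400 and location:
                # urljoin resolves relative and protocol-relative targets
                # against the URL that issued the redirect, as a browser does.
                chain.append(urljoin(chain[-1], location))
            status = None
    return chain

def downgrades(chain):
    """Return (from_url, to_url) pairs where a hop drops from https to http."""
    return [(a, b) for a, b in zip(chain, chain[1:])
            if urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"]

if __name__ == "__main__":
    for src, dst in downgrades(redirect_chain(START, SAMPLE)):
        print(f"HTTPS downgrade: {src} -> {dst}")
```

A protocol-relative `Location` (one starting with `//`) keeps the scheme of the request, so it produces no finding here.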