javascriptvue.jshttpsmixed-content

What makes a browser load content from an http URL even when frontend source has an https URL?


my vue component is loading external content in an iframe

<iframe src="https://external-site" />

works fine locally, but once I deploy to my https site

Mixed Content: The page at 'https://my-site' was loaded over HTTPS, but requested an insecure frame 'http://external-site'. This request has been blocked; the content must be served over HTTPS.

network tab shows 2 requests, both have status (cancelled), and both have request url is HTTPS..


Solution

  • For general cases like redirecting URLs with no trailing slash to corresponding URLs with trailing slash added, some servers have broken configurations with http: hardcoded in the redirect — even if the server has other configuration that subsequently redirects all http URLs to https.

    For example, the case in the question had a URL https://tithe.ly/give?c=1401851 (notice the missing trailing slash) that was redirecting to http://tithe.ly/give/?c=1401851 (notice the http, no-https). So that’s where the browser stopped and reported a mixed-content error.

    That http://tithe.ly/give/?c=1401851 redirected to https://tithe.ly/give/?c=1401851 (https) in this case. So the fix for the problem in the question would be to change the request URL in the source to https://tithe.ly/give/?c=1401851 (with trailing slash included).

    If you were to open https://tithe.ly/give?c=1401851 (no trailing slash) directly in a browser, the chain of redirects described in this answer just happens transparently and so it looks superficially like the original URL is OK. That can leave you baffled about why it doesn’t work.

    Also: when you check the Network pane in browser devtools, it’s not going to readily show you the redirect chain, because as noted above, browsers follow redirects transparently — except when the chain has a non-https URL, causing the browser to stop, breaking the chain.

    So the general troubleshooting/debugging tip for this kind of problem is: Check the request URL using a command-line HTTP client like curl, and step through each of the redirects it reports, looking carefully at the Location response-header values; like this:

    $ curl -i https://tithe.ly/give?c=1401851
    …
    location: http://tithe.ly/give/?c=1401851
    …
    $ curl -i http://tithe.ly/give/?c=1401851
    …
    Location: https://tithe.ly/give/?c=1401851