Author Topic: Insecure Content Blocked - But can't find the reason  (Read 782 times)

Offline tschiemer

  • Posts: 62
    • NVious Designs
Insecure Content Blocked - But can't find the reason
« on: April 26, 2019, 08:51:33 PM »
https://www.mob-traffic.com/
 
We have recently made one of our client sites secure using an SSL and changed everything over to https://.  All is working on the front end and back end except that there is a warning on mixed content. 

---

Mixed Content: The page at 'https://www.mob-traffic.com/' was loaded over HTTPS, but requested an insecure script 'http://www.mob-traffic.com/'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://www.mob-traffic.com/' was loaded over HTTPS, but requested an insecure image 'http://www.mob-traffic.com/'. This content should also be served over HTTPS.

-----

I have checked all the scripts in the code, in the pages, in the template files, etc., and all links are either relative to the file location, like images, or linking to the https:// location. Nothing comes up as a red flag when we review the files.

So, I used WhyNoPadlock.com to try and find the issues and numerous come up, but all they reference is the line of code, not the file it comes from.  All the lines referenced in the template or pages are correctly changed to https or relative, so this must be coming from something else, like from the Admin. Here are the Test Results from WhyNo:
https://www.whynopadlock.com/results/9a38b250-c782-427b-8757-01431fa97c65

Is there something I am supposed to do to make a Website Baker site fully secure and have all the files, even the admin, pull from https:? Because everything we have put in for the page content, art and templates are right... there is something I am missing and I just don't know what it is, please help.

Another side note, I am about to upgrade all our sites to 2.12.1 from 2.8.3 sp7. Would this help solve the issue?


Offline dbs

  • Betatester
  • Posts: 8036
  • Gender: Male
  • tioz4ever
    • WebsiteBaker - jQuery-Plugins - Module - Droplets - Tests
Re: Insecure Content Blocked - But can't find the reason
« Reply #1 on: April 26, 2019, 09:24:53 PM »
Hi, have you tried to change the GA code in the head of index.php of the template? There is one http:
Maybe this is the problem.
Code:
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';

Offline CodeALot

  • Posts: 437
  • Gender: Male
Re: Insecure Content Blocked - But can't find the reason
« Reply #2 on: April 26, 2019, 09:39:50 PM »
I think(!) that https://www.mob-traffic.com/templates/mob-traffic-new/p7pm/p7popmenu.js does not exist and that your 404 points to a http:// page.
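
Added example (not part of the thread or of any poster's reply): one way to test the redirect theory above, where every reference in the markup is relative or https:// but a missing file is redirected to an http:// page. The host, paths and responses below are constructed, and `lookup` is a hypothetical callable that returns (status, Location) for a URL without following redirects; on a live site it would wrap a HEAD request.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE = {"script", "iframe"}           # http:// loads are blocked outright
PASSIVE = {"img", "audio", "video"}     # http:// loads only raise a warning

class Subresources(HTMLParser):
    """Collect (kind, absolute_url) for each sub-resource the page requests."""
    def __init__(self, base):
        super().__init__()
        self.base, self.found = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower():
            kind, ref = "blocked", a.get("href")
        elif tag in ACTIVE | PASSIVE:
            kind, ref = ("blocked" if tag in ACTIVE else "warning"), a.get("src")
        else:
            return
        if ref:
            self.found.append((kind, urljoin(self.base, ref)))

def audit(page_url, html, lookup, max_hops=5):
    """Return (kind, referenced_url, first_http_hop) for each downgrade."""
    parser = Subresources(page_url)
    parser.feed(html)
    findings = []
    for kind, url in parser.found:
        hop = url
        for _ in range(max_hops):       # examine up to max_hops URLs per chain
            if urlsplit(hop).scheme == "http":
                findings.append((kind, url, hop))
                break
            status, location = lookup(hop)
            if status not in (301, 302, 303, 307, 308) or not location:
                break
            hop = urljoin(hop, location)
    return findings

# Constructed sample: relative references whose missing files redirect to http://
PAGE = "https://www.example.test/"
HTML = '<script src="/templates/t/menu.js"></script><img src="media/logo.png"><script src="/js/ok.js"></script>'
HOPS = {PAGE + "templates/t/menu.js": (302, "http://www.example.test/"),
        PAGE + "media/logo.png": (302, "http://www.example.test/"),
        PAGE + "js/ok.js": (200, None)}
SAMPLE = audit(PAGE, HTML, HOPS.__getitem__)
```

Each finding names the reference as written in the page and the first http:// URL in its redirect chain, which is the URL the browser console reports.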


Offline evaki

  • Posts: 2754
Re: Insecure Content Blocked - But can't find the reason
« Reply #3 on: April 27, 2019, 10:59:56 AM »
 :? -www.mob-traffic.com/php.ini // -www.mob-traffic.com/info.php   :-o
Broken Links:
/templates/mob-traffic-new/fonts/roboto/Roboto-Bold.woff2
/templates/mob-traffic-new/fonts/roboto/Roboto-Light.woff2
/templates/mob-traffic-new/fonts/roboto/Roboto-Medium.woff2
/templates/mob-traffic-new/fonts/roboto/Roboto-Regular.woff2
/templates/mob-traffic-new/fonts/roboto/Roboto-Thin.woff2
/templates/mob-traffic-new/p7pm/p7popmenu.js
Code:
Check: www.ssllabs.com/ssltest/analyze.html?d=www.mob-traffic.com
Reg./MfG. Evaki

« Last Edit: April 27, 2019, 11:14:54 AM by evaki »

Offline evaki

  • Posts: 2754
Re: Insecure Content Blocked - But can't find the reason
« Reply #4 on: April 27, 2019, 11:34:07 AM »
Code:
Cookie Not Marked as Secure
URL  https://www.mob-traffic.com/ 
Identified Cookie(s)  wb_8369-sid 

Cookie Not Marked as HttpOnly
URL  https://www.mob-traffic.com/ 
Identified Cookie(s)  wb_8369-sid 
Code:
Misconfigured iframe: html5!!!
Example
https://www.mob-traffic.com/pages/services/request-an-estimate.php 
Frame Source(s)  https://services.cognitoforms.com/f/4bULkxa_90mHAtGHoNrkqQ?id=5 
Remedy
Apply sandboxing in inline frame
<iframe sandbox src="framed-page-url"></iframe>
For untrusted content, avoid the usage of seamless attribute and allow-top-navigation, allow-popups and allow-scripts in sandbox attribute.
https://html5sec.org/
Code:
Weak Ciphers Enabled
Attackers might decrypt SSL traffic between your server and your visitors.
Actions to Take
For Apache, you should modify the SSLCipherSuite directive in the httpd.conf.
« Last Edit: April 27, 2019, 11:45:29 AM by evaki »