Mixed content warning due to SSL

  • Problem
  • Updated 5 years ago
When accessing NewsBlur through the secure https version, modern browsers like Chrome and Firefox throw a mixed content warning, which actually means that insecure content is embedded in the secure website. Browsers then also won't load the insecure content without confirmation.

Chrome help says: "The site uses SSL, but Google Chrome has detected insecure content on the page."

This is a completely valid concern since the insecure content could hijack the otherwise secure connection. E.g. SVG image files could contain JavaScript.

Blocked loading of insecure files is documented in the browser's console. It includes feed icons and especially all stylesheets for the "original" view. This is even a problem when the original website uses SSL, too, because NewsBlur still only uses the http protocol.

I know this might not be the easiest problem, but it should be fixed. Otherwise the SSL mode is partly broken and doesn't make that much sense. If fixed you should think about moving https-only, like Google does. The overhead is minimal (≤ 1%), but you'll get security and user trust.
Posted by e2b, 6 years ago

Samuel Clay, Official Rep:
Harder than it sounds. Content is coming from all over and much of it is not https. I've tried to make all of NewsBlur load https-only, but third party images are the big problem.

e2b:
I see.

If you embed the http://www.newsblur.com/reader/page/1234 iframe without https, it loads but can't communicate with your root site anymore. Have you tried using cross-document messaging? It seems widely supported these days.

- http://www.html5rocks.com/en/tutorial...
- https://developer.mozilla.org/en-US/d...
- http://caniuse.com/#feat=x-doc-messaging
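Cross-document messaging does let a parent page and a frame on a different origin talk, but it is only safe when both sides pin the origin: the sender passes an explicit targetOrigin so the message is dropped if the frame has navigated elsewhere, and the receiver checks event.origin before acting on anything. The code below is an added example, not NewsBlur's implementation; the parent origin, the command names and the handler table are assumptions for the demonstration, and the frame origin is the http reader URL mentioned above. The handler returns a small result object so the logic can be exercised outside a browser with constructed event objects.

```javascript
// Added example (not NewsBlur code): origin-checked postMessage on both sides
// of a parent page <-> iframe channel.

const PARENT_ORIGIN = 'https://www.newsblur.com'; // assumed origin of the secure parent page
const FRAME_ORIGIN = 'http://www.newsblur.com';   // origin of the http iframe from the thread

// Parent side: send a command to the frame. The targetOrigin argument makes
// the browser discard the message unless the frame is still on that origin,
// so '*' must never be used for anything the frame should not leak.
function postToFrame(frameWindow, command, payload, targetOrigin = FRAME_ORIGIN) {
  const message = { type: 'newsblur', command, payload };
  frameWindow.postMessage(message, targetOrigin);
  return message;
}

// Receiver side: build a "message" listener that accepts only messages from
// one expected origin, of a known shape, naming a command we actually define.
function makeMessageHandler(allowedOrigin, handlers) {
  return function onMessage(event) {
    // 1. Anyone can postMessage to us; only the expected origin is trusted.
    if (event.origin !== allowedOrigin) return { accepted: false, reason: 'origin' };
    // 2. Validate the payload shape instead of trusting it.
    const data = event.data;
    if (!data || typeof data !== 'object' || data.type !== 'newsblur') {
      return { accepted: false, reason: 'shape' };
    }
    // 3. Look up commands as own properties only, so "toString" or
    //    "constructor" from the object prototype cannot be invoked.
    const handler = Object.prototype.hasOwnProperty.call(handlers, data.command)
      ? handlers[data.command] : null;
    if (typeof handler !== 'function') return { accepted: false, reason: 'command' };
    const result = handler(data.payload);
    // 4. Reply to the verified sender at its verified origin, never '*'.
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage({ type: 'newsblur', command: 'reply', payload: result }, event.origin);
    }
    return { accepted: true, result };
  };
}

// Commands the frame is willing to answer (assumed for the example).
const FRAME_HANDLERS = {
  ping: () => 'pong',
  // e.g. report the document height so the parent can size the iframe
  height: () => (typeof document !== 'undefined' ? document.body.scrollHeight : 0),
};

// In the frame itself this is how the listener would be registered.
if (typeof window !== 'undefined') {
  window.addEventListener('message', makeMessageHandler(PARENT_ORIGIN, FRAME_HANDLERS));
}
```

Two caveats follow from the thread itself. First, messaging fixes the communication problem but not the warning: an http iframe inside an https page is itself blockable mixed content, so the frame has to be served over https anyway. Second, the origin check is the whole security of the channel; a listener that reads event.data without comparing event.origin accepts commands from any page that can obtain a reference to the window.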

bitsculptor:
The strange thing about this is it carries over to other pages I visit in the same tab (on Chrome.) If I have newsblur open and use a bookmark to jump to a site with https, the mixed security warning shows on the destination page (until I reload it.)

I'm also greeted with the same situation whenever I use any of the integrated sharing features. These pages show the mixed content warning even though they're opening in a new tab. I have to refresh the page to get a green padlock. If I turn off https in newsblur, the sharing features don't exhibit the mixed security warning.

I don't get why it would carry over to a completely different page. Not a big deal. I've gotten used to refreshing. But if that part is easily remedied, it would remove a minor hassle.

9ttL2DurVffs:
Icons are still being loaded from http://icons.newsblur.com/ rather than a TLS-secured server. Is there a fix planned?

John Morahan:
They're actually available over HTTPS already, from https://s3.amazonaws.com/icons.newsbl... - perhaps it would be possible to use that URL when HTTPS is enabled?

9ttL2DurVffs:
They're available, yes, but the NewsBlur source contains references to HTTP URIs instead, which is triggering Firefox's mixed content protection. HTTPS-Everywhere doesn't trigger early enough to be a fix, either.

Until the URIs are HTTPS instead, it's not fixed.

John Morahan:
I know :-) That comment was directed at Samuel, sorry for not making that clear.

9ttL2DurVffs:
Right. Thanks.

phh0c:
I would also like to request icons.newsblur.com to be served over HTTPS. With the use of requestpolicy and noscript, this should get rid of the mixed content warning.

Samuel Clay, Official Rep:
Good news, I went through all user profiles and scrubbed out the non-https. So now everything should load with https with no mixed content warnings. However, the second you load a site and it pulls from http, all bets are off.

The real answer is to rewrite feeds to move images behind a https proxy server. I hear that's not terribly expensive, but it's a whole kettle of work to do.

9ttL2DurVffs:
Do you mean that we should do it, or that you're considering your own implementation?

pxlmsc:
I'm already a paying user but proxying feeds and images so that I don't get tracked by the original websites is definitely something I would pay for.

xumivonorovim:
I am seeing non-HTTPS requests to http://newsblur.com/media/img/icons/c...

xumivonorovim:
It seems the request for an icon where a feed has no favicon redirects to a non-HTTPS icon.

eg.

https://newsblur.com/rss_feeds/icon/9...

GET /rss_feeds/icon/99177 HTTP/1.1
Host: newsblur.com
[...]

Returns:

HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.1
Date: Sun, 10 Aug 2014 19:43:45 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: Express
Location: http://newsblur.com/media/img/icons/c...
[...]

Samuel Clay, Official Rep:
Yeah, I noticed this too. I'm working on a fix. Turns out this didn't happen on my staging server so I shipped it. I gotta figure out why the icon proxy is switching to http.

Samuel Clay, Official Rep:
Fixed.

9ttL2DurVffs:
Samuel, thanks for taking care of this.

xumivonorovim:
Great, thanks! :-)