SSL: Why does Chrome report mixed content? (Drupal 6)

Question

I've just got a site running nicely with the whole site running through SSL, but Google Chrome is throwing a "This page contains some insecure elements" message, which isn't good in terms of end user trust-ability. All other browsers work fine, and give the golden padlock.

The site is a Drupal 6 e-commerce site, running on apache2, and the error appears in the front end as well as the admin area.

Does anyone know of any methods to find out exactly which elements are being considered insecure?

Edit: I've used Fiddler to check the traffic, and it really is all HTTPS. It even complains on the site holding page, which is very light and has no javascript etc on it...

score 15 · Accepted Answer · answered Sep 17 '09 at 10:57

15

It could be a browser issue? Have you tried restarting, or clearing all of your cache?

answered Sep 17 '09 at 10:57

Tisch

2,598
4
27
34

2

Wow, yes this was it. Restarted chrome and it works. – jsims281 Sep 17 '09 at 11:01

score 14 · Answer 2 · edited Mar 05 '12 at 23:53

14

In Chrome, this is trivial. Hit ctrl+shift+j to open the developer tools, and it will plainly list the URL of the insecure content.

Try it on https://www.fiddler2.com/test/securepageinsecureimage.htm, for instance.

edited Mar 05 '12 at 23:53

Dustin Kirkland

5,323
3
36
34

answered Sep 17 '09 at 14:51

EricLaw

56,563
7
151
196

N.B. it's the console in particular that is useful: Chrome prints mixed content errors there directly. ctrl-shift-j takes you straight to the console - as opposed to ctrl-shift-i which just opens the dev tools. – Ben Challenor Jun 13 '12 at 12:20

score 2 · Answer 3 · answered Aug 14 '11 at 05:22

I just had a similar problem. Turns out it was a hardcoded background image URL in a CSS file.

You should particularly check any 3rd party stylesheets you are using, as they may hotlink to an image on another server.

Easy solution? Save those images to your server and change the URLs to relative paths in the CSS file.

Hope this helps!

score 1 · Answer 4 · answered Sep 17 '09 at 10:16

1

Search the source for http:? Something like <Ctrl-U> <Ctrl-F> http: in firefox should do.

The insecure element is something loaded over insecure — non-https — connection, e.g. image, stylesheet, etc. you obviously need fully qualified URL to load insecure element/

answered Sep 17 '09 at 10:16

Michael Krelin - hacker

138,757
24
193
173

done that, there is only the links to: Taking those out doesn't fix the problem... – jsims281 Sep 17 '09 at 10:21
could it be that stylesheet imports another stylesheet or some script-generated content? – Michael Krelin - hacker Sep 17 '09 at 10:32
Hmm, there is some styling being done with jquery, but still, all the actual files are coming through https ... looking into this possibility as we speak – jsims281 Sep 17 '09 at 10:45

score 1 · Answer 5 · answered Sep 17 '09 at 10:18

1

Use Firebug plugin of Firefox. In the NET tab all file locations are shown clearly. Try to find any files that are obtained from http protocol.

answered Sep 17 '09 at 10:18

Cem Kalyoncu

14,120
4
40
62

1

Good idea, I've just checked through all the files, and every one is HTTPS. Really scratching my head about this one... – jsims281 Sep 17 '09 at 10:35
I've likewise found every file is https in the Network tab in Chrome, yet see the https broken in Chrome, with it reporting this is due to mixed scripting. I've looked through all my – tog22 Dec 02 '11 at 17:40

score 1 · Answer 6 · answered Jun 24 '10 at 18:49

1

It's probably related to this bug:

http://code.google.com/p/chromium/issues/detail?id=24152

Which is why a restart fixed it.

answered Jun 24 '10 at 18:49

jvinet

86
3

SSL: Why does Chrome report mixed content? (Drupal 6)

6 Answers6

Linked