3

I added the following HTML to the head section of my blogger.com theme.

<link href='https://alexgorbatchev.com/pub/sh/current/styles/shCore.css' rel='stylesheet' type='text/css'> 
<link href='https://alexgorbatchev.com/pub/sh/current/styles/shThemeDefault.css' rel='stylesheet' type='text/css'> 
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shCore.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushCpp.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushCSharp.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushCss.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushJava.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushJScript.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPhp.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPython.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushRuby.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushSql.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushVb.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushXml.js' type='text/javascript'></script>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js' type='text/javascript'></script>
<script language='javascript'> 
    SyntaxHighlighter.config.bloggerMode = true;
    SyntaxHighlighter.config.clipboardSwf = &#39;https://alexgorbatchev.com/pub/sh/current/scripts/clipboard.swf&#39;;
    SyntaxHighlighter.all();
</script>

But when I view a page via HTTP the browser tells me I am requesting insecure HTTP resources from a second HTTPS page.

https://mrpmorris.blogspot.co.uk/2017/06/loading-assembly-from-specific-path.html

If I right-click the alexgorbatchev link in the Chome Console and select Open in new link it takes me to an insecure page, if I add https:// to the start of the url it loads securely.

Why are Chrome and MS Edge trying to fetch these resources via http when the markup explicitly indicates https?

Peter Morris
  • 20,174
  • 9
  • 81
  • 146
  • Anything to do with the clipboardSwf url being enclosed in html entitized quotes? – pinkfloydx33 Jul 01 '17 at 23:27
  • Faced the same issue for quite some time now([blog](https://opensourceforgeeks.blogspot.com/)). CDN solution works quite well for this problem, though I doubt how version management would work. – Aniket Thakur May 16 '20 at 15:23

2 Answers2

5

I was facing the same issue with my blog.

I replaced below piece of code:

<link href='https://alexgorbatchev.com/pub/sh/current/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='https://alexgorbatchev.com/pub/sh/current/styles/shThemeEclipse.css' rel='stylesheet' type='text/css'/>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shCore.js' type='text/javascript'/>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushJava.js' type='text/javascript'/>
<script src='https://alexgorbatchev.com/pub/sh/current/scripts/shBrushXml.js' type='text/javascript'/>

With the below one:

<link href='https://cdnjs.cloudflare.com/ajax/libs/SyntaxHighlighter/3.0.83/styles/shCore.css' rel='stylesheet' type='text/css'/>
<link href='https://cdnjs.cloudflare.com/ajax/libs/SyntaxHighlighter/3.0.83/styles/shThemeEclipse.css' rel='stylesheet' type='text/css'/>
<script src='https://cdnjs.cloudflare.com/ajax/libs/SyntaxHighlighter/3.0.83/scripts/shCore.js' type='text/javascript'/>
<script src='https://cdnjs.cloudflare.com/ajax/libs/SyntaxHighlighter/3.0.83/scripts/shBrushJava.js' type='text/javascript'/>
<script src='https://cdnjs.cloudflare.com/ajax/libs/SyntaxHighlighter/3.0.83/scripts/shBrushXml.js' type='text/javascript'/>

And now my blog stopped throwing that error of insecure content blocked. Because now all the content is served over https and that too by one of the best cdn in the world.

akjprajapati
  • 138
  • 2
  • 9
  • Please find your content here -- https://cdnjs.com/libraries/SyntaxHighlighter – akjprajapati Nov 14 '19 at 16:35
  • Who maintains this? Original links always point to `current` which means when the latest version is released we get it but with this, we have to manually update it? Also, will old versions be ever taken down? – Aniket Thakur May 16 '20 at 15:14
4
$ curl -I https://alexgorbatchev.com/pub/sh/current/scripts/shBrushPerl.js -k
HTTP/1.1 302 Moved Temporarily
...
Location: http://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shBrushPerl.js
...

You can see that it's actually being redirected to TypePad.com. There's a "cool" story behind this. Back in the dark days when bandwidth was expensive, I was getting 100s of GBs of traffic on these scripts, which was starting to cost over $100 a month. I moved the files to free hosting service, but I didn't want all existing links to alexgorbatchev.com to break, and so I set up redirects.

I should probably fix the redirect to use the same protocol as the request :)

alex
  • 2,036
  • 2
  • 16
  • 19
  • Thank you, for both the library and your answer! – Peter Morris Jul 03 '17 at 19:46
  • @alex - have you by chance hosted these securely without an underlying redirect? I'm having the same issue and my blog which uses your SyntaxHighlighter (thank you) will not load properly over http. – atconway Sep 19 '18 at 03:00
  • 1
    @alex - have you by chance hosted these securely without an underlying redirect? – Pratham Jun 29 '19 at 10:17
  • @alex could you please fix these ones also ? 'http://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shCore.js' 'http://agorbatchev.typepad.com/pub/sh/3_0_83/styles/shThemeEclipse.cs' 'http://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shBrushJava.js' 'http://agorbatchev.typepad.com/pub/sh/3_0_83/scripts/shBrushXml.js'. the content must be served over HTTPS. – akjprajapati Nov 12 '19 at 07:04
  • Looks like lot of people use this. It would be good to make this work for https as well. Also, looks like it is currently down. It gives `404 Not Found nginx/1.4.6 (Ubuntu)`. CDN seems better option here as it caches it, but comes with drawback of updating versions manually (Unless we can have something like `current` version). – Aniket Thakur May 16 '20 at 15:18