7

I am having a weird mixed content request blocking issue from my web site and, trust me, I have been googling to resolve this issue for more than a couple of months already.

I am using AngularJS1 as front-end and Spring boot as back-end.

When I access my website, sometimes randomly I get the error below:

Mixed Content: The page at http://mywebsite was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://mywebsite.com/'. This request has been blocked; the content must be served over HTTPS.

[Screenshot: Chrome developer network console]

[Screenshot: blocked request header]

But this problem goes away when I refresh or reload the page. After that, everything is working perfectly as expected because I am not using any HTTP ajax call but only internal HTTPS ajax call.

I even checked whether my website has some request using "http" using third-party tool and my website was clean.

This issue does not happen all the time. It happens randomly but it will always go away if I refresh the page.

Please please help me solve this issue.

============== Updated status as of 27th of March, 2018 =================

I am still suffering from the same issue although I did a workaround. I added errorCallBack that catches all errors except HTTP 500 error for the Ajax call that reloads the page only once so that the page gets reloaded which resolved the issue.

But this should not be a solution. Please help me anyone.

Jake Kim
  • @codtex thanks for commenting. Actually I am not doing HTTP AJAX request at all. I am only calling HTTPS internal AJAX call. That is why I am so confused. – Jake Kim Sep 14 '17 at 08:23
  • I'm sorry mate, I've missed that point in the beginning. I think you should somehow figure out when this is happening, I think it is not happening on a random base and something must cause it. Could you also post the code where you do the AJAX request? – codtex Sep 14 '17 at 08:56
  • Please anyone? :( – Jake Kim Mar 27 '18 at 10:01
  • Well a mere few screenshots don’t give us any chance to figure out what might actually be going on. So the only suggestion I have at this point, would be to go look at the Initiator column in network panel, and see if that can help narrow down which part of your app causes those requests to begin with. – CBroe Mar 27 '18 at 10:17
  • Post the code of the AJAX request that is causing the trouble. Do you build the request URL dynamically? If something is forcing `jquery.ajax` to use the **http** protocol instead of **https** _(which is very strange)_ you can try to do your AJAX call with the native `XMLHttpRequest` – codtex Mar 28 '18 at 07:09
  • This is very, very strange. I'm suddenly getting the same error from ajax requests made from within promises. And I'm not serving any content over http. Adding the meta directive to upgrade blocked content made it work but I'd still like to know why those ajax requests are being blocked. – VH-NZZ Dec 10 '18 at 08:59
  • As it turns out, it was a case of the http server responding with a 301 redirect for resources with a trailing slash whilst behind an https reverse proxy (and not being aware of it). Forcing the server to consider what scheme it is under for the redirect solved the issue. Some things are just meant to be learned the hard way. – VH-NZZ Dec 10 '18 at 18:37
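
The situation described in the last comment above, as an added example that is not part of the original thread: a backend behind a TLS-terminating proxy builds its trailing-slash redirect from the plain-HTTP socket it sees, and the browser then blocks the `http://` hop as mixed content. All function names, the proxy address and the `mywebsite.example` host are assumptions, and the sample request and log are constructed.

```javascript
// Added example; names are hypothetical and the sample data is constructed.
const TRUSTED_PROXIES = new Set(['10.0.0.5']); // assumed address of the TLS-terminating proxy

// Naive backend: takes the scheme from the socket it sees, which is plain
// HTTP behind the proxy, so the Location header downgrades the client.
function naiveRedirect(req) {
  return `${req.socketScheme}://${req.headers.host}${req.path}/`;
}

// Scheme-aware backend: honours X-Forwarded-Proto, but only when the request
// really arrived from the trusted proxy (a direct client could forge the header).
function effectiveScheme(req) {
  const fwd = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim().toLowerCase();
  if (TRUSTED_PROXIES.has(req.remoteAddr) && (fwd === 'http' || fwd === 'https')) return fwd;
  return req.socketScheme;
}

function schemeAwareRedirect(req) {
  return `${effectiveScheme(req)}://${req.headers.host}${req.path}/`;
}

// Audit helper: flags 3xx responses that send an HTTPS client to an http:// URL.
function findDowngrades(exchanges) {
  return exchanges.filter(({ requestUrl, status, location }) => {
    if (status < 300 || status > 399 || !location) return false;
    const from = new URL(requestUrl);
    const to = new URL(location, requestUrl); // also resolves relative Location values
    return from.protocol === 'https:' && to.protocol === 'http:';
  });
}

// Constructed request, as the backend sees it after the proxy terminated TLS.
const sampleReq = {
  socketScheme: 'http', remoteAddr: '10.0.0.5', path: '/api/items',
  headers: { host: 'mywebsite.example', 'x-forwarded-proto': 'https' },
};

// Constructed log of responses as observed from the browser side.
const sampleLog = [
  { requestUrl: 'https://mywebsite.example/api/items', status: 301, location: naiveRedirect(sampleReq) },
  { requestUrl: 'https://mywebsite.example/api/items', status: 301, location: schemeAwareRedirect(sampleReq) },
  { requestUrl: 'https://mywebsite.example/app', status: 302, location: '/app/' },
  { requestUrl: 'https://mywebsite.example/', status: 200, location: null },
];

console.log(findDowngrades(sampleLog).map((e) => e.location));
```

In Spring Boot the corresponding switch is `server.forward-headers-strategy` (`server.use-forward-headers` before 2.2), with the proxy configured to send `X-Forwarded-Proto`.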

1 Answer

0

You can try this:

```html
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
```

Or

```html
<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content" />
```

Paste it in the `<head>...</head>` tags.

The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents loading any assets using HTTP when the page is loaded using HTTPS.

All mixed content resource requests are blocked, including both active and passive mixed content. This also applies to <iframe> documents, ensuring the entire page is mixed content free.

The upgrade-insecure-requests directive is evaluated before block-all-mixed-content and if the former is set, the latter is effectively a no-op. It is recommended to set one directive or the other – not both.

S.G.