Portlets – Addressing Mixed Content Errors

Third-party Dashboard portlets, such as Facebook, Weather Channel, etc. may cause a mixed content scenario when secure (https) and insecure (http) content are both called into the same web page. This scenario is evident when the portlet added appears blank in the Dashboard screen.

Sometimes, an SSL-secured website (denoted by 'https' in its web address) loads parts of its content from insecure sources. Content from insecure sources can be viewed by others as a web page is loading and information is transmitting. Malicious parties could potentially modify these insecure sources and change the look and behavior of the web page without your knowledge or consent.

Disclaimer:

Displaying mixed content requires changes to your browser settings that are not suggested for standard internet usage. These portlets have been provided by development for usage but they are publicly available widgets that use HTTP protocol. The user assumes the responsibility of doing their due diligence to ensure that they are able to use these safely as usage in OPERA Cloud causes a mixed protocol content scenario which is normally flagged on a publicly available website.

All browsers have some methodology that they use to manage this occurrence. We have outlined the mitigation steps for three of the major available browsers below.

Dashboard Portlets - Mixed Protocol Content - Chrome browser The URL in the address bar will show the "https" crossed out, indicating that content on the web page is mixed and not fully secure. A security shield icon will appear in the address bar when mixed protocol content is detected.

Issue *

Websites that ask for sensitive information, such as usernames and passwords, often use secure connections to transmit content to and from the computer you're using. If you're visiting a site via a secure connection, Google Chrome will verify that the content on the web page has been transmitted safely. If it detects certain types of content on the page coming from insecure channels, it can automatically prevent the content from loading and you'll see a shield icon appearing in the address bar. By blocking the content and possible security gaps, Chrome protects your information on the page from falling into the wrong hands.

As a result, parts of the

page may not display when Chrome blocks the insecure content.

To enable the insecure content

Although not recommended, you can choose to override the alert for the page by selecting Load unsafe script. Chrome will refresh the page and load its content, including any insecure content. The URL in the address bar will show to indicate that the page is not fully secure.

Chrome browser - load unsafe script

Advanced tips

You can choose to block certain types of web content, such as JavaScript and images, for all sites by visiting your Settings page. See more information on adjusting your web content settings.

Although not recommended, you can also use the command line flag --allow-running-insecure-content to prevent Chrome from checking for insecure content. Instructions on how to add a command line flag can be found on the Chromium site (English only).

^* Excerpts from "This page has insecure content."Retrieved 6 May 2014.

^† screenshots in these examples are taken from Chrome Version 34.0.1847.131 m

Dashboard Portlets - Mixed Protocol Content - Firefox browser A security shield icon will appear in the address bar when mixed protocol content is detected.

Issue *

If the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.

When you see the shield icon in the address bar, it means that Firefox has blocked content that is insecure.

As a result, parts of the page may not display.

To enable the insecure content in Firefox

Although not recommended, you can unblock the insecure content by selecting "Disable Protection on This Page" from the drop down box.

Firefox browser - mixed content blocking options

Firefox will then load the web page including any insecure content. The lock icon in the address bar will be replaced with an orange warning triangle icon to remind you that insecure content is being displayed.

Firefox orange triangle mixed content reminder icon

To revert the previous action (block mixed content), open the web page in a new tab.

Using a Firefox Add On to Block or Display Mixed Content

As an alternative, a Firefox add on extension (Toggle Mixed Active Content) can be installed, which toggles the preference of blocking mixed active content on the web page.

Firefox Mixed Active Content Add on Extension installed

The add-on can be toggled on or off by selecting the Add-on icon.

	Green = Block insecure content
	Red = Display insecure content

^* Excerpts from "How does content that isn't secure affect my safety?" Retrieved 7 May 2014.

^† screenshots in these examples are taken from Firefox Version 29.0

Internet Explorer - Option to display insecure content

When viewing a website in Internet Explorer 9 or later, you receive a message that says "Only secure content is displayed."

Issue *

This message is telling you that there may be both secure and non-secure content on the page. Secure and non-secure content, or mixed content, means that a webpage is trying to display elements using both secure (HTTPS/SSL) and non-secure (HTTP) web server connections. This often happens with online stores or financial sites that display images, banners, or scripts that are coming from a server that is not secured. The risk of displaying mixed content is that a non-secure webpage or script might be able to access information from the secure content.

As a result, parts of the page may not display when Chrome blocks the insecure content.

To show the insecure content

Although not recommended, you can choose to override the blocked content by selecting Show All Content.

Internet Explorer - Show All Content button

To Disable the Mixed Content Block Setting

Internet Explorer blocks non-secure content by default and is set to prompt you when this is happening. Changing this setting may make your computer vulnerable to viral, fraudulent or malicious attacks. Microsoft does not recommend that you attempt to change this setting. Modify this setting at your own risk.

Please see the following web page for instructions on how to change this setting and disable this feature for a particular zone in Internet Explorer.

http://support.microsoft.com/kb/2625928

Note: When this setting is set to Enable, Internet Explorer does not prompt you with the "Only secure content is displayed" message even if the web page is using non-secure elements.

It is recommended that OPERA Cloud is added to the Trusted Sites zone along with the root site http://www.gmodules.com/ which is the root of the HTTP request that the Portlets use to initiate the widgets. (Select the thumbnail below to view the browser console log screenshot .)


View Larger

^* Excerpts from “Only secure content is displayed” notification in Internet Explorer 9 or later Retrieved 7 May 2014.

^† screenshots in these examples are taken from Internet Explorer version 11.0.9600.17041

Dashboard Portlets - Mixed Protocol Content - Safari browser A lock icon will appear in the address bar when visiting a secure website. No lock appears here when mixed protocol content is detected.

Issue *

Safari displays a lock icon at the top of the Safari window or in the address field when you are visiting a secure website.

Safari does not show a warning message for websites with mixed content. Instead, when Safari detects a secure website that contains insecure content, the lock icon is missing from the top of the Safari window in the address field.

Dashboard Portlets - Mixed Protocol Content - Safari browser - Mixed Content Detected The lock icon does not show in the address bar when mixed protocol content is detected.

You can view warning messages for the insecure content in the error console.

To View the Warning Message in the Error Console

1. Select the Develop menu, and then select Show Error Console

Safari - Develop menu > Show Error Console

2. You can view the warnings using the default view (All) or you can select Warnings.

Safari Error Console - Warnings

See the example warning below:


View Larger

Ask Before Sending A Non-Secure Form From A Secure Website

Sometimes an otherwise secure website may fail to provide a secure way to submit a form, such as one containing your password or credit card number. Safari displays a message when this is about to happen, so you can cancel.

To enable/disable this message:

1. Select Settings > Preferences

Safari - Settings > Preferences

2. Select the Security Tab, and then either select or unselect Ask before sending a non-secure form to a secure website

Safari option - Ask before sending a non-secure form to a secure website

* Excerpts from:

Safari Help "What is the lock icon?" Retrieved 28 May 2014.

http://support.apple.com/kb/ph5004 Retrieved 28 May 2014.

† screenshots in these examples are taken from Safari version 5.1.7.

There are several reason why blank portlets may occur. This document, while dealing with the most frequent cause, does not address any other scenario. If users are experiencing blocked portlets they should go to console mode in the browser and try invoking the portlets individually. The blocked calls to the portlet URLs will look like the following: