Portlets – Addressing Mixed Content Errors
Third-party Dashboard portlets, such as Facebook, Weather Channel, etc., may cause a mixed content scenario when secure (https) and insecure (http) content are both called into the same web page. This scenario is evident when the added portlet appears blank in the Dashboard screen.
Dashboard Portlets appear blank when both secure and insecure content is called into the same web page (mixed protocol content scenario).
Mixed Content
Sometimes, an SSL-secured website (denoted by 'https' in its web address) loads parts of its content from insecure sources. Content from insecure sources can be viewed by others as a web page is loading and information is transmitting. Malicious parties could potentially modify these insecure sources and change the look and behavior of the web page without your knowledge or consent.
Disclaimer:
Displaying mixed content requires changes to your browser settings that are not suggested for standard internet usage. These portlets have been provided by development for usage but they are publicly available widgets that use HTTP protocol. The user assumes the responsibility of doing their due diligence to ensure that they are able to use these safely as usage in OPERA Cloud causes a mixed protocol content scenario which is normally flagged on a publicly available website.
To Control the Display of Mixed Content on Secure Web pages
All browsers have some methodology that they use to manage this occurrence. We have outlined the mitigation steps for three of the major available browsers below.
Chrome
The URL in the address bar will show the "https" crossed out, indicating that content on the web page is mixed and not fully secure.
A security shield icon will appear in the address bar when mixed protocol content is detected.
Issue *
Websites that ask for sensitive information, such as usernames and passwords, often use secure connections to transmit content to and from the computer you're using. If you're visiting a site via a secure connection, Google Chrome will verify that the content on the web page has been transmitted safely. If it detects certain types of content on the page coming from insecure channels, it can automatically prevent the content from loading and you'll see a shield icon appearing in the address bar. By blocking the content and possible security gaps, Chrome protects your information on the page from falling into the wrong hands.
As a result, parts of the page may not display when Chrome blocks the insecure content.
To enable the insecure content
Although not recommended, you can choose to override the alert for the page by selecting Load unsafe script. Chrome will refresh the page and load its content, including any insecure content. The URL in the address bar will show the "https" crossed out to indicate that the page is not fully secure.
Advanced tips
You can choose to block certain types of web content, such as JavaScript and images, for all sites by visiting your Settings page. See more information on adjusting your web content settings.
Although not recommended, you can also use the command line flag --allow-running-insecure-content to prevent Chrome from checking for insecure content. Instructions on how to add a command line flag can be found on the Chromium site (English only).
Firefox
A security shield icon will appear in the address bar when mixed protocol content is detected.
Issue *
If the HTTPS page you visit includes HTTP content, the HTTP portion can be read or modified by attackers, even though the main page is served over HTTPS. When an HTTPS page has HTTP content, we call that content “mixed”. The page you are visiting is only partially encrypted and even though it appears to be secure, it isn't.
When you see the shield icon in the address bar, it means that Firefox has blocked content that is insecure.
As a result, parts of the page may not display.
To enable the insecure content in Firefox
Although not recommended, you can unblock the insecure content by selecting "Disable Protection on This Page" from the drop-down box.
Firefox will then load the web page including any insecure content. The lock icon in the address bar will be replaced with an orange warning triangle icon to remind you that insecure content is being displayed.
To revert the previous action (block mixed content), open the web page in a new tab.
Using a Firefox Add-on to Block or Display Mixed Content
As an alternative, a Firefox add-on (Toggle Mixed Active Content) can be installed, which toggles the preference for blocking mixed active content on the web page.
The add-on can be toggled on or off by selecting the Add-on icon.
Green = Block insecure content
Red = Display insecure content
Internet Explorer
When viewing a website in Internet Explorer 9 or later, you receive a message that says "Only secure content is displayed."
Issue *
This message is telling you that there may be both secure and non-secure content on the page. Secure and non-secure content, or mixed content, means that a webpage is trying to display elements using both secure (HTTPS/SSL) and non-secure (HTTP) web server connections. This often happens with online stores or financial sites that display images, banners, or scripts that are coming from a server that is not secured. The risk of displaying mixed content is that a non-secure webpage or script might be able to access information from the secure content.
As a result, parts of the page may not display when Internet Explorer blocks the insecure content.
To show the insecure content
Although not recommended, you can choose to override the blocked content by selecting Show All Content.
To Disable the Mixed Content Block Setting
Internet Explorer blocks non-secure content by default and is set to prompt you when this is happening. Changing this setting may make your computer vulnerable to viral, fraudulent or malicious attacks. Microsoft does not recommend that you attempt to change this setting. Modify this setting at your own risk.
Please see the following web page for instructions on how to change this setting and disable this feature for a particular zone in Internet Explorer.
http://support.microsoft.com/kb/2625928
Note: When this setting is set to Enable, Internet Explorer does not prompt you with the "Only secure content is displayed" message even if the web page is using non-secure elements.
It is recommended that OPERA Cloud is added to the Trusted Sites zone along with the root site http://www.gmodules.com/ which is the root of the HTTP request that the Portlets use to initiate the widgets.
Safari
A lock icon will appear in the address bar when visiting a secure website. No lock appears here when mixed protocol content is detected.
Issue *
Safari displays a lock icon at the top of the Safari window or in the address field when you are visiting a secure website.
Safari does not show a warning message for websites with mixed content. Instead, when Safari detects a secure website that contains insecure content, the lock icon is missing from the top of the Safari window in the address field.
The lock icon does not show in the address bar when mixed protocol content is detected.
You can view warning messages for the insecure content in the error console.
To View the Warning Message in the Error Console
1. Select the Develop menu, and then select Show Error Console.
   To add Safari's Develop menu:
   1. Settings > Preferences
   2. Advanced Tab > Select Show Develop Menu in Menu Bar
2. You can view the warnings using the default view (All) or you can select Warnings.
See the example warning below:
Ask Before Sending A Non-Secure Form From A Secure Website
Sometimes an otherwise secure website may fail to provide a secure way to submit a form, such as one containing your password or credit card number. Safari displays a message when this is about to happen, so you can cancel.
To enable/disable this message:
1. Select Settings > Preferences
2. Select the Security Tab, and then either select or unselect Ask before sending a non-secure form to a secure website
* Excerpts from:
Safari Help "What is the lock icon?" Retrieved 28 May 2014.
http://support.apple.com/kb/ph5004 Retrieved 28 May 2014.
† screenshots in these examples are taken from Safari version 5.1.7.
Conclusion:
There are several reasons why blank portlets may occur. This document, while dealing with the most frequent cause, does not address any other scenario. If users are experiencing blocked portlets, they should go to console mode in the browser and try invoking the portlets individually. The blocked calls to the portlet URLs will look like the following:
e.g.
SEC7111: HTTPS security is compromised by
http://www.gmodules.com/ig/ifr?url=http%3A//igwidgets.com/lig/gw/f/islk/89/slkm/ik/s/1329844/87/charles447/google-maps-driving-directions.xml& up_from=2640%20Goldengate%20Pkwy%2C%20Naples%2C%20FL%2C%2034105&up_to=&up_country=0&synd=open& w=450&h=115&title=&lang=all&country=ALL&output=js
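Console output in the format shown above can be triaged mechanically. The following is an added example, not part of the original document: it parses SEC7111 lines and lists the plain-HTTP origins involved, including a widget definition wrapped in the `url` query parameter. The sample console lines and the `.example` hosts are constructed, and the function names are illustrative.

```javascript
// Added example: triage "SEC7111" console lines (message format taken from the page).
// SAMPLE_CONSOLE is constructed for illustration; hosts under .example are placeholders.
const SAMPLE_CONSOLE = [
  'SEC7111: HTTPS security is compromised by http://www.gmodules.com/ig/ifr?url=http%3A//widgets.example/maps.xml&synd=open&w=450&h=115&output=js',
  'SEC7111: HTTPS security is compromised by http://www.gmodules.com/ig/ifr?url=https%3A//weather.example/w.xml&output=js',
  'HTML1300: Navigation occurred.',
  'SEC7111: HTTPS security is compromised by http://cdn.example/banner.png',
].join('\n');

const SEC7111 = /^SEC7111: HTTPS security is compromised by\s+(\S+)/;

// Returns one record per blocked request: the flagged URL's origin and, when the
// request wraps another resource in a `url` parameter, that resource's origin and scheme.
function parseBlockedRequests(consoleText) {
  const records = [];
  for (const line of consoleText.split(/\r?\n/)) {
    const m = SEC7111.exec(line.trim());
    if (!m) continue; // unrelated console message
    let outer;
    try { outer = new URL(m[1]); } catch { continue; } // truncated or malformed URL
    const record = { origin: outer.origin, path: outer.pathname, nested: null };
    const inner = outer.searchParams.get('url'); // value is already percent-decoded
    if (inner) {
      try {
        const u = new URL(inner);
        record.nested = { origin: u.origin, insecure: u.protocol === 'http:' };
      } catch { /* nested value is not an absolute URL; leave nested as null */ }
    }
    records.push(record);
  }
  return records;
}

// Collapses the records into the distinct plain-HTTP origins the page depends on.
// Every SEC7111 URL was flagged by the browser, so its origin is always included.
function insecureOrigins(records) {
  const origins = new Set();
  for (const r of records) {
    origins.add(r.origin);
    if (r.nested && r.nested.insecure) origins.add(r.nested.origin);
  }
  return [...origins].sort();
}

console.log(insecureOrigins(parseBlockedRequests(SAMPLE_CONSOLE)));
```

The resulting origin list shows which third-party hosts a portlet pulls over plain HTTP, which is the information needed before deciding whether to allow the content at all.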
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Version 9.0.1.20