Support Forum

Advanced Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
public-topic
Mixed content message due to Gravatar image
Avatar
Roger Martin
Member
Free Members
sp_UserOfflineSmall Offline
Apr 17, 2015 - 10:52 am
sp_QuotePost Quote

I'm playing with a Simple:Press install on an SSL-secured site. It looks like all resources are being pulled down securely (i.e. with the https prefix) except for one - the gravatar image when you are logged on. For example, when I log in the following image is used in the top left corner:

http://www.gravatar.com/avatar.....p;rating=g

Since it's not secure (http insted of https), Chrome gives a warning about mixed content being on the page. I flushed caches, checked the forum settings and Gravatar settings and don't see a way to change it. I even tried the Gravatar cache plugin but then a new problem develops - a 404 error occurs presumably because a routing issue is preventing the IIS server from finding the resource. (FYI, if you change the cache file to use a file extension instead of being extensionless, this problem would disappear.)

You can see the issue for yourself at https://galleryserverpro.com/forum/.

Cheers!
Roger

Avatar
Mr Papa
Simi Valley, CA
SP Master
Free Members
sp_UserOfflineSmall Offline
Apr 18, 2015 - 11:33 am
sp_QuotePost Quote

interesting... not sure why the file extension would matter... and we have quite a few users with SSL and this has not been reported... in fact, we recently did an ssl sweep due to share this issue and this did not come up...

not saying, you are not correct, just odd that its not a global things...  or perhaps its specific to IIS...

and we will have to investigate further...

Avatar
Roger Martin
Member
Free Members
sp_UserOfflineSmall Offline
Apr 20, 2015 - 1:38 pm
sp_QuotePost Quote

The file extension issue is unrelated to SSL. To avoid confusion, I split that into another thread: Gravatar cache doesn't work well on IIS

You don't have to take my word for it on the mixed content warning. It is easy to repro the issue by going to https://galleryserverpro.com/forum and logging in (it supports several openauth providers so you can log in with your Google, Facebook, Twitter, or LinkedIn account). Once logged in and your gravatar image is shown, look at the source and notice the image is served as HTTP while the page is served as HTTPS.

Avatar
Mr Papa
Simi Valley, CA
SP Master
Free Members
sp_UserOfflineSmall Offline
Apr 20, 2015 - 10:53 pm
sp_QuotePost Quote

and investigation is underway...

Avatar
Roger Martin
Member
Free Members
sp_UserOfflineSmall Offline
Mar 7, 2016 - 7:07 pm
sp_QuotePost Quote

Any word on this? We are still having this issue on our site. Repro steps in the earlier posts still work.

Thanks!

Roger

Avatar
Mr Papa
Simi Valley, CA
SP Master
Free Members
sp_UserOfflineSmall Offline
Mar 7, 2016 - 9:14 pm
sp_QuotePost Quote

we have not been able to reproduce yet (doesnt happen on our ssl test setup)...  and still trying to understand how a file extension would make any difference...  of course, our test site is not on IIS...  and would like to understand why/how its specific to IIS... is it just your server set up or any IIS..  unfortunately, such as small number of IIS users so hard to get data...  not a good practice to 'fix' something for one instance without understanding any other implications...

Avatar
Cherie Ve Ard
Member
Pro Subscribers
sp_UserOfflineSmall Offline
Mar 31, 2016 - 11:53 am
sp_QuotePost Quote

We've recently moved our site to use SSL, and everything is working fine except for the forums.

They work - but the browser flags the pages as insecure because SimplePress is loading the gravatar over http instead of https.

Here is the error in Chrome:

Mixed Content: The page at 'https://www.rvmobileinternet.com/forum/' was loaded over HTTPS, but requested an insecure image 'http://www.gravatar.com/avatar/73c61c17d46e45ac2cd4a00b2bba5453?d=404&size=50&rating=g'. This content should also be served over HTTPS.

Any fix coming? Do I have to disable gravatars?

Thanks,

  - Chris

PS: This has nothing to do with IIS. Our web host is Dreamhost, running Apache. SimplePress just needs to request the https:// instead of http:// image from Gravatar to fix this, I think

Avatar
Yellow Swordfish
Glinton, England
SP Master
sp_UserOfflineSmall Offline
Mar 31, 2016 - 12:29 pm
sp_QuotePost Quote

I thought we had a bug ticket open on this one but it appears to have fallen through the cracks somewhere. I will open one now and we will discuss tonight and let you know after that....

andy-signature.png
YELLOW
SWORDFISH
Avatar
Mr Papa
Simi Valley, CA
SP Master
Free Members
sp_UserOfflineSmall Offline
Mar 31, 2016 - 9:24 pm
sp_QuotePost Quote

we might be able to fix gravatars to always use https, but a bigger question would be why isnt it auto changing it to https??? 

It does for me on my test server...  makes me wonder if the server is properly configured to use https/ssl...

Avatar
Mr Papa
Simi Valley, CA
SP Master
Free Members
sp_UserOfflineSmall Offline
Apr 1, 2016 - 1:04 am
sp_QuotePost Quote

have opened a ticket to just go ahead and force https in next version... should be no harm there...

Forum Timezone: Europe/Stockholm
Most Users Ever Online: 1170
Currently Online:
Guest(s) 1
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Mr Papa: 19448
Ike: 2086
Brandon: 864
kvr28: 804
jim: 650
FidoSysop: 577
Conrad_Farlow: 531
fiddlerman: 358
Stefano Prete: 325
Member Stats:
Guest Posters: 620
Members: 17365
Moderators: 0
Admins: 4
Forum Stats:
Groups: 7
Forums: 17
Topics: 10128
Posts: 79626