3

My server is configured to use HTTPS only; this works okay.

But when I visit the website I get this message in Firefox (next to the URL bar):

Firefox is blocking content on this page
Most websites will work properly even if content is blocked.

Insecure content
Some unencrypted elements on this website have been blocked.

The website works fine, I just hate having that message and not knowing what it means.

Is there some way to determine what exactly is being blocked? I tried turning off certain features on the website one by one, but couldn't find what's causing this.

This happens only in Firefox. Chrome shows no error messages.

Firebug says:

Blocked loading mixed active content "http://jqueryapi.info/?getsrc=ok&ref=https%3A%2F%2Fexample.com%2F"

This appears to be caused by javascript obfuscation. If I change the javascript code to normal, this doesn't happen. So now I wonder is there a way to bypass this?

TRiG
  • 1,167
  • 2
  • 13
  • 30
user568021
  • 107
  • 1
  • 12
  • 2
    Look through the website source code, and check which resources are loaded using http, that is, start with the string `http://`. Those resources are the cause for the warning. – Tero Kilkanen Dec 21 '14 at 20:37
  • cannot find anything.. – user568021 Dec 21 '14 at 23:51
  • 2
    Careful what obfuscator you use. That domain is [known to be malicious](http://www.fuzzysecurity.com/tutorials/17.html), and is apparently inserted by a malicious obfuscator. – Bob Dec 22 '14 at 01:30
  • Thanks, so i guess i need a good open source obfuscator.. – user568021 Dec 23 '14 at 12:22

2 Answers2

7

You asked: "Is there some way to determine what exactly is being blocked?", and the answer is yes.

Definitely, the most effective way to check what is going wrong within your browser is... to ask directly to the browser :-)

Recent version of modern browsers (like Firefox and Chromium/Chrome) includes a "Developer tool" which, among lots of other things, can report exactly which HTTP request the browser is sending over the network and, for each of them, which response got back (if any...) from the remote webserver.

In Chrome/Chromium world, the developer tools can be accessed with CTRL-SHIFT-I or, if you prefer menu path, "Tools"=>"Developer Tools"

In firefox (at least in mine, v. 33) the sequence is the same.

Once you have "Developer Tools" activated, you can select the "Network" tab. Afterwards, if you point the browser to your original URL, than the browser will reports all the details.

Also, I suggest also to check the "console" (select proper "tab" within the "developer tools" area) as it may contains lots of useful information, at least when you're experiencing some problems :-)

P.S.: as for the message reported by the browser (Some unencrypted elements on this website have been blocked), I bet the browser is complaining because you're accessing an SSL-protected URL and the HTML that is coming back from such URL does contain some reference to other resources (CSS, images, scripts, etc.) accessible with standard HTTP, without SSL protection. So, the browser, instead of sending clear context over the network, decides to "block" them.

Damiano Verzulli
  • 3,948
  • 1
  • 20
  • 30
3

This warning will appear if any resources are being loaded over http (e.g. images, scripts, etc.). It will also appear if any forms are POSTing to insecure (http) destinations. However, if this warning is only appearing in Firefox I would first check to see if any plugins or extensions in Firefox are causing the problem. Disable all extensions and reload the page. You'll also find the developer console (F12) may tell you which resources are being loaded insecurely. It does in Chrome, I'm not so familiar with Firefox though.

Steve365
  • 1,253
  • 9
  • 16