Fixing Mixed-Content Warnings when using SSL Offloading

Overview

This article provides information on how to resolve mixed-content warnings with pages and popups seen in the browser developer tools when using SSL offloading.

Prerequisites

Diagnosis

The warnings described above are possibly caused by a secured page (HTTPS), which contains unsecured links (HTTP) to some resources (images, scripts, etc.).

You can check for mixed content warnings in your browser by:

  1. In your browser, press F12.
  2. View the console.

Errors you should see in the console are:

  • Internet Explorer
    Only secure content is displayed.
  • Firefox
    Firefox has blocked content that isn't secure.
  • Chrome
    Mixed Content: The page at "" was loaded over HTTPS, but requested an insecure frame. This request has been blocked; the content must be served over HTTPS.

Mixed for popups will produce errors such as:

  • Mixed Content: The page at 'https://www.site.com' was loaded over HTTPS, but requested an insecure frame 'http://www.site.com/ctl/edit/mid/540?popUp=true'. This request has been blocked; the content must be served over HTTPS.

    It is failing with a popUp=true query string which is an indicator that the frame is a DNN modal popup.

You can also use some (external, 3rd-party) web tools that might help you determine which elements may be causing the mixed content:

Solution

  1. Configure the SSL Offload Header Value as required by your load balancers.

    Examples:
  2. Enable SSL for your site and pages.
  3. If you see mixed-content errors whenever a pop-up modal is shown on the screen, you can disable the pop-ups that are requesting HTTP. To do so, navigate to Settings > SQL Console and run the following query:

    UPDATE portalsettings 
    SET    settingvalue = 'False' 
    WHERE  settingname = 'EnablePopups'
  4. (workaround) If you do not wish to disable pop-ups,
    • Go to Persona Bar > Settings > Site Settings > Site Behavior.
    • Under HTML Page Header Tags, add the text: 
      <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
      This will affect all insecure content in the page, so you need to make sure that all the insecure links are available securely, otherwise, they will not be loaded.
      Note: If there are multiple portals on the site, the meta tag can be bulk updated by running the query in SQL Console:
      UPDATE Tabs
      SET PageHeadText = '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'
      WHERE PortalID IN (SELECT PortalID FROM Portals)
      • Please take a full backup of the database before running the above queries.
      • Once the query is run, clear the server cache for the changes to take effect.

Testing

To test that the mixed content warnings are gone:

  1. Access the site, edit a page and access a module's settings.
  2. In your browser, press F12.
  3. View the console.

You should cease to receive any mixed-content warnings.

Comments

0 comments

Please sign in to leave a comment.