Overview
This article provides information on how to resolve mixed-content warnings with pages and popups seen in the browser developer tools when using SSL offloading.
Prerequisites
- Access to a Superuser Account
Diagnosis
The warnings described above are possibly caused by a secured page (HTTPS), which contains unsecured links (HTTP) to some resources (images, scripts, etc.).
You can check for mixed content warnings in your browser by:
- In your browser, press F12.
- View the console.
Errors you should see in the console are:
- Internet Explorer
Only secure content is displayed. - Firefox
Firefox has blocked content that isn't secure. - Chrome
Mixed Content: The page at "" was loaded over HTTPS, but requested an insecure frame. This request has been blocked; the content must be served over HTTPS.
Mixed for popups will produce errors such as:
- Mixed Content: The page at 'https://www.site.com' was loaded over HTTPS, but requested an insecure frame 'http://www.site.com/ctl/edit/mid/540?popUp=true'. This request has been blocked; the content must be served over HTTPS.
It is failing with a popUp=true query string which is an indicator that the frame is a DNN modal popup.
You can also use some (external, 3rd-party) web tools that might help you determine which elements may be causing the mixed content:
- Geekflare's Mixed Content Test
- CrawlCenter's Mixed Content Checker
- LexiConn's Why No Padlock?
- Northwoods' Missing Padlock
Solution
-
Configure the SSL Offload Header Value as required by your load balancers.
Examples:-
Citrix supports custom headers and recommends using SSL_REQUEST
-
BigIP/F5 supports custom headers via their iRule rewrite function.
-
- Enable SSL for your site and pages.
-
If you see mixed-content errors whenever a pop-up modal is shown on the screen, you can disable the pop-ups that are requesting HTTP. To do so, navigate to Settings > SQL Console and run the following query:
UPDATE portalsettings
SET settingvalue = 'False'
WHERE settingname = 'EnablePopups' - (workaround) If you do not wish to disable pop-ups,
- Go to Persona Bar > Settings > Site Settings > Site Behavior.
- Under HTML Page Header Tags, add the text:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
This will affect all insecure content in the page, so you need to make sure that all the insecure links are available securely, otherwise, they will not be loaded.Note: If there are multiple portals on the site, the meta tag can be bulk updated by running the query in SQL Console:
UPDATE Tabs
SET PageHeadText = '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">'
WHERE PortalID IN (SELECT PortalID FROM Portals)- Please take a full backup of the database before running the above queries.
- Once the query is run, clear the server cache for the changes to take effect.
Testing
To test that the mixed content warnings are gone:
- Access the site, edit a page and access a module's settings.
- In your browser, press F12.
- View the console.
You should cease to receive any mixed-content warnings.
Comments
0 comments
Please sign in to leave a comment.