Chrome "Mixed Content" errors


(Olav Folland) #1

N00b pod owner here, and my pod bobspora.com is mostly chugging along happily for the last 48 hours or so, but some of the assets are not loading. Chrome is reporting

“Mixed Content: The page at ‘’ was loaded over HTTPS, but requested an insecure font ‘’. This request has been blocked; the content must be served over HTTPS.”

And I’m assuming at this point there’s either a problem with the socket (which is new to me) or something buried in dispora.yml (which is obviously also new to me), but I’m not seeing anything obvious, and I’m not sure which config files/sections of config files are relevant to even post.


(Benjamin Neff) #2

Did you set the url or an assets host without https:// in the diaspora.yml? You probably need to precompile your assets again for these settings to take effect.


(Olav Folland) #3

Thanks, I’d had it still set as default, and then compounded the problem by trying to recompile the wrong way.


#4

There’s a related problem that you may wish to be aware of, relating to the protocol that users use to post images in their posts. Sometimes, an image might be linked using http:// instead of https://, but not much you can do to prevent that, i think. However, there is a solution…

So, there are two things you can do to get rid of the mixed content problem and improve the security of your site and the privacy of the users.

  1. enable CSP in config\diaspora.yml. Make the following change to your configuration file:
    csp:

      ## Report-Only header (default=true)
      ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
      ## this to false, the "Content-Security-Policy" header is added instead.
      report_only: false
  1. Use camo ssl image proxy. Aside from privacy benefit, it will ensure that all images displayed on your site are grabbed using https:// rather than whatever the original poster linked in their post. So, this will also help to eliminate the mixed content problem.

HTH.