[SOLVED] HTTPS - insecure content checkout

[jetx]

Checkout page (quick-order) is displaying insecure content, specifically the thumbnail images displayed next to product description at checkout. As it appears the image links are absolute paths rather than relative I cannot see how to fix this.

 

Any suggestions please?

[jetx]

Ok, possibly this has something to do with it. I am using a CDN (Max), SSL using my own cert (rather than their shared cert) requires a cname and custom cert (including the cname) which I have. So looking at an image at checkout the url is https://shop.mydomain.com/748-small_default/lg-ca-484ctq.jpg

 

The actual shop url while checking out is https://www.mydomain.com/quick-order.

 

If any expert here can advise any fix this type of scenario. Can a re-write rule in htaccess solve this? Don't really want to experiment on a live site but need this issue resolved, or I need to disable the CDN.

 

Thanks.

[jetx]

Further inspection of the element and it appears to be not CDN related. Chrome Dev Tools points to this:

 

[blocked] The page at 'https://www.mydomain.com/quick-order' was loaded over HTTPS, but ran insecure content from 'http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js': this content should also be loaded over HTTPS.

Edited July 2, 2014 by jetx (see edit history)

[jetx]

I wasted a lot of time on this. The error was caused by a mod (whos online). Disable the mod and the error disappears. Damned annoying waste of time, sloppy code.

 

edit: of course if I had used chrome's dev tools to begin with I would have found the culprit immediately!

Edited July 2, 2014 by jetx (see edit history)

[Mister Denial]

I wasted a lot of time on this. The error was caused by a mod (whos online). Disable the mod and the error disappears. Damned annoying waste of time, sloppy code.

 

edit: of course if I had used chrome's dev tools to begin with I would have found the culprit immediately!

 

Hi jetx,

 

I am experiencing a similar problem, could you please explain a bit more in detail what was causing the error?  I would really appreciate pointers on this!

 

Thanks in advance!

 

Dan

[jetx]

Hi Dan,

 

That particular error was caused by that mod whois online, since been fixed I believe. However, the error you're having I believe was related to the search block as described here: http://www.prestashop.com/forums/topic/346307-chrome-ssl-error/?view=findpost&p=1819529 Which I realise you have been part of that discussion, so just made this post for any others who are searching for SSL errors.

[Mister Denial]

 

That particular error was caused by that mod whois online, since been fixed I believe.

 

Hi jetx,

 

do you know if there has been a module update with the fix already, or only on github?

[jetx]

With regards to blocksearch, so far as I am aware there has been no official update to the mod.

[bellini13]

The issue will not be fixed until someone opens a bug report or submits the change themselves to Github.  Prestashop developers probably don't know that the issue even exists.

[El Patron]

Bellini, has excellent point.

 

Please open bug report here: http://forge.prestashop.com/

 

after opening the bug report, please post that reports URL back here for others to follow/comment/vote up.

 

developers have been very responsive to issues.

 

thanks

[Vincent Terenti]

Dear all,

 

We already fixed this issue.

 

Please apply this correction to solve this problem : https://github.com/PrestaShop/PrestaShop/commit/15818a849ab1e93222d2b26d52e03777cd7362f6

 

 

Best regards!

[bellini13]

Vincent, that only fixes the issue if you are using the default-bootstrap theme. 

 

The template files included with the base modules still have this issue.

https://github.com/PrestaShop/blocknewsletter/blob/master/views/templates/hook/blocknewsletter.tpl
https://github.com/PrestaShop/blocksearch/blob/master/blocksearch-top.tpl

[Vincent Terenti]

Hi Bellini13,

 

This is a default-boostrap theme issue, so we corrected the problem on the default-bootstrap theme to keep the retrocompatibility with all PrestaShop versions

[bellini13]

Sorry Vincent, that does not make sense.  The issue is not only a default theme issue, the base module includes template files and those template files are programmed incorrectly.

 

The issue is not resolved

[Vincent Terenti]

Hi Bellini13,

 

If we upgrade these modules, the retrocompatibility of all shops wich are not in the last version of PrestaShop will be broken...

[bellini13]

Retrocompatibility of which versions of Prestashop?

 

First of all, the modules in question (blocknewsletter and blocksearch) have a min compliancy of PS v1.6

$this->ps_versions_compliancy = array('min' => '1.6', 'max' => _PS_VERSION_); 

Second, Link::getPageLink has $ssl as the second parameter going back to PS v1.4

 

PS v1.4

public function getPageLink($filename, $ssl = false, $id_lang = null)

PS v1.5

public function getPageLink($controller, $ssl = null, $id_lang = null, $request = null, $request_url_encode = false, $id_shop = null)

PS v1.6

public function getPageLink($controller, $ssl = null, $id_lang = null, $request = null, $request_url_encode = false, $id_shop = null)

[Vincent Terenti]

Both search and home page are not using https.

 

If you do like this you will have an automatic redirection on the search page.

[bellini13]

Both search and home page are not using https.

 

If you do like this you will have an automatic redirection on the search page.

That is your assumption, but that does not mean users have not forced SSL on every page. 

 

The point here is that if left unchanged, then you have insecure content warnings from major browsers.  The form actions should contain a secure URL, if a redirect occurs, then a redirect occurs. That does not break anything or introduce "Retrocompatibility" issues.

[Vincent Terenti]

Hi Bellini,

 

Chrome made a change which create this issue.

 

We consider this problem which break the default-boostrap theme and all themes.

 

That's why we corrected the default-boostrap theme. We gave all the tools to help merchants to correct their, but we can not correct all the themes.

[Mister Denial]

That is your assumption, but that does not mean users have not forced SSL on every page. 

 

This is also an issue if you have not forced SSL - for example, in the case of my shop, which does not force SSL on all pages, I still got error warnings in Chrome on the checkout pages, which by default use https even if the rest of the website does not.

 

And having SSL warnings on the checkout page, that's pretty bad for customer trust right before he's deciding whether to commit to a purchase or not.

[Vincent Terenti]

Dear all,

 

We spoke again with the developpers about this issue, and they corrected Blocksearch and Blocknewsletter, here are the comits :

 

https://github.com/PrestaShop/blocknewsletter/commit/0d8a3bc0ecdf6e94d337701a7d7b48a71e0dd696

 

https://github.com/PrestaShop/blocksearch/commit/8df3bf5f070e920b208a51f31d16ca6404ba412f

 

 

Best regards,

[ps3z]

This is also an issue if you have not forced SSL - for example, in the case of my shop, which does not force SSL on all pages, I still got error warnings in Chrome on the checkout pages, which by default use https even if the rest of the website does not.

 

And having SSL warnings on the checkout page, that's pretty bad for customer trust right before he's deciding whether to commit to a purchase or not.

Yes you are definitely right about this.customers are calling us and they are reporting about it so they are annoying to purchase an item

 

we are expecting to see "New Updates for modules"

[Mister Denial]

Yes you are definitely right about this.customers are calling us and they are reporting about it so they are annoying to purchase an item

 

we are expecting to see "New Updates for modules"

 

I believe there are updates available already for both, I updated my shop yesterday and compared the code to the github fixes to make sure the issue was corrected, and it seems so. For now, now more SSL warnings on my shop, so it looks good.

[the.rampage.rado]

Same here. Can't see which module serve unsecure content but when I'm on 'secure' page I get warnings in the browser.

I only have facebook slider and yotpo v2 modules on checkout but when both of them are disabled the warnings still appear. 

[Mister Denial]

Same here. Can't see which module serve unsecure content but when I'm on 'secure' page I get warnings in the browser.

 

I only have facebook slider and yotpo v2 modules on checkout but when both of them are disabled the warnings still appear. 

 

I believe that if you use a tool like Pingdom, you can see all connections including those in https or regular http - same for Firebug or Chrome console. That should help you locate which resource on your page is not loading secure.

[the.rampage.rado]

Thank you!

Didn't know that the Chrome console give such information. Turns out it's the background image - it's called using http, simple fix in the theme editor (adding 's') and it's done.

[Mister Denial]

Thank you!

 

Didn't know that the Chrome console give such information. Turns out it's the background image - it's called using http, simple fix in the theme editor (adding 's') and it's done.

 

Glad I could help and that you could fix the issue! :-)

[magpole]

I fixed the error on computer.

But don't know how to fix the mobile side.

Using: prestashop 1.4.11

           mobile theme module by prestashop

Please help

 

Thanks

[rajansinha02]

Hi

 

After updating the link,php getting following error

 

Strict Standards: Declaration of Link::getCategoryLink() should be compatible with LinkCore::getCategoryLink($category, $alias = NULL, $id_lang = NULL, $selected_filters = NULL, $id_shop = NULL, $relative_protocol = false) in /public_html/override/classes/Link.php on line 219

 

Help

 

Using 1.6.0.8