207

Is there a way to trick the server so I don't get this error:

Content was blocked because it was not signed by a valid security certificate.

I'm pulling an iframe of an HTML website into another website, but I keep getting the console (Chrome) error in the title of this question, and in Internet Explorer it says:

Content was blocked because it was not signed by a valid security certificate.

Philip Kirkbride
user3594437
  • It sounds like you are trying to access an insecure resource from a secure resource. I believe they have a similar problem [here](http://stackoverflow.com/questions/9280665/insecure-content-in-iframe-on-secure-page). – Fyona May 15 '14 at 21:07

8 Answers

303

Your resource probably uses a self-signed SSL certificate over the HTTPS protocol. Chromium, and therefore Google Chrome, blocks this kind of resource by default because it is considered insecure.

You can bypass this in the following way:

  • Assuming your frame's URL is https://www.domain.com, open a new tab in Chrome and go to https://www.domain.com.
  • Chrome will ask you to accept the SSL certificate. Accept it.
  • Then, if you reload your page with your frame, you will see that it now works.

The problem, as you can guess, is that each visitor of your website has to do this task to access your frame.

You may notice that Chrome will block your URL for each navigation session, while Chrome can memorise forever that you trust this domain.

If your frame can be accessed by HTTP rather than HTTPS, I suggest you use it, and this problem will be solved.

Rémi Becheras
  • 1
    I think when you open the other tab, you need to go to `https://domain.com` and accept the SSL cert. – Hozefa Aug 08 '14 at 00:04
  • @Hozefa Yes, that's it. – Rémi Becheras Aug 08 '14 at 19:14
  • 2
    @RémiBecheras, is there any way to get Chrome to remember to trust the certificate over multiple navigation sessions? – Felix Mar 01 '15 at 23:27
  • Not in Chrome directly. In fact, Chromium uses the OS certificate management system. If you run Linux, you can trust certificates using the certutil CLI: `certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n <certificate nickname> -i <certificate filename>` See https://code.google.com/p/chromium/wiki/LinuxCertManagement . If you run another OS, I don't know, but others must. – Rémi Becheras Mar 02 '15 at 08:35
  • 3
    In order to add such a rule, you have to get the certificate. If it's yours, you already have it. If you don't, click the https icon on the left of the address bar > certificate information > details > export. Then, use this file. – Rémi Becheras Mar 02 '15 at 12:42
  • 1
    This also worked for the weird case where a site was sending a request to the same domain (itself) which I had just approved continuing past the self-signed certificate but then Chrome was throwing this error. – Michael Aug 04 '15 at 16:59
  • 1
    Is there a way to do this kind of bypass through client side code? Meaning, can I program into the client "hey this server you're trying to access looks sketchy, but it's OK, trust me. I wrote you both, you're technically code brothers/sisters/gender neutral siblings"? – discodane Dec 04 '15 at 18:41
  • 1
    @discodane Developing/using a browser plugin, probably. Without that, just in JavaScript, definitely not. – Rémi Becheras Dec 05 '15 at 16:49
  • @RémiBecheras, so after making it work, how do I unaccept the certificate? – e-cloud Jul 19 '16 at 06:54
  • This also helped me http://superuser.com/questions/487748/how-to-allow-chrome-browser-to-load-insecure-content – taylorstine Jul 24 '16 at 15:54
  • +1 Just be careful of using HTTP instead of HTTPS. HTTPS confers many security benefits, so make sure you don't need them in your situation before changing to HTTP. – Kevin Jan 09 '17 at 21:25
  • Bypassing HTTPS is not a great solution. HTTP is insecure and development should integrate security as a primary element in the normal course of writing code. – Ken Ingram Feb 24 '21 at 16:14
33

Sometimes Google Chrome throws this error, even if it should not. I experienced it when Chrome had a new version, and it needed to be restarted. After restarting the same page worked without any errors. The error in the console was:

net::ERR_INSECURE_RESPONSE
Balazs Nemeth
8

I still experienced the problem described above on an Asus T100 Windows 10 test device for both (up to date) Edge and Chrome browsers.

The solution was in the date/time settings of the device; somehow the date was not set correctly (date in the past). Restoring this by setting the correct date (and restarting the browsers) solved the issue for me. I hope I save someone a headache debugging this problem.

  • I'm encountering a similar error on an Asus ZenBook running Windows 8. Unfortunately, this didn't work for me, but can you explain in more detail how you reset the date/time? Just by setting the time zone through the Windows UI? – DEls Apr 06 '17 at 07:31
  • @DEls, I switched timezones in Windows configuration - that reset the system clock for me. Did you restart the browser afterwards? If timing did not solve the problem you might have to look into the other solution described in this topic. – Sebastiaan Ordelman Apr 07 '17 at 09:20
  • I don't know why, but this worked for me. The year was set to 2048, changed it to current year and all fixed. Thanks @SebastiaanOrdelman – deanwilliammills Jun 04 '18 at 07:54
6

Offering another potential solution to this error.

If you have a frontend application that makes API calls to the backend, make sure you reference the domain name that the certificate has been issued to.

e.g.

https://example.com/api/etc

and not

https://123.4.5.6/api/etc

In my case, I was making API calls to a secure server with a certificate, but using the IP instead of the domain name. This threw a Failed to load resource: net::ERR_INSECURE_RESPONSE.

Liam George Betsworth
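The name mismatch described in this answer, together with the wrong-clock case from the answer before it, as an added example that is not part of any poster's code: a simplified JavaScript version of the name and validity-date checks a TLS client applies. The certificate fields and dates are constructed sample data, and only IPv4 literals are recognised.

```javascript
// Added example: the certificate below is constructed sample data.
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Match one DNS subjectAltName pattern against a hostname. A wildcard is
// honoured only as the whole left-most label and covers exactly one label.
function dnsNameMatches(pattern, host) {
  const p = pattern.toLowerCase().split(".");
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    label === h[i] || (i === 0 && label === "*" && p.length > 2));
}

// Return the reasons a client would refuse `cert` for `target` at time `now`.
// An empty array means the name and the dates are acceptable.
function certProblems(cert, target, now) {
  const problems = [];
  if (now < cert.notBefore) problems.push("not yet valid (check system clock)");
  if (now > cert.notAfter) problems.push("expired (check system clock)");
  // An IP literal is compared only against IP entries, never DNS entries.
  const matched = IPV4.test(target)
    ? cert.san.some(s => s.type === "IP" && s.value === target)
    : cert.san.some(s => s.type === "DNS" && dnsNameMatches(s.value, target));
  if (!matched) {
    problems.push("name mismatch: " + target + " is not in subjectAltName");
  }
  return problems;
}

// Constructed certificate: issued to example.com and *.example.com only.
const sampleCert = {
  san: [{ type: "DNS", value: "example.com" },
        { type: "DNS", value: "*.example.com" }],
  notBefore: new Date("2024-01-01T00:00:00Z"),
  notAfter: new Date("2025-01-01T00:00:00Z"),
};
const clockOk = new Date("2024-06-01T00:00:00Z");
const clockWrong = new Date("2048-06-01T00:00:00Z");

console.log(certProblems(sampleCert, "example.com", clockOk));
console.log(certProblems(sampleCert, "123.4.5.6", clockOk));
console.log(certProblems(sampleCert, "example.com", clockWrong));
```
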
6

Open up your console and hit the URL inside. It'll take you to the API page; then, in the page, accept the SSL certificate, go back to your app page and reload. Remember that SSL certificates should have been issued for your dev environment before.

Ramin Ahmadi
4

If you're developing, and you're developing with a Windows machine, simply add localhost as a Trusted Site.

And yes, per DarrylGriffiths' comment, although it may look like you're adding an Internet Explorer setting...

I believe those are Windows rather than IE settings. Although MS tend to assume that they're only IE (hence the alert next to "Enable Protected Mode" that it requires restarting IE)...

Jim G.
0

Try this code to watch for, and report, a possible net::ERR_INSECURE_RESPONSE

I was having this issue as well, using a self-signed certificate, which I have chosen not to save into the Chrome Settings. After accessing the https domain and accepting the certificate, the ajax call works fine. But once that acceptance has timed out, or before it has first been accepted, the jQuery.ajax() call fails silently: the timeout parameter does not seem to help and the error() function never gets called.

As such, my code never receives a success() or error() call and therefore hangs. I believe this is a bug in jQuery's handling of this error. My solution is to force the error() call after a specified timeout.

This code does assume a jquery ajax call of the form jQuery.ajax({url: required, success: optional, error: optional, others_ajax_params: optional}).

Note: You will likely want to change the function within the setTimeout to integrate best with your UI: rather than calling alert().

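```javascript
// How long to wait before assuming the HTTPS request failed silently.
const MS_FOR_HTTPS_FAILURE = 5000;

// Keep a reference to the original jQuery.ajax and replace it with a wrapper.
$.orig_ajax = $.ajax;
$.ajax = function(params)
{
  var complete = false;
  // The caller's own callbacks; the wrappers below run them at most once.
  var success = params.success;
  var error = params.error;
  params.success = function() {
    if(!complete) {
      complete = true;
      clearTimeout(timer);
      if(success) success.apply(this,arguments);
    }
  }
  params.error = function() {
    if(!complete) {
      complete = true;
      clearTimeout(timer);
      if(error) error.apply(this,arguments);
    }
  }
  var timer = setTimeout(function() {
    if(!complete) {
      complete = true;
      alert("Please ensure your self-signed HTTPS certificate has been accepted. "
        + params.url);
      // Call the caller's original error() directly: the wrapper in
      // params.error would do nothing now that complete is set.
      if(error)
        error.call(params, {},
          "Connection failure",
          "Timed out while waiting to connect to remote resource. " +
          "Possibly could not authenticate HTTPS certificate." );
    }
  }, MS_FOR_HTTPS_FAILURE);

  // Return the jqXHR so callers that use the return value keep working.
  return $.orig_ajax(params);
}
```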
JJ Stiff
0

This problem is because of your HTTPS, which means SSL certification. Try on localhost.

Eric Aya
Sachin from Pune