PoliteCaptcha Https Issue MVC Razor

Question

I am using PoliteCaptcha as follows:

<div class="form-container"> 
@using (Html.BeginForm("LogOn", "Account", new { ReturnUrl = Request.QueryString["ReturnUrl"] }, FormMethod.Post, new { id = "formLogOn" }))
{
  @Html.TextBoxFor(model => model.UserId, new { id = "textBoxUserId", placeholder="Enter your username" })<br />
  @Html.ValidationMessageFor(model => model.UserId)<br />

  @Html.PasswordFor(model => model.Password, new { placeholder="Enter your password" })<br />
  @Html.ValidationMessageFor(model => model.Password)<br />

  @Html.SpamPreventionFields()

  <input type="submit" id="ButtonLogOn" value="LoginButton" class=" button" />
}
</div>
<div id="validationSummary">
    @Html.Partial("_AjaxValidationSummaryPartial")
</div>

@if (Model != null && !Model.ShowCatcha)
{
  @Html.SpamPreventionScript()
}

This works fine but not when it goes live on a https domain. I get error:

Mixed Content: The page at 'https://www.domain.com/log?ReturnUrl=%2Fadmin' was loaded over HTTPS, but requested an insecure script 'http://www.google.com/recaptcha/api/challenge?k=6LcAAAAOQuMiKA-yCo4HZPp4gy-T0x7CaX'. This request has been blocked; the content must be served over HTTPS.

Is there a way you could replace "http://www.google.com/recaptcha/" with "https://www.google.com/recaptcha/" ( with httpS: ) ? — TTT, Apr 29 '15 at 09:41
Try searching instead of waiting three weeks and adding a bounty: [Why am I suddenly getting a “Blocked loading mixed active content” issue in Firefox?](http://stackoverflow.com/questions/18251128/why-am-i-suddenly-getting-a-blocked-loading-mixed-active-content-issue-in-fire), [How to fix a website with blocked mixed content](https://developer.mozilla.org/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content). — CodeCaster, Apr 29 '15 at 09:49
[Nuget Google reCAPTCHA for MVC 4 and 5](https://www.nuget.org/packages/reCAPTCH.MVC/) and [Demo and Document](http://recaptchamvc.apphb.com/) — Sender, Jun 19 '15 at 13:55

score 1 · Accepted Answer · answered Apr 29 '15 at 09:46

1

You're requiring insecure content from a secure connection, and this is usually strongly discouraged.

I checked PoliteCaptcha source code and there is no reference to JS file; for this reason it should be very easy to fix.

Locate your script tag and simply delete the protocol prefix.

Change this

<script src="http://www.google.com/recaptcha.js

To this

<script src="//www.google.com/recaptcha.js

The browser will figure out automatically the protocol to use, and get rid of the problem.

answered Apr 29 '15 at 09:46

Vincenzo

1,549
1
9
17

Check again https://github.com/NuGet/PoliteCaptcha/search?utf8=%E2%9C%93&q=RenderControl. Ultimately calls to this https://code.google.com/p/recaptcha/source/browse/trunk/recaptcha-plugins/dotnet/library/RecaptchaControl.cs#358 – JJS May 04 '15 at 00:09

JJS · Answer 2 · 2015-05-06T16:54:41.913

It's very possible that you're behind a reverse proxy, and the api that RecaptchaControl uses to generate the scripts is not detecting Context.Request.IsSecureConnection correctly. Could you let us know what value Context.Request.IsSecureConnection returns?

https://code.google.com/p/recaptcha/source/browse/trunk/recaptcha-plugins/dotnet/library/RecaptchaControl.cs#358

@Html.SpamPreventionFields() is an IHtmlString, so you could just create a page variable and do some String.Replacing on it...

@{
var preventionFields = Html.SpamPreventionFields().ToHtmlString().Replace("http:", "https:")
}

and in your form

@Html.Raw(preventionFields)

PoliteCaptcha Https Issue MVC Razor

2 Answers2