73

I have a page with some D3 javascript on. This page sits within a HTTPS website, but the certificate is self-signed.

When I load the page, my D3 visualisations do not show, and I get the error:

Mixed Content: The page at 'https://integration.jsite.com/data/vis' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://integration.jsite.com/data/rdata.csv'. This request has been blocked; the content must be served over HTTPS.

I did some research and all I found what the JavaScript will make the call with the same protocol that the page was loaded. So if page was loaded via https then the rdata.csv should also have been requested via https, instead it is requested as http.

Is this because the certificate is self-signed on the server? What I can do to fix this, other than installing a real SSL certificate?

Super Kai - Kazuya Ito
  • 22,221
  • 10
  • 124
  • 129
J86
  • 14,345
  • 47
  • 130
  • 228
  • 1
    Maybe [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) would help (for free and real SSL certs, check out [letsencrypt](https://letsencrypt.org/)...) – n00dl3 May 23 '16 at 09:53

11 Answers11

43

What I can do to fix this (other than installing a real SSL certificate).

You can't.

On an https webpage you can only make AJAX request to https webpage (With a certificate trusted by the browser, if you use a self-signed one, it will not work for your visitors)

Tom
  • 4,666
  • 2
  • 29
  • 48
  • I moved the code to an environment where proper `HTTPS` is in place, but still have the same issue! – J86 May 23 '16 at 12:43
  • If the data you request is not in the same domain, the domain providing the data must allow it with CORS or JSONP. What does your browser console says now? – Tom May 23 '16 at 13:39
  • It says the exact same thing, and it is sitting within the same domain. By the way, what I mean by proper `https` is that it is now green, and browser says `This page is secure (valid HTTPS)` Where as before the `https` was red and the browser said `This page is insecure (broken HTTPS)`. – J86 May 23 '16 at 14:13
  • In your JS code, for the AJAX request, do you specify https for the url? – Tom May 23 '16 at 14:21
  • 2
    No, I use a relative path, for example `../data/rdata.csv` – J86 May 23 '16 at 14:29
  • 2
    In the network console, do you see that request? Is it https (it should because your main page is https and you use relative path)? Are you sure that request doesn't redirect to http? – Tom May 23 '16 at 14:32
  • Can we except one URL or domain using htaccess? – Sohil Sardhara Oct 04 '21 at 12:38
32

Steps to Allow Insecure Content in Chrome

To allow insecure content on individual sites within Chrome, click on the lock icon in the URL bar, then click 'Site settings'.

enter image description here

There you will see a list of various permissions the page has. Choose 'Allow' next to 'Insecure content'.

enter image description here

Now your HTTPS site can access HTTP endpoint

Smack Alpha
  • 1,828
  • 1
  • 17
  • 37
22

I had the same issue for my angular project, then I make it work in Chrome by changing the setting. Go to Chrome setting -->site setting -->Insecure content --> click add button of allow, then add your domain name [*.]XXXX.biz

Now problem will be solved.

user2791178
  • 333
  • 2
  • 7
17

You will be able to solve the error by adding this code to your html file:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />

If any solutions don't work, try this solution.

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Super Kai - Kazuya Ito
  • 22,221
  • 10
  • 124
  • 129
13

I solved the problem adding a slash at the end of the requesting url

This way: '/data/180/' instead of: '/data/180'

Flavio Lopes
  • 187
  • 1
  • 5
3

As for me, I had same warning.

I fixed it at URL request. I had excessive '/'.

Before: const url = ${URL}search/movie/?api_key=${API_KEY}&query=${movie};

After: const url = ${URL}search/movie?api_key=${API_KEY}&query=${movie};

Mykhailo Kutsyi
  • 31
  • 4
1

Add <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests"> to the html file, this would solve the issue.

You can read more on Mozilla Develop Doc

Balogun Ridwan Ridbay
  • 574
  • 4
  • 7
0

I had the same problem but from IIS in visual studio, I went to project properties -> Web -> and project url change http to https

Daniel Jesus Cristobal Rojas
  • 19
  • 4
0

One solution here server side end point which you access via https, which then makes the call to whichever http url, and then and returns the result. In other words, making your own little HTTPS proxy to access the http resource

Jack
  • 871
  • 1
  • 9
  • 17
0
update core_config_data 
set value='X-Forwarded-Proto' 
where path='web/secure/offloader_header'
Peter Csala
  • 17,736
  • 16
  • 35
  • 75
Artem Klymov
  • 1
  • 4
    As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 09 '21 at 01:38
-15

this is easy,
if you use .htaccess , check http: for https: ,
if you use codeigniter, check config : url_base -> you url http change for https.....
I solved my problem.

YakovL
  • 7,557
  • 12
  • 62
  • 102
Wilmer
  • 1