1

In my Rails app I use both Rails' native form_tag method and the simple_form_for method provided by the simple_form rubygem.

Both of them are leading to the following warning in the chrome console:

Mixed Content: The page at 'https://example.com' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://example.com'. This endpoint should be made available over a secure connection.

And indeed, the rendered HTML forms use the http protocol for their action attribute.

What is the reason for that? All my other URL's use the https protocol.

heroxav
  • 1,387
  • 1
  • 22
  • 65
  • Your form has http protocol specified? Usually it only has a relative path, doesn't it? How you created the form? – EJAg Oct 08 '17 at 22:05
  • @EJ2015 I've used either `simple_form_for(@object)` / `form_tag(some_url)` -> no relative paths – heroxav Oct 09 '17 at 05:13

1 Answers1

3

You have not correct protocol set up for your environment.

Your server is running on HTTPS and form creates HTTP URL.

You need to tell your URL helpers to build the URLs with the same protocol as your server is running for your environment.

Development should run on HTTP, staging should be HTTPS and production as well HTTPS.

There are different ways how to do it. The best is to set protocol in your environment config file. So place this line:

Rails.application.routes.default_url_options[:protocol] = 'https'

into your environment config file like production.rb and staging.rb.

Another approach is to set the default protocol per controller action. Check this one for more info.

In case you are using the mailer, also check your mailer protocol settings. As described here.

vitulicny
  • 321
  • 2
  • 11