: Why does navigating to http:// then redirect to https:// give mixed content warning? If I directly navigate to https://scotthelme.co.uk I get a green TLS indicator in the address bar. If I navigate

@Harper822

I took a look at your links and did the whole HTTP to HTTPS transfer, and in Dragon (a Chromium custom build) using Incognito mode, it did not issue any alerts or errors.

However, that being said, I did look at your DOM structure and you are linking to:


scotthelme.com
ajax.cloudflare.com
themes.googleusercontent.com
i.creativecommons.org
fonts.googleapis.com
api.flattr.com
apis.google.com
disqus.com
platform.twitter.com


and while some of these are linked directly, some of them are linked via your inclusion of their third-party scripting. Keep in mind that when you do that, it often leaves you open to the other parties modifications. This means if they happen to link to an item that is not being delivered through HTTPS you will inherit this mixed content and it will flag on your end too.

When including outside sources, the best thing to do is validate the provenance (origin) of the information you are linking to and make sure they are as you expect them to be or don't link to them. Most of the time, as long as the mixed content is not malicious you are fine, but it can turn some people off when they get the warning and don't know better.

Hope some of this helps you out. When possible, put the resources you want to use locally on your own server and link to those from there. Also, given we know the very first item is not secure, linking to it is a bad idea and would most likely always generate this warning.

Vote Up Vote Down