: Firefox reports HTTPS page to contain non-secure elements When I visit our web site pages with IE over HTTPS, it reports the web site as protected (i.e. no elements are taken using HTTP). The
When I visit our web site pages with IE over HTTPS, it reports the web site as protected (i.e. no elements are taken using HTTP). The same page, when loaded to Firefox, causes Firefox to complain that some elements are non-secure. I checked the source code of the page and the list of resources of the page (Firefox displays the list of resources) - there are no http resources, only HTTPS ones are listed.
The question is - how do I diagnose, what resources (images or CSS or JavaScript) are loaded using HTTP and not HTTPS? I assume that some plugin is needed. Firebug doesn't have anything helpful, as it seems.
Update:
The mystery has been discovered. Under certain [rare] combination of conditions Facebook instead of providing a PNG image of the page statistics (embedded into the page) reports the error (some HTML via Javascript). As the original resource is a PNG, Firefox simply doesn't display that PNG, but seems to execute the javascript code, sent by Facebook. Obviously, this JavaScript could not be easily tracked as it was not being displayed or even mentioned anywhere (except maybe deep in the DOM inspector). Changing the conditions eliminated the erroneous javascript. However, the question regarding the tool that would help discover such "hidden" code and other resources remains actual.
More posts by @Odierno851
4 Comments
Sorted by latest first Latest Oldest Best
Grab the add-on Httpfox.
After the installation, restart the browser and you'll have a new icon in your status bar. Right-click it and choose "Open in a new window". In that way, you can maximize the window and get a faster overview of all URL's. Press Start and reload your page.
Alternatively, use the Web developer toolbar to get a list of all images, CSS and Javascript files.
Something like Fiddler should be able to catch all http related traffic between your browser and any web servers required to load a page.
You could try www.webpagetest.org/
Run your https URL through the site, then click on the 'waterfall view'. All resources loaded over https will display a padlock icon. Those loaded over http won't. Here's what the output for twitter.com looks like, for example:
Just view the source code and look for anything that is loaded with and not . Any basic text editor can do this quickly for you. Be sure to check
JavaScripts
Stylesheets
Images
Objects
Frames
update
Scripts and widgets from other sites like Facebook
Favicon
Make sure you manually check as Firefox may not be reporting all resources on the page. Just media.
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.