Page trying to load scripts from unauthenticated sources

[DaleB]

Every time I visit the EAA forums, I get an "Insecure content blocked" message from Chrome, and the page loads as plain text with no images, theme, etc. I suspect it's complaining about this:

Code:

<script type="text/javascript" src="http://eaaforums.org/clientscript/vb...-core.js?v=424"></script>

If I tell it to load the unsafe scripts, the page looks normal but the URL bar tells me the site is not secure.

Am I the only one?

[cwilliamrose]

Firefox 59.0.3 is not giving me any problems with this site.

[DBurr]

No problems here with Chromium 66.0.3359.139 build on Linux. I suspect it has to do with the EAA site not using encryption with an HTTPS URL and associated certificate, and your browser set up to flag unencrypted websites.

[DaleB]

No problems here with Chromium 66.0.3359.139 build on Linux. I suspect it has to do with the EAA site not using encryption with an HTTPS URL and associated certificate, and your browser set up to flag unencrypted websites.

I think so too. Note that it's an HTTPS URL with a valid cert and encryption, but then it has a link to an unencrypted http URL to load some accursed Javascript. Odd that it just started doing this a week or two ago; it's a recent problem. Don't know if it was a change on the EAA side, or a Chrome update that did it.

[DBurr]

Are you running a developer version of Chrome? For better or worse, starting in July Chrome 68 will begin flagging all http: sites as insecure as part of Google's push for end-to-end web encryption:

https://techcrunch.com/2018/02/08/ch...as-not-secure/

There's a lot of web politics for and against this, but the end result is going to be a lot of web brokenness for a while as sites like this slowly get around to fixing all their issues--like the one you just found.

[DaleB]

Nope. Chrome 66.0.3359.139 (Official Build) (64-bit)

Personally, I think requiring SSL everywhere is ridiculous. Yes, if there's PII, passwords, account numbers, etc. in transit, then absolutely it's needed. But for the other 99.99% of the average person's web browsing, it's simply not.

Take for example vansaircraft.com, or fisherflying.com, or - well, take your pick. SSL serves no useful purpose. If you want to encrypt everything, great -- but it shouldn't be a requirement. I have a personal web page, running on my own server, that has absolutely no facility for anyone to provide any personal information. No accounts, no logins, no nothing. Why should I have to pay for SSL certs, just to make Google happy? I couldn't care less if Google is happy.

Rant off.