Page 1 of 2 12 LastLast
Results 1 to 10 of 17

Thread: Page trying to load scripts from unauthenticated sources

  1. #1
    DaleB's Avatar
    Join Date
    Sep 2015
    Location
    KMLE
    Posts
    423

    Page trying to load scripts from unauthenticated sources

    Every time I visit the EAA forums, I get an "Insecure content blocked" message from Chrome, and the page loads as plain text with no images, theme, etc. I suspect it's complaining about this:

    Code:
    <script type="text/javascript" src="http://eaaforums.org/clientscript/vb...-core.js?v=424"></script>
    Name:  plaintext.jpg
Views: 125
Size:  11.0 KB
    If I tell it to load the unsafe scripts, the page looks normal but the URL bar tells me the site is not secure.
    Name:  insecure.png
Views: 129
Size:  8.5 KB
    Am I the only one?
    Last edited by DaleB; 05-04-2018 at 05:08 PM.
    Measure twice, cut once...
    scratch head, shrug, shim to fit.

  2. #2
    cwilliamrose's Avatar
    Join Date
    Nov 2013
    Location
    SW Florida
    Posts
    125
    Firefox 59.0.3 is not giving me any problems with this site.

  3. #3
    DBurr's Avatar
    Join Date
    Aug 2011
    Posts
    9
    No problems here with Chromium 66.0.3359.139 build on Linux. I suspect it has to do with the EAA site not using encryption with an HTTPS URL and associated certificate, and your browser set up to flag unencrypted websites.

  4. #4
    DaleB's Avatar
    Join Date
    Sep 2015
    Location
    KMLE
    Posts
    423
    Quote Originally Posted by DBurr View Post
    No problems here with Chromium 66.0.3359.139 build on Linux. I suspect it has to do with the EAA site not using encryption with an HTTPS URL and associated certificate, and your browser set up to flag unencrypted websites.
    I think so too. Note that it's an HTTPS URL with a valid cert and encryption, but then it has a link to an unencrypted http URL to load some accursed Javascript. Odd that it just started doing this a week or two ago; it's a recent problem. Don't know if it was a change on the EAA side, or a Chrome update that did it.
    Measure twice, cut once...
    scratch head, shrug, shim to fit.

  5. #5
    DBurr's Avatar
    Join Date
    Aug 2011
    Posts
    9
    Are you running a developer version of Chrome? For better or worse, starting in July Chrome 68 will begin flagging all http: sites as insecure as part of Google's push for end-to-end web encryption:

    https://techcrunch.com/2018/02/08/ch...as-not-secure/

    There's a lot of web politics for and against this, but the end result is going to be a lot of web brokenness for a while as sites like this slowly get around to fixing all their issues--like the one you just found.

  6. #6
    DaleB's Avatar
    Join Date
    Sep 2015
    Location
    KMLE
    Posts
    423
    Nope. Chrome 66.0.3359.139 (Official Build) (64-bit)

    Personally, I think requiring SSL everywhere is ridiculous. Yes, if there's PII, passwords, account numbers, etc. in transit, then absolutely it's needed. But for the other 99.99% of the average person's web browsing, it's simply not.

    Take for example vansaircraft.com, or fisherflying.com, or - well, take your pick. SSL serves no useful purpose. If you want to encrypt everything, great -- but it shouldn't be a requirement. I have a personal web page, running on my own server, that has absolutely no facility for anyone to provide any personal information. No accounts, no logins, no nothing. Why should I have to pay for SSL certs, just to make Google happy? I couldn't care less if Google is happy.

    Rant off.
    Measure twice, cut once...
    scratch head, shrug, shim to fit.

  7. #7
    DBurr's Avatar
    Join Date
    Aug 2011
    Posts
    9
    Preaching to the choir Not sure why my personal build-log website composed entirely of static pages needs an SSL certificate, but apparently it does or I'm flagged as a miscreant.

  8. #8
    DaleB's Avatar
    Join Date
    Sep 2015
    Location
    KMLE
    Posts
    423
    Interested to hear from someone on the EAA side -- do you guys have any plans to fix this? It looks like just a matter of having a non-SSL URL calling scripts in an SSL page.It's a little annoying to have to load scripts manually every time the page loads.
    Measure twice, cut once...
    scratch head, shrug, shim to fit.

  9. #9
    EAA Staff / Moderator
    Join Date
    Jun 2017
    Posts
    38
    Hi Dale,

    At this point, we're not experiencing any issues with the problem you described. I am also running the Forums page on Chrome and it seems to be working fine. If we plan on making any changes to the Forums website, we'll let you know.

    Thanks.

  10. #10
    FlyingRon's Avatar
    Join Date
    Aug 2011
    Location
    NC26 (Catawba, NC)
    Posts
    1,973
    I'm sorry, Sam. But it is indeed broken NOW and on nearly every page of the site. Chrome marks these pages as unsafe. There are a few URLs that have "HTTP:" hardcoded in them in the protocol, both icons (which will also annoy Chrome's security sensibility) but also some of the scripts such as this line:

    <script type="text/javascript" src="http://eaaforums.org/clientscript/vb...-core.js?v=424"></script>



Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •