MyBB Community Forums

Full Version: Mixed content is causing bad display on Chrome
I have recently upgraded from 1.6.10 to 1.8.23, hoping to get rid of an annoying "mixed content" error behavior when viewing my forum using Chrome. 

The forum is www.maprecord.com/forum.

Themes are not being used when viewing the site with Chrome (no problems with Firefox, Safari, Edge or IE), and the Chrome debugger shows that the problem is due to the use of "mixed content": An attempt to access an insecure (http://) URL from a secure (https://) page.  This occurs even if I go to the forum URL using the insecure form: http://www.maprecord.com/forum

I have attached some of the error messages from the Chrome debugging window, as well as screen shots of the site seen in Chrome (bad) and seen in Firefox (good).

I have searched through the 1.8.23 sources but can find no hard-coded http:// addresses, so it feels like these are being constructed on-the-fly on the server side?
This seems like a configuration issue. Are you sure the board URL in the site settings of the admin panel is set to https://?
Nowhere else with http://?

If so, can you also double check inc/config.php (although you shouldn't change this file directly)? You could search for http:// and find out where it comes from.

Other than that, possibly it could be a theme issue -- but highly likely it's one of the above instead of this.
The board URL (as well as the homepage URL) in the admin site settings uses http://, not https://

So I don't understand why Chrome is seeing any part of the page as in secure (https) mode, particularly even in the case where the URL I explicitly type into the browser's address bar is http://www.maprecord.com/forum.

I looked into inc/config.php, and the only http:// found there is in comments (and there are no https:// occurrences there).

I looked into the themes folder, too, and only see individual theme folders (theme1, theme2, etc.) that themselves contain just css files with no http:// elements in them.
The website responds with a Strict-Transport-Security header (that may be included in your configuration files), instructing browsers to only use HTTPS. It's ignored when visiting using http://, but once it's encountered during a https:// visit, the directive is cached (~2 years in this case) and all future requests are redirected to https://.

We recommend switching to HTTPS one way or another: https://docs.mybb.com/1.8/administration...ity/https/
(2020-08-02, 08:00 PM) jeremypool wrote: The board URL (as well as the homepage URL) in the admin site settings uses http://, not https://

But some more searching indicates that Chrome looks up URLs from your searching history, and if you had ever used https:// with an address, then Chrome will force it to secure mode again, even if you type in http://!  If you clear your browsing history, then type in the URL (either with http:// or with no protocol name at all), then Chrome will not use the secure protocol, and everything displays fine.  This can also be tested out with a Chrome incognito window (which doesn't use the browser history to choose the protocol). This, too, produces good output with no mixed content errors.

So, in the end, there appears to be nothing wrong with my forum configuration, but I (and my customers) need to be a little careful when using Chrome to visit the forum.

Thanks to Devilshakerz for that information and the pointer to the support page about this issue.  I should convert the forum to use https.

My forum is hosted on A2 Hosting, a well-known, widely used web host provider that, of course, supports secure (https) connections.  The problem I raised was due entirely to my configuration, which specified, as its Board URL configuration, http://www.maprecord.com/forum.  When a client specifies the secure form of the forum address (https://www.maprecord.com/forum) in their browser, then the initial web page is served up securely, but javascript and css files used to construct the response are put together by the MyBB php code concatenating the Board URL setting with a particular js or css file.  In my case this resulted in a non-secure URL (e.g. http://www.maprecord.com/forum/jscripts/general.js), at which point Chrome noticed the case of a secure page (https://www.maprecord.com/forum) referencing an insecure URL, and stopped the normal processing due to this "mixed content" error.

So my problem would have been entirely solved by simply setting the Board URL configuration to specify the URL beginning with https:// rather than with http://.

A suggestion to the MyBB maintainers: Modify the help comment for the Board URL setting to indicate that the specified value should begin with http:// or https://.  Here is the current presentation of the Board URL setting and its help content:
[attachment=43155]
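
The Board URL concatenation described in the last post, as an added example that is not part of the thread and not MyBB's own code: it builds script and stylesheet tags from a Board URL and reports which ones would be mixed content on an https:// page. The host forum.example, the stylesheet path, and the helper names render_head and mixed_content are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample values modelled on the thread; not taken from a live site.
PAGE_URL = "https://forum.example/forum/index.php"
BOARD_URL_HTTP = "http://forum.example/forum"
BOARD_URL_HTTPS = "https://forum.example/forum"
ASSETS = ["jscripts/general.js", "themes/theme1/global.css"]


def render_head(board_url, assets=ASSETS):
    """Build <script>/<link> tags by joining the Board URL with each asset path."""
    tags = []
    for path in assets:
        url = board_url.rstrip("/") + "/" + path
        if path.endswith(".js"):
            tags.append(f'<script src="{url}"></script>')
        else:
            tags.append(f'<link rel="stylesheet" href="{url}">')
    return "<head>" + "".join(tags) + "</head>"


class SubresourceCollector(HTMLParser):
    """Collect script and stylesheet URLs, the two asset kinds named in the thread."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.urls.append(a["href"])


def mixed_content(page_url, html):
    """Return subresource URLs that resolve to http:// on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists when the page itself is https://
    collector = SubresourceCollector()
    collector.feed(html)
    # Resolve relative and protocol-relative references against the page URL first.
    resolved = (urljoin(page_url, u) for u in collector.urls)
    return [u for u in resolved if urlsplit(u).scheme == "http"]
```

Running mixed_content over a saved copy of a rendered forum page, with the https:// address as page_url, lists every asset that still inherits an http:// Board URL.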