Allowing issues while forcing SSL for all

November 16, 2018

<RANT>

Working on a freelance site, a basic WP template install and content massage. Been working on it for multiple weeks, not because it is a difficult site but the normal ebb and flow of content, added requests, and similar from the client as all of us in this space are used to.

Anyhow, I am also hosting it on my DV server but couldn’t work on it via their container I set up, or rather didn’t want to, using the IP tilde my domain nonsense that makes it tough for DB-related work and the potential migrations etc., so I worked it on my client’s subdomain which is not secured, i.e. no SSL.

Long story short, after the long and painful migration of many GBs of data, migrating the DB, finally feeling good enough to point their DNS to my server, setting up the SSL that I was not able to set until the DNS was pointed correctly, I began testing the site running within the new container knowing there would be the normal missed links and image paths that needed quick adjustments.

I worked through all of those and then at 2:30 something am, clicking around every page to make sure I didn’t miss anything (and probably still have and will solve over the next few days), I clicked on a YouTube video, loaded through a WP plugin, to find it not working. I checked the link, recalling issues with it initially in dev, and after a few minutes, tired and not seeing or thinking straight, I finally looked at the code via inspector and console to find that YouTube is returning an iframe to the page and the problem was then immediately obvious. Even though it is an iframe and my inputted URL has https://, YouTube is sending back http:// content.

How can this be, I ask myself, and back to the post title, with Chrome (a Google product) and others more or less forcing us all to SSL land for even basic non-commerce sites which really have no need for an SSL by telling users our sites are not secure even if zero risk, making them wary to even click into the site or stay on the page they’ve hit. Yes I get hacking and blah blah blah but most everyday small business sites and blogs are not doing anything malicious or truly requiring an SSL.

So the real question is why the EXPLETIVE would Google, who also owns YouTube, allow their returned iframe, even when requested via https://, to come back as http://, thus not rendering and in some browsers breaking your SSL secure page for mixed content, all the while they are forcing us to use SSL and https:// on even basic content and blog type sites.

Anyways… After over an hour researching only to find many many people complaining about it, back to 2014 if not earlier even, the solution was not forthcoming. Updating directives in Apache being one option, many examples on changing https:// to http:// via htaccess, but if you are like me, a creative with some code skills, even if somewhat advanced for a creative, and aren’t a server admin or a regular expression master, you cannot solve this in that manner; none of the examples are helpful, including the many from the WP bloggers with ridiculous blog names (I won’t mention but silly really).

I finally came to the answer on Stack Exchange (https://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site) from user user2523022, which is hilarious in itself.

Adding this simple meta tag below within the <head> tag solved my issues, and only took me an hour and a half to locate. Mind you, it was NOT on a YouTube or Google documentation site, was NOT on any of the ridiculously named supposedly WP expert blog sites, but here it is:


<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

</RANT>
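
An added example, not part of the original post: a small Python audit that lists the http:// subresources in a page (such as the plugin-generated iframe) and reports whether an upgrade-insecure-requests meta tag appears before them in the markup. The sample page, its URLs and the VIDEO_ID placeholder are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags whose src attribute triggers a subresource load (plain <a> links are navigations).
SUBRESOURCE_TAGS = {"iframe", "img", "script", "embed", "video", "audio", "source"}

class MixedContentAudit(HTMLParser):
    """Collect http:// subresources and note whether the upgrade directive precedes them."""

    def __init__(self):
        super().__init__()
        self.upgrade_seen = False  # CSP <meta> with upgrade-insecure-requests seen so far
        self.findings = []         # (tag, original_url, upgraded_url, covered_by_meta)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            directives = [d.strip().lower() for d in a.get("content", "").split(";")]
            if "upgrade-insecure-requests" in directives:
                self.upgrade_seen = True
            return
        url = a.get("src", "").strip() if tag in SUBRESOURCE_TAGS else ""
        if url.lower().startswith("http://"):
            upgraded = "https://" + url[len("http://"):]
            self.findings.append((tag, url, upgraded, self.upgrade_seen))

def audit(html):
    """Return the list of insecure subresource findings for one HTML document."""
    parser = MixedContentAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page (hypothetical URLs), modelled on the iframe described above.
SAMPLE = """<html><head>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head><body>
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://example.com/logo.png">
<a href="http://example.org/">outbound link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, upgraded, covered in audit(SAMPLE):
        status = "upgraded by meta tag" if covered else "mixed content, not upgraded"
        print(f"<{tag}> {url} -> {upgraded} [{status}]")
```

The directive rewrites the request to https:// with no fallback, so a resource whose host does not serve HTTPS will fail to load rather than arrive over http://.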

    Hello! My name is James Einspahr and I’m a Creative Director & Digital Strategist based in Denver, Colorado