
[confirmed] [web] https mixed content-warning

oliebol
When I browse the osu!-website a little shield-icon is shown in the address-bar of Google Chrome, and in the console an error-message pops up about https mixed content. In short: somewhere the script 'http://cse.google.com/coop/cse/brand' is used, which raises the error cause the page itself is loaded with https and that script isn't.

As for a screenshot (dunno if needed, but whatever) I'll just use the current page I'm looking at now:

I know I have waay too many Google Chrome plugins....

I know it's not really a big deal. It doesn't break anything. But it's one of those little things I just have to say something about.. I'm sorry :oops: (and imo it just looks better if there is no such warning :P)
Renevant
oliebol
basically yes
Wingman626

oliebol wrote:

When I browse the osu!-website a little shield-icon is shown in the address-bar of Google Chrome, and in the console an error-message pops up about https mixed content. In short: somewhere the script 'http://cse.google.com/coop/cse/brand' is used, which raises the error cause the page itself is loaded with https and that script isn't.

As for a screenshot (dunno if needed, but whatever) I'll just use the current page I'm looking at now:

I know I have waay too many Google Chrome plugins....

I know it's not really a big deal. It doesn't break anything. But it's one of those little things I just have to say something about.. I'm sorry :oops: (and imo it just looks better if there is no such warning :P)

i don't see how this is a problem? (unless you were connecting to a shady site of course)

i mean i do understand when things like this kind of make you think about what's being loaded and such (or maybe that's just me and my OCD, i don't know for sure)

but that error is not a problem.

let me put it in layman's terms:

the website you are connecting to, obviously osu.ppy.sh is using a secure connection to deliver you unto this website (hence the tag "HTTPS" at the beginning of url).

if you click the "LOCK" icon before the url and you click on the connection tab, it'll show you the certificate, who issued the certificate, and the type of encryption the website uses.

now, back to the error. the reason for the error? well since everything is loaded through a secure connection, the script is trying to load something that is not from a secured source, so this spits out an error (hence the description in the console: "This request has been blocked; the content must be served over HTTPS.")

imagine it this way
it's kind of like this. if you've been buying cars throughout your life from a trusted dealer, and then the dealer tries to reel you in to buy that car that's been sitting in the back that looks like it's run down (but actually could be running fine) would you buy it and take it home? well that common sense can be related to this.
oliebol
I know it's not really a problem (trust me, I know how http/https/ssl/certificate stuff works, I run a web-server myself). Hence the last sentence of my post. It's just that imo this feels ugly.

I'll put a little story here: the company I'm currently working at (they build web-based software and host them) had the same problem last week in one of their products, and it ended up pretty high on the agenda to fix that. I cannot really explain. It's merely a feeling. I know I'm making an issue that doesn't really exist.

Let's put it this way: I'm a random guy who sometimes makes nitpicking-comments that I just have a nagging feeling about..

I'm sorry.. :oops:
Wingman626

oliebol wrote:

I know it's not really a problem (trust me, I know how http/https/ssl/certificate stuff works, I run a web-server myself). Hence the last sentence of my post. It's just that imo this feels ugly.

I'll put a little story here: the company I'm currently working at (they build web-based software and host them) had the same problem last week in one of their products, and it ended up pretty high on the agenda to fix that. I cannot really explain. It's merely a feeling. I know I'm making an issue that doesn't really exist.

Let's put it this way: I'm a random guy who sometimes makes nitpicking-comments that I just have a nagging feeling about..

I'm sorry.. :oops:

ok, i can kind of see where you're coming from.

i'm not really sure if the unloaded script is exploitable in any way or form (i wouldn't want to find out anyway). it just looks like a css/html script for visuals (font types, colors, "parent and child nodes"; it looks like it's a script for 'appName == 'Microsoft Internet Explorer'..... ewww)

but i can understand the concern, and just because something doesn't look like anything at all, doesn't mean it's not capable of harboring something negative.
if you do have a gut feeling about this, i suppose there wouldn't be any harm in letting peppy know.
Eni
This is happening because someone placed a top-level reference to Google's CSE.

$.getScript('//www.google.com/coop/cse/brand?form=cse-search-box&lang=en');

This will result in a 302 to a default http:// connection.

Best to explicitly declare a connection to the new sub-domain instead.

$.getScript('//cse.google.com/coop/cse/brand?form=cse-search-box&lang=en');
oliebol
waaaaaait, whut, *quickly checks*
wow, ok, this is a first for me: an https-request that serves a redirect to an http-request... GOOGLE PLZ go home ur drunk.. *facepalm*
Oh and I also noticed that with that redirect all the GET-parameters got lost, so the resulting script probably doesn't even work... (heck, it isn't even working now, cause the request is blocked by Google Chrome cause of the http-script on https-page thing, dunno about other browsers)

Ok, so basically google has to fix their redirect-stuff, cause this is retarded...
In the meantime it's probably better to do what Project Railgun suggested: just request the script on its actual location. (yay, saves a request, hueueueue :P)

[quote=wingman626]if you do have a gut feeling about this, i suppose there wouldn't be any harm in letting peppy know.[/quote]
I thought i would by posting this stuff here..
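
Added example, not part of any post in this thread: a small Node.js check that resolves a protocol-relative script reference against the https page and walks its redirect chain to see whether any hop drops to http. The redirect table is constructed from what Eni and oliebol describe above (a 302 to http with the GET parameters lost); the function names and the page URL https://osu.ppy.sh/ are assumptions for illustration.

```javascript
// Constructed redirect table modelling the behaviour reported in the thread:
// the https www.google.com URL answers 302 to an http URL without the query string.
// A live audit would request each URL with redirects disabled and read Location.
const REDIRECTS = new Map([
  ['https://www.google.com/coop/cse/brand?form=cse-search-box&lang=en',
   'http://cse.google.com/coop/cse/brand'],
]);

// Resolve a (possibly protocol-relative) reference against the page URL,
// then follow the redirect table, bounded to avoid loops.
function traceResource(pageUrl, ref, redirects = REDIRECTS, maxHops = 5) {
  const chain = [new URL(ref, pageUrl).href];
  while (redirects.has(chain[chain.length - 1]) && chain.length <= maxHops) {
    const current = chain[chain.length - 1];
    chain.push(new URL(redirects.get(current), current).href);
  }
  return chain;
}

// A script load is mixed content when the page is https and any hop is not.
function checkScript(pageUrl, ref, redirects = REDIRECTS) {
  const pageIsSecure = new URL(pageUrl).protocol === 'https:';
  const chain = traceResource(pageUrl, ref, redirects);
  const insecureHop = chain.find((u) => new URL(u).protocol !== 'https:') || null;
  const first = new URL(chain[0]);
  const last = new URL(chain[chain.length - 1]);
  return {
    chain,
    insecureHop,
    mixedContent: pageIsSecure && insecureHop !== null,
    // True when the request started with a query string and ended without one.
    queryLost: first.search !== '' && last.search === '',
  };
}

const page = 'https://osu.ppy.sh/';
// Reference as originally used on the site, and the replacement Eni proposes.
const before = checkScript(page, '//www.google.com/coop/cse/brand?form=cse-search-box&lang=en');
const after = checkScript(page, '//cse.google.com/coop/cse/brand?form=cse-search-box&lang=en');
console.log('before:', before);
console.log('after: ', after);
```

The same chain walk works as a pre-deploy check for any third-party script tag: a protocol-relative URL only guarantees https on the first hop, not on what the remote host redirects to.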
[Kitty]
Problem Details:
On the osu! website, in Google Chrome, an icon is displayed in the right hand corner of the address bar indicating that insecure scripts have been loaded on the page.
This is due to a script that is loaded for the Google custom search engine that is used on the site, next to the "User" and "Beatmap" search bars at the top.
It would seem that it is actually Google's fault, being that Google returns an HTTP 302 redirecting to a non-ssl site, but nonetheless, it still causes a warning to appear, which may make some people slightly distraught with the security of the site.
Googling the issue has turned up an answer which recommends to copy the script and host it on a secure server.


Video or screenshot showing the problem:

osu! version: 20150414.2 (latest)
Arnold0
I can confirm, I can easily see it when I go to the site with Chrome on my phone as the SSL icon is orange instead of green and it says something like
"Your connection to osu.ppy.sh is secured with modern encryption technology. However this page include other resources which are not secured. etc..."

The wiki has similar errors due to images:
VeilStar
(Merged threads.)

Fixed on the main website.
It still happens on the wiki though (due to images). Links would have to be fixed/replaced there.

Leaving this thread here for now.

Edit; Confirming & moving to low priority.