Mixed content warning on all HTTPS pages for homepage

[aliaspt]

Hi guys,

I was able to fix the blocksearch related issue on HTTPS pages but I haven't found how to fix the warning related to the home page. Chrome dev tools show this:

 

Mixed Content: The page at 'https://domain.com/contact-us' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http:/domain.com/'. This endpoint should be made available over a secure connection.

 

Any advice please? Thank you in advance.

Edited July 7, 2015 by aliaspt (see edit history)

[bellini13]

view the source of the contact-us page and locate the form that is using http instead of https

[vekia]

check your page with https://www.whynopadlock.com/

you will see files that arent loaded via secured protocol

[bellini13]

its not a file that is being loaded, its a form whose action is not secure.  does that website detect insecure form actions?

Edited July 8, 2015 by bellini13 (see edit history)

[vekia]

yes it does, whynopadlock detects all things that can remove green padlock from address bar 

[aliaspt]

view the source of the contact-us page and locate the form that is using http instead of https

When I view the source of the page, there are plenty of links with http, such as the product in the shopping cart, all categories and subcategories, brands, social media links, etc. Am I looking at the wrong stuff? I get the mixed content error for the home page only.

 

Thank you.

[aliaspt]

vekia, I have done that on whynopadlock.com and it showed the following:

 

Insecure <form> call.
Found on line # 1 in file: mydomain.com/contact-us

(Note: Chrome will show a security error for any secure page with an insecure <form> call on the page)

 

I am not entirely sure what it means or how to fix it.

 

Thank you.

 

check your page with https://www.whynopadlock.com/

you will see files that arent loaded via secured protocol

[aliaspt]

I should probably mention that the insecure <form> call is always on line #1 for all the https pages I've checked on whynopadlock.com.

[vekia]

so you haven't got green padlock only on contact-us page?

[aliaspt]

so you haven't got green padlock only on contact-us page?

 

The contact page was just an example. Like the title says, it is an issue on ALL HTTPS pages.

[vekia]

but the issue reported by whynopadlock everywhere is the same ?

it's important

 

what appears there if you check homepage of your shop?

[aliaspt]

but the issue reported by whynopadlock everywhere is the same ?

it's important

 

what appears there if you check homepage of your shop?

 

The home page is not https and it gets redirected to http when tested on whynopadlock.

 

I've checked /contact-us, /quick-order, /my-account, /order-history, /identity (i.e., pretty much all HTTPS pages), and they all give the same error on whynopadlock:

Insecure <form> call.

Found on line # 1

 

And Chrome dev tools show:

Mixed Content: The page at 'https://mydomain.com/----' was loaded over a secure connection, but contains a form which targets an insecure endpoint 'http://mydomain.com/'. This endpoint should be made available over a secure connection.

 

Thank you.

[bellini13]

as I said already, view the source of the contact-us page.  search for <form or action and you will find an insecure UTL there.  it may not start with http or https if it is a relative path

 

its going to look something like this

<form action="/some/insecure/url" >

[aliaspt]

 

as I said already, view the source of the contact-us page.  search for <form or action and you will find an insecure UTL there.  it may not start with http or https if it is a relative path

 

its going to look something like this

<form action="/some/insecure/url" >

 

By the source, do you mean right click on the page in a browser and view source or look at the code somewhere?

Thank you.

[aliaspt]

 

as I said already, view the source of the contact-us page.  search for <form or action and you will find an insecure UTL there.  it may not start with http or https if it is a relative path

 

its going to look something like this

<form action="/some/insecure/url" >

 

Hey, I think I found it. It appears to be related to the newsletter block.

[aliaspt]

The solution I found here (https://github.com/PrestaShop/PrestaShop/commit/15818a849ab1e93222d2b26d52e03777cd7362f6) suggests adding both "false" and "true" to the form action line, but on the forums they suggest adding "true" only. Which is the proper version?

 

Edit: I've added "true" to the line and now I get a green padlock in Chrome.

 

Thank you, bellini13!

Edited July 10, 2015 by aliaspt (see edit history)