Items outside of SSL in SSL Site
Posted: 22 April 2011 04:44 PM   [ Ignore ]
Wallflower
Rank
Total Posts:  17
Joined  2011-02-04

Hi, All,

We just added added SSL to a site that’s just about ready to open. It is where we’ve developed the safecracker forms the customers will be using. This is one of 3 sites of a MSM cluster. Only this one has the SSL. I went through and added both secure_return=“yes” and secure_action=“yes” (assuming I needed to do that, just in case) to all the safecracker tags… but that’s not the reason for my post.

The “main” site, where the EE files are, does not have SSL.

The browsers are throwing tizzy fits because there is theme data (images) as well javascript in folders that are not in the same location as the SSL.  The messages would make any future customer run away and hide from us, because it makes it sound like the boogeyman is hiding in their computer, ready to snatch their most personal data off their computer.

I know what it needs to stop throwing the messages: it needs the datepicker calendar css/images/js, P&T pill field css/images/js, and the rest of the third-party fields, etc., to be in the same path as the SSL, which they aren’t now (because that isn’t where the EE files are).

Have you come across this and do you have any suggestions for getting around it?  I haven’t tried it yet, but would putting a copy of the themes in this path and then setting some sort of override for “THEME_URL” and “PATH_CP_GBL_IMG” work? I wouldn’t know what kind of override to set, which is why I haven’t tried it.

Help would be most appreciated or Scotch.

Profile
 
 
Posted: 22 April 2011 06:07 PM   [ Ignore ]   [ # 1 ]
Absolute Heartthrob!
Avatar
RankRankRankRankRank
Total Posts:  10369
Joined  2008-09-29

Any embedded file must be linked using HTTPS, that includes images, JS, css. Keep an eye out for 3rd party scripts like Google Analytics too. That’s the long and short of it. So if you’re pulling files from another URL, you still can, but they’ll have to be pulled using HTTPS. If the site you’re pulling from doesn’t have SSL, then you can’t pull from it, you’ll have to duplicate the files on your own site, and call them using HTTPS.

Some people create additional global variables just for HTTPS pages: https_site_url, https_images_folder, etc. If the entire site is https though, it’s easier… you just set the site_url in the prefs as https://yoursite.com/etc

 Signature 
Profile
 
 
Posted: 22 April 2011 10:44 PM   [ Ignore ]   [ # 2 ]
Wallflower
Rank
Total Posts:  17
Joined  2011-02-04

I’m talking about the main stuff, not anything extra. This is a Multiple Site Manager site and this is not the “main” site. The themes folder for the site isn’t SSL. Engine hosting only allows one quick SSL per domain. That would mean, if I’m understanding what you’re saying, that the main themes folder for the site could not be anywhere except on this sub domain/sub-folder? It could no longer be where the main files are located for the site?

Profile
 
 
Posted: 22 April 2011 10:55 PM   [ Ignore ]   [ # 3 ]
Absolute Heartthrob!
Avatar
RankRankRankRankRank
Total Posts:  10369
Joined  2008-09-29

MSM and your hosting company are irrelevant to the problem.

Regardless of where your files are stored, they need to be pulled using an HTTPS connection. Whether its’ google, or a subdomain, or your current site… any embeds on a secure page ALSO have to be secured. You only need on SSL per domain.. but any domain that’s connected to using an HTTPS connection needs to have an SSL cert. So either

1. Move files to where they can be access using a secure connection

or
2. Add an SSL to any unsecured domains.

 Signature 
Profile
 
 
Posted: 23 April 2011 03:26 AM   [ Ignore ]   [ # 4 ]
Wallflower
Rank
Total Posts:  17
Joined  2011-02-04

Moving the main themes folder did the trick.

Thanks, Chris.

If the entire domain is SSL, is it necessary to add: secure_return=â??yesâ? and secure_action=â??yesâ? ?

[ Edited: 23 April 2011 03:31 AM by Connie ]
Profile