Apple touch icon causes mixed content warning

robbie.morrison · February 25, 2019, 11:05am

Is this issue fully resolved? The reason I ask is that Firefox doesn’t seem to like the remote avatar images? If you go to this forum, you will see a little padlock + orange warning triangle in the URL bar. That site is self-hosted using a docker image and may well not be properly configured! Notwithstanding, the Firefox icon means “Connection is not secure: your connection is not private and information you share with the site could be used by others: this website contains content that is not secure (such as images)”. More info here. This warning icon only appeared recently, within the last few weeks, so I suspect it is connected with the default avatar issue documented being in this thread. Thanks as always to the dev team. HTH.

RGJ · February 25, 2019, 1:20pm

The reason for that mixed content warning does not have to do anything with avatars. It is caused by the apple touch icon being configured as an http URL instead of HTTPS: http://forum.openmod-initiative.org/images/default-apple-touch-icon.png

robbie.morrison · February 26, 2019, 3:51pm

@RGJ Thanks for the tip.

So I duly create a 144×144 px icon locally (the red square with some text) and add it to Settings > Required > apple touch icon.

So far so good although I don’t have an iPhone to test its use. But the Firefox URL bar warning icon persists. So I check the external URLs using View Page Info and find that Discourse has used http and not https. As shown:

In relation to this URL:

http://forum.openmod-initiative.org/uploads/default/original/1X/67b1970bdd4cea20e20c53bbbc74d86bbdee7a83.png

So is the use of http in this situation a bug in Discourse? Or is this correct behavior? Thanks again to the devs and TIA also.

This is not the only custom site-specific icon that is http if you look closely at the screenshot but it will quite usefully serve as our test case. The others were loaded at the time the site was established a couple of years back so they are not so informative.

RGJ · February 26, 2019, 4:20pm

Have you enabled the force_https site setting ?

robbie.morrison · February 26, 2019, 5:41pm

@RGJ Not yet. I will need to coordinate with the site owner first. For others visiting this thread, the dialog for that setting is shown below. Thanks for your help.

Stephen · February 26, 2019, 6:15pm

Force https rewrites http URLs to https. It’s mandatory for any site served with a certificate. If you hit any problems it can be disabled again from the console.

robbie.morrison · February 26, 2019, 6:29pm

@Stephen Thanks. I figured so. But I need to clear this with the “boss” first.

joebuhlig · February 26, 2019, 6:38pm

FWIW, you’ve already enabled https on the site. That’s why you can hit the homepage at https://. Turning on that setting simply tells Discourse that you did so and allows it to coordinate the URLs as needed.

RGJ · April 29, 2022, 9:09am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mixed content for icon using http on https setup support	2	1392	May 10, 2019
Why is the Apple Touch Icon loaded via HTTP instead of HTTPS? support	29	4211	January 18, 2019
Https warnings in firefox installation	5	1290	March 17, 2019
Some sites are missing letter icons bug	6	1644	August 15, 2017
Regression? Apple touch instead of favicon displayed again as favicon (Firefox) ux	7	4933	October 7, 2016

Apple touch icon causes mixed content warning

Related Topics