Links to Amazon cause a TLS mixed content warning


(Vinzent Steinberg) #1

Linking to Amazon in a topic causes a mixed content warning when using https, presumably because the thumbnail is loaded from a third party over http.

Would it be possible to load the thumbnail using https instead?


Oneboxed http link causes a TLS mixed content warning
(Wes Osborn) #2

Do you have a public forum? If so, can you provide a link to an article that displays the TLS mixed content issue?

I assume you’re using Amazon for your CDN? Or are you hosting your entire instance out there?


(Vinzent Steinberg) #3

Unfortunately the forum is not public. I’m not using Amazon for hosting, I get this is issue when linking to a book on Amazon, like this:

http://www.amazon.com/Computer-Programming-Volumes-1-4A-Boxed/dp/0321751043/ref=sr_1_1?ie=UTF8&qid=1452526990&sr=8-1&keywords=art+of+programming

Now you should get a warning when reading this topic, if you click at the place where normally the padlock is.


(Gerhard Schlager) #4

This is a known problem.


(Wes Osborn) #5

Ahh, this is a oneboxing issue then and I don’t think there is an easy fix.

For example if you go to: https://www.amazon.com/gp/product/0321751043?amp%3Bkeywords=art%20of%20programming&amp%3Bqid=1452526990&amp%3Bsr=8-1&ref_=sr_1_1

You’ll notice that it redirects to you HTTP, so I would say that site-wide HTTPS is not possible with Amazon at the moment. Which means the oneboxing code wouldn’t be able to pull in the HTTPS data from Amazon when your page loads.

One work-around is to use the method here:

That thread references a feature request to store the images locally instead of pulling them “in real time” from the oneboxed site:


(Vinzent Steinberg) #6

This is not really a workaround, because it is not enforceable. A workaround would be disabling oneboxes for non-https content.