Support » Plugin: Autoptimize » https breaking – insecure stylesheet

  • Resolved bruciebonus

    (@bruciebonus)


    Hi,

    I noticed that my site had a message about my site wanting to load unsafe scripts. When I clicked it my https breaks, shifting from green to red. Forgive terminology but inexperienced with this sort of thing.

    I get the following message when I use chrome to inspect the pages. I contacted the theme developer but he says it’s not something at his end. He can only get it to go by deactivating autooptimise.

    Mixed Content: The page at ‘https://hastingsarrow.com/?p=71&preview=true’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://fonts.googleapis.com/css?family=Noticia+Text|Open+Sans:800’. This content should also be served over HTTPS.
    ?p=71&preview=true:1 Mixed Content: The page at ‘https://hastingsarrow.com/?p=71&preview=true’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://fonts.googleapis.com/css?family=Montserrat:400,700|Oxygen|Raleway’. This content should also be served over HTTPS.
    autoptimize_e6dfbf9….js:3 JQMIGRATE: Migrate is installed, version 1.4.1
    ?p=71&preview=true:1 Mixed Content: The page at ‘https://hastingsarrow.com/?p=71&preview=true’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://fonts.googleapis.com/css?family=Noticia+Text|Open+Sans:800’. This content should also be served over HTTPS.
    ?p=71&preview=true:1 Mixed Content: The page at ‘https://hastingsarrow.com/?p=71&preview=true’ was loaded over HTTPS, but requested an insecure stylesheet ‘http://fonts.googleapis.com/css?family=Montserrat:400,700|Oxygen|Raleway’. This content should also be served over HTTPS.

    When I deactivate autooptimise, it resolves the warning issue although the https break in the dashboard that happened when I initially loaded the unsafe scripts, remains.

    I have checked all the settings and every entry of the web address is https, not http. I did update a while a month ago to https but haven’t had a problem before. Only after updating to the pro level of the theme.

    I tried searching through the forums but I could be staring the answer in the face and probably not realise it. Is this a case of excluding these fonts somewhere in autooptimise?

    Thanks.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Frank Goossens

    (@futtta)

    well, autoptimize is off now, but there’s a lot or resources (css & js) that are not loaded because they’re on http, so something is seems wrong with your configuration (irrespective of AO being active or not). maybe install a plugin like https fixer or something along those lines?

    My mistake on wordpress version type. I’d assumed I had the latest version but realised I didn’t when it told me that it had auto-updated 30 minutes before.

    So this happened on 4.7.0 first.

    I just saw your reply after logging out.

    I went to my site and nothing was broken. I inspected the page and there were no messages. I clicked on a post and it broke and I saw the messages,though highlighted in red, rather than the usual yellow.

    I logged in. My site is now secure and the pages are all unbroken. I logged out and they are still unbroken. I have tried to break it again and can’t. If I reload autooptimise, I get the message hastingsarrow.com didn’t respond then return to the plugin page (guess that’s normal).

    If I now return to the page, I get the message regarding unsafe scripts. If I allow, the https breaks.

    • This reply was modified 8 months, 2 weeks ago by  bruciebonus.
    Plugin Author Frank Goossens

    (@futtta)

    tested again and can confirm the site breaks (without AO) when viewing HTTPS url in Firefox, as you can see in this webpagetest.org test. if you check in chrome, you’ll indeed see that a lot of resources are still loaded over HTTP as you can see in this webpagetest.org test.

    the mixed content problems with the fonts stem from the fact that the stylesheet of your theme (wp-content/themes/indiepro/style.css) hardcoded the Google Font URL’s to http:

    /*--------------------------------------------------------------
    2.0 Typography
    --------------------------------------------------------------*/
    @import url(http://fonts.googleapis.com/css?family=Noticia+Text|Open+Sans:800);
    @import url(http://fonts.googleapis.com/css?family=Montserrat:400,700|Oxygen|Raleway);

    this, I’m afraid, is not something AO can (or should) fix.

    frank

    Thank you for your quick and helpful response.

    I have tested some more, now I know what to do, and can see that testing the site is what breaks the site. I was just viewing it or inspecting it’s elements.

    I view site and it is fine. I run a speed test and it is broken and new instance of the site that I open up. I keep one tab of the site open and this never breaks, even when I refresh. But all tabs opened after running a test are broken. Bizarre and not your problem.

    Thanks again

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘https breaking – insecure stylesheet’ is closed to new replies.