Drupal insecure content


I have my OpenShift Drupal 7 app. It was working OK until it stopped reading JS and CSS. The message says "insecure content from http...."

Any ideas what's going on?

I forgot to tell you that the problem just happens with Google Chrome.

Yep, Chrome is good about warning you. You probably have some asset being loaded over http when you are visiting the page over https.

View source on the page, do a search for "http", and look for any images or CSS that are loading over http instead of using a relative URL.
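
The view-source check suggested above, automated as an added example (not part of the original thread): a Python scanner that lists the subresources an HTTPS page would fetch over plain HTTP, resolving relative and protocol-relative URLs first. The hostnames and markup in `SAMPLE` are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) -> kind. Scripts, stylesheets and frames are "active"
# content, which browsers block on an HTTPS page; images are "passive".
KINDS = {("script", "src"): "active", ("link", "href"): "active",
         ("iframe", "src"): "active", ("img", "src"): "passive"}


class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # rel="canonical" and similar links fetch nothing
        for (t, attr), kind in KINDS.items():
            url = attrs.get(attr)
            if t == tag and url:
                # Relative and protocol-relative URLs inherit the page's scheme.
                resolved = urljoin(self.page_url, url.strip())
                if urlparse(resolved).scheme == "http":
                    self.findings.append((kind, tag, resolved))


def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: markup whose absolute URLs were built from an http:// base.
SAMPLE = """
<link rel="stylesheet" href="http://app.example.com/modules/system/system.base.css">
<link rel="canonical" href="http://app.example.com/">
<script src="http://app.example.com/misc/jquery.js"></script>
<script src="/misc/drupal.js"></script>
<script src="//cdn.example.com/lib.js"></script>
<img src="http://app.example.com/logo.png">
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://app.example.com/user", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Findings marked `active` are the ones that leave a page unstyled and without scripts; the relative and protocol-relative references are not reported because they follow the page's own scheme.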

Thanks a lot

Could this happen because I upgraded the Drupal Core to the latest version?

Not sure what changes they made, I'm not a Drupal guy :)

I faced the same with JS and CSS in Chrome.

Is there a way to remove force SSL on my OpenShift app?

You can try using this FAQ: How to redirect traffic to https. Let us know how it goes.

My guess is: My app was running OK using 7.18 core. I read about a security upgrade about injection. So I upgraded to 7.19 core. And the problem started. I'm going to change back the core to 7.18.

@interintrait, Thanks for the details!

I experienced this on a newly created Drupal app. I followed the OpenShift instructions to create a Drupal application, and when I went to the application URL I was disappointed. I got to the login page successfully, but there wasn't the standard Drupal admin theme nor dynamic admin interface behavior, that you would always see on a standard manual install. At first I thought it was a permissions issue, but after a bit of digging around, I checked the Inspector and realized that the .css and .js files were being blocked by Chrome and Chromium (but not by Safari, Firefox, or Opera).

I resolved this by simply going to the settings.php file and setting the $base_url to use https.

$base_url = 'https://myApplicationUrl';

To the folks in OpenShift Product Marketing:

I had no idea that OpenShift was enabling SSL by default for all Drupal (and all other?) apps. Normally, this is an optional step, at least on other hosting systems (and some folks even charge for it). I didn't see this in the instructions. But I like that OpenShift is bundling it in though. :-) However,

a. it is not a good first impression for things to not "just work" out of the box on a newly provisioned application, without even the slightest user customization. From my perspective, this suggests that this basic use case was not tested, yet the invitation to encounter it is out there in the wild.

b. you can have this working out of the box by simply modifying your build scripts to set the $base_url during provisioning.

I hope this helps folks who might otherwise dismiss OpenShift because "they can't even install and configure Drupal" properly.

Derek

Thanks for the feedback Derek. Due to a bug, Chrome browser would redirect http requests to https automatically. This should be fixed in Chrome26+

Thanks Sumana, for pointing to the Chrome bug.

Nevertheless, if it is true that OpenShift enables SSL by default as I saw here:

https://www.openshift.com/kb/kb-e1044-how-to-redirect-traffic-to-https

then informing the OpenShift user upfront (in the app creation wizard) that this is so will help them to understand the environment they will be in, and allow them to make the necessary adjustments to take advantage of that environment. I don't believe that Drupal 7 out-of-the-box is configured to use mixed HTTP/HTTPS nor HTTPS-only environments. Deliberate changes are necessary to do so. This post talks about this:

http://drupal.org/https-information

So I'll still hold OpenShift to the high expectations of either telling me that you're going to put my app into an env that has SSL enabled (promote your differentiators :-) and that it's up to me to configure my app to use it or not, or automatically configuring the app to use SSL and telling me that you've done so (and for my own benefit) and that it's up to me to make the necessary adjustments to put the app into an insecure mode. ;-)

Best,

Derek

Thank you for your feedback Derek! Here's the bug report: https://bugzilla.redhat.com/show_bug.cgi?id=924883
Looking forward to the fix. Also looking forward to Chrome 26 since users want better control over when to use non-secure vs secure connections to apps. And of course developers wanting better control of supporting the same.

Thanks for the follow through Nam! I like the direction of OpenShift. And I like the responsiveness of the team so far.

Derek's solution worked for me as well. Thanks.