goody-good opened a new issue, #1240: URL: https://github.com/apache/answer/issues/1240
# Mixed Content Security Issue ## Issue Description Security warning detected: Mixed Content loading blocked by browser The page `https://example.com:1340/users/xxxxx` is attempting to load resources over an insecure HTTP connection while the main page is served over HTTPS. Specifically: - Main page (secure): `https://example.com:1340/users/xxxxxxx` - Favicon (insecure): `http://ip:9080/uploads/branding/5xxxxxKE.png` ## Impact - Browser blocks the insecure resource loading - Favicon not displaying properly - Potential security vulnerabilities due to mixed content - Degraded user experience ## Steps to Reproduce 1. Deploy Answer Forum 2. Use Caddy to deploy Answer with HTTPS 3. Open browser developer tools (F12) 4. Check console for mixed content warnings ## Environment - Protocol: HTTPS - Resource Type: Favicon - Error Type: Mixed Content Blocking - Caddyfile ``` example.com:1340 { reverse_proxy 127.0.0.1:9080 tls { protocols tls1.2 tls1.3 } } ``` - docker-compose.yaml ``` version: "3.7" services: caddy: image: caddy restart: unless-stopped ports: - "1339:80" - "1340:443" - "1340:443/udp" volumes: - $PWD/Caddyfile:/etc/caddy/Caddyfile - $PWD/caddy_data:/data - $PWD/caddy_config:/config network_mode: host ``` ## Priority Medium - While not causing critical functionality issues, this should be addressed to ensure proper security standards and user experience. ## Labels - security - mixed-content - favicon - https -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
![[I] Favicon Mixed Content: The page at 'https://example.com:1340/users/xxx' was loaded over HTTPS, but requested an insecure favicon 'http://ip:9080/uploads/branding/5nPxxxxxE.png'. This request has been blocked; the content must be served over HTTPS. [answer]](/search?l=commits@answer.apache.org&q=subject:%22%5C%5BI%5C%5D+Favicon+Mixed+Content%5C%3A+The+page+at+%27https%5C%3A%5C%2F%5C%2Fexample.com%5C%3A1340%5C%2Fusers%5C%2Fxxx%27+was+loaded+over+HTTPS%2C+but+requested+an+insecure+favicon+%27http%5C%3A%5C%2F%5C%2Fip%5C%3A9080%5C%2Fuploads%5C%2Fbranding%5C%2F5nPxxxxxE.png%27.+This+request+has+been+blocked%3B+the+content+must+be+served+over+HTTPS.+%5C%5Banswer%5C%5D%22&o=newest){kind=link}
