Mixed content error during auth process

I have a problem with serving manifest.json with nginx. The tutorial app served with the webpack dev server on localhost:8080 works fine, while the file served from nginx gets this error:

Mixed Content: The page at ‘https://browser.blockstack.org/auth?authRequest=…’ was loaded over HTTPS, but requested an insecure resource ‘http://toolw.local/static/json/manifest.json’. This request has been blocked; the content must be served over HTTPS.

Error happens here:
proxyFetchForSomeHosts(url, options)

Headers for my manifest file are as follows:

Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Requested-With, content-type, Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Cache-Control: max-age=1
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 194
Content-Type: application/json
Date: Fri, 06 Apr 2018 07:11:10 GMT
ETag: "5ac66e21-c2"
Expires: Fri, 06 Apr 2018 07:11:11 GMT
Last-Modified: Thu, 05 Apr 2018 18:42:41 GMT
Server: nginx/1.10.3

I’ve tried to play with Content-Security-Policy in nginx, but with no effect. Could you please advise something?

I’m pretty sure this is due to protection measures the common browsers take to protect the users. The request is initiated from a secure resource (https://browser.blockstack.org) and goes to an insecure one (http://toolw.local). The common browsers block these requests as an attacker might be able to sneak some content into an https request without permission.

Your app at localhost works because the browsers consider requests to localhost as secure independently of the use of http or https.

I think the only options you have are to either move your app to a resource that can handle https requests or wrap it into a service that adds https (which you obviously should only consider when doing some testing :wink:).

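The rule described in the reply above, as an added example that is not part of this thread: a small Python approximation of how browsers decide whether a fetch from an HTTPS page is mixed content, including the loopback exemption that lets the localhost:8080 setup work. The hostnames used are the ones from the thread plus constructed loopback cases; the function names are my own.

```python
from urllib.parse import urlsplit
import ipaddress

# Schemes that make an origin secure regardless of host.
SECURE_SCHEMES = {"https", "wss", "file"}


def is_potentially_trustworthy(url: str) -> bool:
    """Approximation of the browser's 'potentially trustworthy origin' test:
    a secure scheme, or a loopback host (localhost, *.localhost, 127/8, ::1).
    This is why http://localhost:8080 is not treated as insecure content."""
    parts = urlsplit(url)
    if parts.scheme.lower() in SECURE_SCHEMES:
        return True
    host = (parts.hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # ordinary hostname such as toolw.local, not an address


def mixed_content_verdict(page_url: str, resource_url: str) -> str:
    """Return 'allowed' or 'blocked' for a script-initiated fetch (XHR/fetch),
    which browsers treat as blockable content: never allowed from a secure page
    to an insecure origin. A plain-http page is not subject to the rule."""
    if not is_potentially_trustworthy(page_url):
        return "allowed"
    if is_potentially_trustworthy(resource_url):
        return "allowed"
    return "blocked"


if __name__ == "__main__":
    page = "https://browser.blockstack.org/auth"
    for manifest in ("http://toolw.local/static/json/manifest.json",
                     "http://localhost:8080/static/json/manifest.json",
                     "https://toolw.local/static/json/manifest.json"):
        print(manifest, "->", mixed_content_verdict(page, manifest))
```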

Yeah, thanks. Didn’t know that localhost is not subject to this policy. I will just proxy https requests to http on my local environments; I think it will work.


Problem solved by setting up a local domain with SSL support in nginx and making auth requests with the https scheme.