Forces page to SSL, but not images/other elements on page

Permalink Browser Info Environment
I added this attribute to a page, and the page does successfully force to https:. But the page contains many insecure (unsecure?) items. For example, images in the theme folder and .css and .js files from an addon folder are all served from http:

For example, Firebug gives these 2 messages:

Loading mixed (insecure) display content on a secure page
"http://www.xxxxx.xxx/themes/xxx/images/header.bg.png"

Blocked loading mixed active content "http://www.xxxxx.xxx/packages/forms_with_paypal_payment/blocks/form_with_paypal_payment/jquery-ui-1.8.18.custom.css"

Is there something else I need to do to make sure all the content on the page is served from https:?

Otherwise, it doesn't really serve the purpose.

If anyone has encountered this previously and solved it, I would appreciate any help.

Thanks much!

Tim

Type: Discussion
Status: New
View Replies:
TNTdesign replied on at Permalink Reply
I would also like to know how to force all page elements to HTTPS, otherwise the page still appears to not be secure.
jbx replied on at Permalink Reply
jbx
You don't 'Force' all elements on a page to be secure. You code the site correctly to work on secure or non-secure pages. All limks should be relative links. External links can either use '//' as the protocol, or should detect the protocol and use the correct one.

ForceSSL cannot and does not address this issue. It is an issue for the developer to address.

However, having said all of that, if you send me a link to the site in question, I'll be happy to take a look and offer advice on how best to code the page in question.

Jon
TNTdesign replied on at Permalink Reply
Thanks. That makes sense. Right now we're not even able to test the Force SSL at all because when we turn it on, it's going to HTTP. Even if I type in HTTPS:// it changes it back to HTTP://. I uninstalled the Force SSL block yesterday to see what that would do and it stopped changing it to HTTP - I was able to type in HTTPS and it stay that way. Please let me know the best way to avoid it doing this. My site is in a sub directory right now for testing if that helps.
jbx replied on at Permalink Reply
jbx
Could you provide a URL and your environment info to help me debug?

Jon
TNTdesign replied on at Permalink Reply
Thanks. I just sent you a PM with that info.

concrete5 Environment Information

Browser User-Agent String

Hide Post Content

This will replace the post content with the message: "Content has been removed by an Administrator"

Hide Content

Request Refund

You have not specified a license for this support ticket. You must have a valid license assigned to a support ticket to request a refund.