Script won't run in Firefox but does in IE, Chrome and Safari
I have a landing page with a web form script, www.wholewoman.com/newpages/landing/helpforcystocele.html. The script does not show up in Firefox. Further, none of our videos (served from Kaltura (CDN)) show up in Firefox. Nor does the registration script for our Drupal forum. The good news is there are a lot of Firefox users in the world. The bad news is that none of them can opt into my list, watch my videos or register for my forum. Help!
Which script are you referring to?
I notice that one of the scripts is sent as text/html.
That is the web form which is served by Infusionsoft. For some reason, it doesn't show up in Firefox although other browsers display it fine. Any thoughts or suggestions would be most appreciated!
The Error Console has this curious message:
CSP WARN: Directive default-src http://wholewoman.com:80 violated by https://wholewoman.infusionsoft.com/app/form/iframe/da49db6629f57f3996bddf2b531f03ca
When I look at the HTTP headers for your page, it has this custom header (see attached):
x-content-security-policy:allow 'self';
Firefox apparently interprets this to block the script from the infusionsoft.com URL.
I'm not sure how that header is being added. It could be part of a set of protections against cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks in your server control panel or CMS or in a plugin.
Great... thanks. I've gone to the Mozilla Developer Network and they have a good breakdown on how to configure the Content Security Policy, but they don't tell you where to put in the code. Is this something that goes into each web page or through preferences? I don't know how to change what shows up in the HTTP headers, but at least we appear to be on the right track. I've spoken to my host tech support and it doesn't appear to be a server issue and, based on the developer network, it appears to be a Firefox policy. I just don't know where to go to change it. Thoughts?
Chosen Solution
With a .html page, it's impossible to include HTTP headers in the page. It would have to be in a configuration file external to the page (unless you have a very unusual configuration on your server).
On an Apache server, headers sometimes are set in a .htaccess file in the root of your site. If you are viewing the site in an FTP program or extension, make sure hidden files are displayed.
Note that Firefox has a pref (security.csp.enable) to disable CSP.
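An added example, not from the thread, that replays the check behind the console warning quoted earlier: a simplified CSP source matcher applied to the page origin Firefox expanded 'self' to (http://wholewoman.com:80) and the infusionsoft iframe URL it reported. It shows that `default-src 'self'` (Firefox's reading of the legacy `allow 'self'`) rejects the frame, and that adding a `frame-src` entry for that origin admits it while keeping the rest of the policy; the corrected policy string is an assumption, as is the equivalent Apache line for the root .htaccess, `Header set Content-Security-Policy "default-src 'self'; frame-src https://wholewoman.infusionsoft.com"` (requires mod_headers).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Values from the thread: the origin Firefox expanded 'self' to, and the
# infusionsoft iframe it reported as violating default-src.
PAGE_URL = "http://wholewoman.com/newpages/landing/helpforcystocele.html"
FRAME_URL = "https://wholewoman.infusionsoft.com/app/form/iframe/da49db6629f57f3996bddf2b531f03ca"
# Firefox read the legacy "allow 'self'" header as default-src 'self'.
ORIGINAL_POLICY = "default-src 'self'"
# Assumed fix (not from the thread): keep the policy, add the frame origin.
FIXED_POLICY = "default-src 'self'; frame-src https://wholewoman.infusionsoft.com"


def _origin(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def source_matches(source, resource_url, page_url):
    """Simplified CSP source match: 'self', '*', scheme://host[:port], *.host."""
    scheme, host, port = _origin(resource_url)
    if source == "'self'":
        return (scheme, host, port) == _origin(page_url)
    if source == "*":
        return True
    # A host-only source inherits the resource's scheme (and its default port).
    src = source if "://" in source else f"{scheme}://{source}"
    s_scheme, s_host, s_port = _origin(src)
    if s_scheme != scheme or s_port != port:
        return False
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])
    return s_host == host


def csp_allows(header, directive, resource_url, page_url):
    """True if the resource may load under `directive`, else under default-src."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # nothing in the policy restricts this resource type
    return any(source_matches(s, resource_url, page_url) for s in sources)
```

Running `csp_allows(ORIGINAL_POLICY, "frame-src", FRAME_URL, PAGE_URL)` reproduces the block, while the same call with `FIXED_POLICY` allows the frame and still rejects any other third-party origin.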
I found the Content Security Policy line in the root .htaccess file and commented it out and voila! Thanks so much for your help.
Same issue here. Can you indicate which line in .htaccess needs to be commented?
Hi softcorner, do you see any lines that mention this header:
X-Content-Security-Policy
Note that current Firefox versions use "Content-Security-Policy" ("Content-Security-Policy" is the official W3C defined header).
Note that the old headers with the "X-" prefix are still supported, but this may change.
Nope. My Facebook page worked fine before the Firefox update and it is still working fine in IE.
https://www.facebook.com/TaxEaglesLLC/app_190322544333196
When I disabled CSP in my Firefox (using about:config) I could see it again in Firefox. But all other general users who don't know how to disable this stupid update will NEVER see the content in Firefox (this is one of my clients' websites).
I think Firefox needs to disable this option by default.
I see that someone has solved it by adjusting .htaccess but don't know how.
There is also mixed content on the page that is blocked by Firefox and a shield icon is displayed.
Red bar in the Web Console (Firefox/Tools > Web Developer; Ctrl+Shift+K):
Loading mixed (insecure) active content on a secure page "http://www.taxeagles.com/component/content/article/2-uncategorised/uncategorised/21-specialoffer?tmpl=component&print=1&page="[Learn More]
GET http://www.youtube.com/embed/Hh1aGhDpd-k [Mixed Content]
OK then what? It worked fine before the update!!! I don't want to buy an SSL certificate for the website at an extra cost as it is not needed. This script placed on the Facebook page worked fine before the update. Please, if you have the answer how to make this page available to all Firefox users then reply. I don't have time to read more as I have done that already. If there is no solution then we have to make sure we place a warning on our website that says "use IE if you want to see our Facebook page and get special offers". That will be the start of FF death if more people start doing that!!!
Whoops, you guys got way ahead of me.
Hi softcorner, when I visit that URL I get active mixed content blocked. This is caused by framing HTTP content on HTTPS pages. It is completely unrelated to site policy headers and is a default rule of Firefox applicable to all sites. You need to serve HTTPS to avoid this problem.
jscher2000 please do not send me recycled info. I KNOW that. This SAME page worked fine in older FF and STILL working in IE and other browsers. You are not providing any solution and keep repeating the same info that is known. Let me be specific:
"Is there a .htaccess solution as mentioned by lannygoodmann, who seems to have fixed the problem using a .htaccess fix without serving SSL?"
If you know the answer please reply.
Thanks
Hi softcorner, will it be the death of Google Chrome, too? (see attached)
But seriously, mixed content protection is live now for the majority of users, and using SSL is part of Facebook's guidelines for embedded apps.
If you don't want to use SSL on your site, maybe you can add a link near the top of your FB page that says something like "If you have trouble viewing this page on Facebook, view it on our site."
Hi softcorner, as I stated, the earlier posts in this thread have NOTHING TO DO with your issue.
Oh well, then the old days of using Facebook for marketing are gone, it seems! Our clients who want to use Facebook and similar social media are poor and can't afford buying SSL every year. I think this CSP option should be set to disabled as default with warnings, at least during the transition period.
Thanks for your input.
As posted already, your problem has nothing to do with CSP, but with blocking active mixed content.
You can see that there is a shield icon on the left end of the location bar before the "Site Identity Button" (globe/padlock) on the location bar indicating that mixed content is blocked.
- https://support.mozilla.org/kb/how-does-content-isnt-secure-affect-my-safety
- https://developer.mozilla.org/Security/MixedContent
This extension can allow such active mixed content by toggling the security.mixed_content.block_active_content pref.
Note that this is a pref that works globally.