Quantcast

CSS and HTTPS problem ...

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

CSS and HTTPS problem ...

xenome
Hi All,

It's been a long time since i posted here ... hope u r all fine n well ..
Now my problem.  I've planned to add some style to one of my restlet (which is actually a TEXT_HTML MediaType repreaentation) so i made an external stylesheet n saved my .css file and linked it to my html restlet and began to test n here u r what i found (note: i'm running the whole application via secured HTTPS):

1- Running on microsoft windows:
    Everything went okay, style file was loaded okay and applied to my html successfully, images were loaded and everything went fine for me (accessed the restlet via all available browsers IE, FF, and Chrome).

2- Hosting the restlet on a server running windows
    Worked also like charm but locally on the server .. and when trying to access it remotely from my local machine style doesn't show with IE telling me "this webpage contains content that will not be delivered using a secure HTTPS connection. which could compromise the security of the entire webpage" .. tried also  from FF and Chrome without hope of seen my style applied.

3- Running on openSUSE 10.3:
    External styles are never applied and the page displays without any style (as if the .css wasn't seen eventhough i'm giving the absolute path to the file on my local machine) so i copied the styles inside my html restlet in <style> tags n tested again ... Styles were applied but images were never loaded again as if they weren't seen (still giving the absolute path)

So i don't know what to do or where the problem is but my main goal i want to achieve is that the page hosted on the server gets displayed with my style when accessed by clients anywhere and from any browser ... i read some articles talking about missing/broken images and external CSS never applied when using HTTPS but with no solutions ...

Is there anything with restlet concerning css or https  i am missing ? ...

need help and thanks in advance
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CSS and HTTPS problem ...

Rob Heittman
Hard to diagnose without seeing the HTML source ... but is it possible your HTML is constructed with an absolute URL (starting with http://) in the CSS <link rel.../> tag?  Any snippets of the HTML you can share, or a link to a page if it's public?

On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi <[hidden email]> wrote:
It's been a long time since i posted here ... hope u r all fine n well ..
Now my problem.  I've planned to add some style to one of my restlet (which is actually a TEXT_HTML MediaType repreaentation) so i made an external stylesheet n saved my .css file and linked it to my html restlet and began to test n here u r what i found (note: i'm running the whole application via secured HTTPS):

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CSS and HTTPS problem ...

Tal Liron

To add to Rob's hunch --


My guess is that you are using a relative URL to access the CSS, and that you don't have a trailing slash after your base URL. For example, your base URL might be:


http://localhost:8080/myapplication/main


While your CSS link would be:

<link href="my.css" rel="stylesheet" type="text/css" />

So the browser would be looking for:


http://localhost:8080/myapplication/mainmy.css


You need to use a trailing slash on the base URL!


This is something that can happen in Restlet but not in most Apache configurations, because Restlet is forgiving about the trailing slash.


-Tal


On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi <[hidden email]> wrote:
It's been a long time since i posted here ... hope u r all fine n well ..
Now my problem.  I've planned to add some style to one of my restlet (which is actually a TEXT_HTML MediaType repreaentation) so i made an external stylesheet n saved my .css file and linked it to my html restlet and began to test n here u r what i found (note: i'm running the whole application via secured HTTPS):

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CSS and HTTPS problem ...

xenome
In reply to this post by Rob Heittman
Hi Rob,

Thanx for the fast reply ... As it told you Rob i'm using absolute links to images or css (since these are not hosted on my server) like the following CSS snippet (the background property)
                thead th,tbody th
                {
                   background : #FFF url(http://muffinresearch.co.uk/code/xhtmlandcss/tableshow/th_bck.gif) repeat-x;
                   color: white;  
                   padding : 5px 10px;
                   border-left : 1px solid #CCC;
               }
another important note: i've switched to HTTP instead of HTTPS just to test and the style was displayed perfectly (no broken images or missing css files) both locally and remotely (i didn't change anything in code) which makes me 100% sure that the problem is mainly considered with HTTPS connection as i told you before ...

Thank you

Rob Heittman wrote
Hard to diagnose without seeing the HTML source ... but is it possible your
HTML is constructed with an absolute URL (starting with http://) in the CSS
<link rel.../> tag?  Any snippets of the HTML you can share, or a link to a
page if it's public?

On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi <
mohamed.xed@gmail.com> wrote:

> It's been a long time since i posted here ... hope u r all fine n well ..
> Now my problem.  I've planned to add some style to one of my restlet (which
> is actually a TEXT_HTML MediaType repreaentation) so i made an external
> stylesheet n saved my .css file and linked it to my html restlet and began
> to test n here u r what i found (note: i'm running the whole application via
> secured HTTPS):
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1445199
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CSS and HTTPS problem ...

Rob Heittman
You'd have to change the CSS to also reference the images, etc. over https.  The warning you describe will be triggered whenever you have an HTML page, delivered over https, that calls images, CSS, or javascript from another source, delivered over http.  This isn't a Restlet thing ... it applies to any SSL Web server.

However, one neat Restlet thing that does help, is the Redirector feature.  This is a bit advanced, but you can use the Redirector on your local web service to proxy these requests to the other server; this can be used to avoid such warnings and single-source issues, at the expense of some overhead in your web service and a responsibility to manage the security appropriately.

- Rob

On Tue, Mar 31, 2009 at 5:34 AM, Mohamed Abdel-Aziz Bayoumi <[hidden email]> wrote:
Hi Rob,

Thanx for the fast reply ... As it told you Rob i'm using absolute links to images or css (since these are not hosted on my server) like the following CSS snippet (the background property)
               thead th,tbody th
               {
                  background : #FFF url(http://muffinresearch.co.uk/code/xhtmlandcss/tableshow/th_bck.gif) repeat-x;
                  color: white;
                  padding : 5px 10px;
                  border-left : 1px solid #CCC;
              }
another important note: i've switched to HTTP instead of HTTPS just to test and the style was displayed perfectly (no broken images or missing css files) both locally and remotely (i didn't change anything in code) which makes me 100% that the problem is mainly considered with HTTPS connection as i told you before ...

Thank you


Hard to diagnose without seeing the HTML source ... but is it possible your
HTML is constructed with an absolute URL (starting with http://) in the CSS
<link rel.../> tag?  Any snippets of the HTML you can share, or a link to a
page if it's public?

On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi <
[hidden email]> wrote:

> It's been a long time since i posted here ... hope u r all fine n well ..
> Now my problem.  I've planned to add some style to one of my restlet (which
> is actually a TEXT_HTML MediaType repreaentation) so i made an external
> stylesheet n saved my .css file and linked it to my html restlet and began
> to test n here u r what i found (note: i'm running the whole application via
> secured HTTPS):
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1445199


--
View this message in context: http://n2.nabble.com/CSS-and-HTTPS-problem-...-tp2544622p2562022.html
Sent from the Restlet Discuss mailing list archive at Nabble.com.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1493998

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CSS and HTTPS problem ...

Bruno Harbulot
Hi,

Rob Heittman wrote:
> You'd have to change the CSS to also reference the images, etc. over
> https.  The warning you describe will be triggered whenever you have an
> HTML page, delivered over https, that calls images, CSS, or javascript
> from another source, delivered over http.  This isn't a Restlet thing
> ... it applies to any SSL Web server.

Yes, I agree. Although it's possible to turn off this warning in Firefox
I'd suggest to keep it on.

In terms of site design, it's bad practice to mix HTTPS and plain HTTP
content.

I've recently found a security issue with a service we use (I believe
the vendor is investigating the matter). Access to the whole site was
supposed to be secure because it was served over HTTPS. However, one of
the web pages was loading a JavaScript document, which was linking
another JavaScript document, this time in plain HTTP. (Surprisingly
enough, this second link was a plain HTTP URL only if "Mac" was in the
user-agent header!)
Even if this last request failed with a 404 status code (the document
being actually only served over HTTPS), the request was made over plain
HTTP and contained the authenticated session cookie. Therefore, someone
intercepting that request would be able to hijack the session.

I haven't looked at how IE behaves with mixed content, but the downside
of Firefox warnings is that they are just warnings (you can't cancel the
request: you can only realise it's too late).


> However, one neat Restlet thing that does help, is the Redirector
> feature.  This is a bit advanced, but you can use the Redirector on your
> local web service to proxy these requests to the other server; this can
> be used to avoid such warnings and single-source issues, at the expense
> of some overhead in your web service and a responsibility to manage the
> security appropriately.

+1


Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1499674
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CSS and HTTPS problem ...

xenome
In reply to this post by Rob Heittman

Many thanks Rob, i'll consider that .. will give it a try and feedback whenever possible


<quote author="Rob Heittman">
You'd have to change the CSS to also reference the images, etc. over https.
 The warning you describe will be triggered whenever you have an HTML page,
delivered over https, that calls images, CSS, or javascript from another
source, delivered over http.  This isn't a Restlet thing ... it applies to
any SSL Web server.
However, one neat Restlet thing that does help, is the Redirector feature.
 This is a bit advanced, but you can use the Redirector on your local web
service to proxy these requests to the other server; this can be used to
avoid such warnings and single-source issues, at the expense of some
overhead in your web service and a responsibility to manage the security
appropriately.

- Rob
Loading...