Issues with mixed active content

[ST-DDT]

Before I begin I know that this is not a livedoc problem by itself, but I hope there is something you could do about it "somehow".

Describe the bug

I deployed the livedoc-ui 4.5.2 (Standalone) to a webserver (nginx) that is only accessible via HTTPS.

For obvious reasons my local spring-rest-api is not accessible via HTTPS (because I don't have an HTTPS certificate for my local IP address)

But this causes a "Mixed Active Content" error and prevents the browser from downloading the data.

• Firefox

• Chrome

(btw. the chrome error message is somewhat useless/undescriptive)

Expected behavior

Open the jsondoc regardless of schema/protocol.

Environment/Context

• server
  • nginx
  • HTTPS
  • livedoc-ui 4.5.2
• developer
  • tomcat
  • HTTP
  • spring-rest-api
    • livedoc-spring 4.5.2

Suggestions

• Mark the download as "Mixed Passive Content"

[joffrey-bion]

Hi, and thanks again for your feedback. Anything that helps me make Livedoc easier to use is good to take.

I'm aware Chrome's messages are kinda useless, I tried to do something about it in commit 781059e9d87f5e770f0bcf3aa1a102de2d6e0001, but there's little more I can do about that specifically. The javascript fetch API simply isn't great for precise handling of network errors.

Regarding the issue at hand, if there is some client side solution to your problem, I'll put it in place. Did you already find some resources about that specific problem with client side workarounds?

[ST-DDT]

I only found information about turning the security off in the browser for all pages, which I don't want to do as well.

• https://developer.mozilla.org/en-US/docs/Web/Security/Mixed_content?utm_source=mozilla&utm_medium=firefox-console-errors&utm_campaign=default

• https://support.mozilla.org/en-US/questions/967208

• https://bugzilla.mozilla.org/show_bug.cgi?id=873349 (Add Whitelist -> Won't fix)

• https://support.mozilla.org/en-US/questions/1198894 (Turn it of globally)

• https://kb.iu.edu/d/bdny There seems to be a button you have to press to allow it, but it does not show for me (maybe because does not load the resource during page load)

[joffrey-bion]

I only found information about turning the security off in the browser for all pages, which I don't want to do as well.

I totally understand that you don't want to unblock mixed content for all websites, that would be both undesirable and overkill. This would be an unacceptable workaround for me too.

I found this SO post where one answer suggests unblocking on a per-domain basis on Chrome: https://stackoverflow.com/a/49266261/1540818

The steps are the following:

1. Open a Chrome window
2. In the URL bar, enter Chrome://net-internals
3. Click on Domain Security Policy in the side-bar
4. Add the domain name that you want to whitelist into the "Add HSTS/PKP domain" section

It does not seem to deal with mixed content but rather http/https access, so maybe this answer is just wrong. Maybe you should try this anyway just in case it effectively allows mixed content for your localhost?

There seems to be a button you have to press to allow it, but it does not show for me (maybe because does not load the resource during page load)

Maybe this is because it is "mixed active content" (using the fetch() API) as opposed to regular mixed content resulting from the browser resolving a <script> tag or similar.

[ST-DDT]

I looked at that answer, but only found options to force a page to use HTTPS, but nothing to allow mixed content.

For Chrome there is a different alternative that works for me though. https://stackoverflow.com/a/46670650/4573065 In the top right corner there is a small button to click, to allow mixed content

The same works for Firefox as well (but it can only be seen if you click on the green lock). In both cases it will only show up after querying the page at least once.

I'm pretty sure that I have looked for that option before opening the issue, but obviously I did it not thoroughly enough. (Or I forgot to actually execute the request). Sorry, for not seeing that right from the start.

I leave this open, if you want to improve the documentation about these steps. (I cannot make screenshots for these because the browser closes them once I press the screenshot button.) Otherwise this can be closed. Thanks for your help.

[joffrey-bion]

Great that you found at least a quick workaround.

I've been browsing for a while, but still no luck in finding a solution that would allow me to solve this issue from Livedoc's code, unfortunately. It looks like I can't escape the browser's security (which is technically the point).

I was about to say that I only see 3 other solutions:

• generate a self-signed certificate for your localhost to actually serve HTTPS (which is kind of a pain)
• manually download the JSON from your local API, and then deploy it on the HTTPS server where Livedoc UI lives, and then on Livedoc UI, load the JSON from the nginx server itself (this is probably even more annoying)
• use livedoc-ui-webjar temporarily in your local Spring REST API project to access the UI from your localhost using HTTP. Although not ideal, it is acceptable if you just want to check whether your doc looks ok, but I admit it is annoying to add/remove the gradle/maven dependency all the time just for this quick test.

I believe I will leave this open until I document the issue better than here. Livedoc could also display a proper message with a link to the documentation about mixed content, if there is a way to identify that the request failed for that reason.