swagger-api / validator-badge

Validate your Swagger JSON/YAML today!
http://swagger.io
Apache License 2.0

Mixed content error: HTTPS usage of a swagger-ui with validator redirects to a HTTP resource #22

Closed frkline closed 7 years ago

frkline commented 9 years ago

Chrome reports a mixed content error as the validator redirects to an insecure resource:

Mixed Content: The page at 'https://...' was loaded over HTTPS, but requested an insecure image 'http://online.swagger.io/validator?...'. This content should also be served over HTTPS.


larochef commented 9 years ago

I have the same problem.

So far, I disabled the validator (my swagger.json is generated by swagger anyway), but it would be better if the validator was compatible with https.

JoeBiellik commented 9 years ago

+1 for this issue, had to disable the validator too.

travi commented 9 years ago

+1

luketn commented 9 years ago

+1

MalteJ commented 9 years ago

+1

xplode commented 9 years ago

+1

simison commented 9 years ago

+1

chrisdostert commented 9 years ago

+1

urg commented 9 years ago

+1

fehguy commented 8 years ago

https support added to the validator

mickeyreiss commented 8 years ago

@fehguy Can you cross-reference to the commit that fixes this? Is that change deployed to https://online.swagger.io/validator yet?

fehguy commented 8 years ago

Yes, unfortunately it's entirely an infrastructure change and not a code change. It has been deployed and is available:

https://online.swagger.io/validator/?url=http://petstore.swagger.io/v2/swagger.json

mickeyreiss commented 8 years ago

It's still not working for me with my local development url: https://online.swagger.io/validator?url=https://docs.local:8086/swagger.json. I'm getting a redirect to HTTP.

$ curl -v 'https://online.swagger.io/validator?url=https://docs.local:8086/swagger.json' -H 'Pragma: no-cache' -H 'DNT: 1' -H 'Accept-Encoding: gzip, deflate, sdch' -H 'Accept-Language: en-US,en;q=0.8' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Cache-Control: no-cache' -H 'Cookie: _ga=GA1.2.440710346.1436287024' -H 'Connection: keep-alive' --compressed
*   Trying 54.69.214.189...
* Connected to online.swagger.io (54.69.214.189) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* Server certificate: *.swagger.io
* Server certificate: DigiCert SHA2 Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /validator?url=https://docs.local:8086/swagger.json HTTP/1.1
> Host: online.swagger.io
> Pragma: no-cache
> DNT: 1
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8
> Upgrade-Insecure-Requests: 1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Cache-Control: no-cache
> Cookie: _ga=GA1.2.440710346.1436287024
> Connection: keep-alive
> 
< HTTP/1.1 302 Found
< Location: http://online.swagger.io/validator/?url=https://docs.local:8086/swagger.json
< Connection: close
< Server: Jetty(9.2.7.v20150116)
< 
* Closing connection 0

Is the redirect to the error logo a special case that needs to be addressed separately?

(Edited to include the response I'm seeing.)
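A check for the symptom in the transcript above, as an added example that is not part of the original thread or the project's code: it reads `curl -v` output and reports every redirect that sends a TLS request to a plain `http://` URL, which is what a browser then blocks or flags as mixed content. The function name `find_downgrades` and the TLS-line heuristic are assumptions of this sketch; the sample is abridged from the transcript in the comment.

```python
import re
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

# Abridged from the curl -v transcript quoted in the thread.
SAMPLE = """\
* Connected to online.swagger.io (54.69.214.189) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> GET /validator?url=https://docs.local:8086/swagger.json HTTP/1.1
> Host: online.swagger.io
>
< HTTP/1.1 302 Found
< Location: http://online.swagger.io/validator/?url=https://docs.local:8086/swagger.json
< Server: Jetty(9.2.7.v20150116)
"""


def find_downgrades(transcript):
    """Return (request_url, redirect_target) pairs where a request sent
    over TLS was answered with a redirect to an http:// URL."""
    findings = []
    tls, path, host, status = False, None, None, None
    for raw in transcript.splitlines():
        line = raw.rstrip()
        if line.startswith("* Connected to "):
            # New connection: forget state from the previous hop.
            tls, path, host, status = False, None, None, None
        elif re.match(r"\* (TLS|SSL)\S* .*connection using", line):
            tls = True  # heuristic: curl logs this line after a handshake
        elif m := re.match(r"> [A-Z]+ (\S+) HTTP/", line):
            path = m.group(1)
        elif m := re.match(r"> Host: (\S+)", line, re.I):
            host = m.group(1)
        elif m := re.match(r"< HTTP/\S+ (\d{3})", line):
            status = int(m.group(1))
        elif m := re.match(r"< Location: (\S+)", line, re.I):
            if host and path and status in REDIRECTS:
                request_url = f"{'https' if tls else 'http'}://{host}{path}"
                # Relative Location values inherit the request's scheme.
                target = urljoin(request_url, m.group(1))
                if tls and urlsplit(target).scheme == "http":
                    findings.append((request_url, target))
    return findings


if __name__ == "__main__":
    for src, dst in find_downgrades(SAMPLE):
        print(f"downgrade: {src}\n        -> {dst}")
```
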

mickeyreiss commented 8 years ago

It appears that a trailing / in my initial URL fixes the http -> https redirect.

https://online.swagger.io/validator/?url=https://docs.local:8086/swagger.json

mickeyreiss commented 8 years ago

(The trailing / is not present by default.)

fehguy commented 8 years ago

OK great. Also, the validator in GET mode expects that your swagger definition is available publicly. If that's not the case (like localhost), you can use a POST method instead:

curl -i -X POST -H "accept:application/json" -d @sample.json 'https://online.swagger.io/validator/debug'

Where @sample.json is simply a swagger spec, in either JSON or YAML format.

mickeyreiss commented 8 years ago

POST mode - That's a great tip!

Would it be possible to change the redirect behavior so that it is ok to omit the trailing /? Alternatively, should we change the default validationUrl in the JS implementation?

fehguy commented 8 years ago

Yes, it's quite easy. I will reopen the issue to track the change.

mickeyreiss commented 8 years ago

Thanks for the quick help, @fehguy!

fehguy commented 7 years ago

This should be fixed now ¯\_(ツ)_/¯