Community Support Forums

[raygulick]

Why does s2member include (apparently several) http: (insecure) links to wikipedia in the paypal forms? These links result in warning of an insecure page to visitors:
Your connection to [domain] is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

One example:

Code: Select all

<span>Card Verification Code ( 3-4 digits ) * <a href="http://en.wikipedia.org/wiki/Card_security_code" target="_blank" tabindex="-1" rel="external nofollow">need help?</a></span>

I've fixed all non-secure issues except these hard-coded links in s2member, and I'm reluctant to edit them directly, as I know that's a solution that will only last until the next update.

Could you please make an update that fixes this problem? Or is there a fix to this issue that I just can't find?

[raygulick]

OK, I restarted my browser (after fixing all issues but the above), and I'm no longer getting insecure messages. Can someone explain to me why having this one insecure link is OK, while all other insecure links were breaking SSL?

[Jason Caldwell]

Thanks for the heads up on this thread.

The only URLs that need to be served over SSL, are those which lead to "resources" used by the browser on a particular page of your site. Resources are defined as anything that the browser may load up in the context of a particular page on your site.

For example, if you have a JavaScript file, an image, a video, an icon, or another embedded resource that contributes to the display or functionality of a particular page, that MUST be served over SSL to prevent the infamous Secure/Insecure warning in some browsers.

However, "links" are NOT resources. Links lead visitors to another destination entirely, and are NOT classified as a "resource" for a particular page on your site. Therefore, they don't need to be converted over to an SSL protocol. For example, you might have a page that is served over SSL, with a link to a Wikipedia article. That link does NOT need to use the https:// protocol.

Related article: http://blogs.msdn.com/b/ieinternals/arc ... n-ie8.aspx

[raygulick]

Thank you for following up, Jason. That's in opposition to what I was told by the folks at HostGator, but I assume you're a better source of info.

One of the things I've learned in this process is the importance of restarting Chrome after making a change. If you don't do that, it gives you misleading feedback.