X-Cart forums

[geckoday]

Quote:

Originally Posted by balinor

While I understand what you are trying to do, this can/will result in one of those nasty 'The site isn't secure' warnings when in https mode if the images or any other info is being called from an outside source. Just FYI

An outside source has nothing to do with the secure warnings. A lot of us include google JS code for analytics on our secure pages without a problem. In this case it has even less to do with secure warnings as its a server side include, not a client side include which are the includes that generate security warnings.

The header PHP code would need to generate appropriate href's for http & https to avoid secure warning messages but that's really a moot point. The error message indicates that PHP is configured to not allow includes via URL's - i.e. it only allows local includes. Most hosts do this as a security measure to limit hacker exploits from grabbing malicious code from external servers.

[balinor]

I disagree. Call an image from http://anotherdomain.com and you WILL get a warning.

[exsecror]

Quote:

Originally Posted by geckoday

An outside source has nothing to do with the secure warnings. A lot of us include google JS code for analytics on our secure pages without a problem. In this case it has even less to do with secure warnings as its a server side include, not a client side include which are the includes that generate security warnings.

The header PHP code would need to generate appropriate href's for http & https to avoid secure warning messages but that's really a moot point. The error message indicates that PHP is configured to not allow includes via URL's - i.e. it only allows local includes. Most hosts do this as a security measure to limit hacker exploits from grabbing malicious code from external servers.

That's because the Google Analytics code automatically switches to SSL when you're in SSL mode hence why you don't get the warning. I agree with balinor it causes problems and a lot of customers who are not well informed about security will be automatically turned off should they get a warning about "Insecure Content" on the page and a broken lock.

[geckoday]

Quote:

Originally Posted by balinor

I disagree. Call an image from http://anotherdomain.com and you WILL get a warning.

External <> security errors.
Calling an external file wrong causes security errors.
You should call an external file using http when in not in secure mode and using https when in secure mode - thats easy to do and as I mentioned is done for google analytics.

Code:

<script src="{if $smarty.server.HTTPS eq "on"}https://ssl{else}http://www{/if}.google-analytics.com/urchin.js" type="text/javascript">

But that's NOT what AgentBristow was trying to do. He was trying to include php code server side which is a whole different kettle of fish.

[kube]

Quote:

Originally Posted by geckoday

He was trying to include php code server side which is a whole different kettle of fish.

True. Until the header code itself contains insecure external urls which may or may not be the case.