New to the community? Start here

[Hummingbird Pro] WooCommerce + Fonts = INSECURE

Has anyone else had issues when using Hummingbird’s Minify feature on WooCommerce? I *cannot* seem to find a way to make the relative font links in the WooCommerce CSS grab an https prefix… unless I manually go in and update them with such.

Any help would be GREATLY appreciated!

Mixed Content: The page at '<URL>' was loaded over HTTPS, but requested an insecure font '<URL>'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.woff'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.ttf'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.woff'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.ttf'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.woff'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.ttf'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.woff'. This request has been blocked; the content must be served over HTTPS.

(index):1 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.ttf'. This request has been blocked; the content must be served over HTTPS.

analytics.js:62 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.woff'. This request has been blocked; the content must be served over HTTPS.

Kc @ analytics.js:62

pc @ analytics.js:58

N.create @ analytics.js:72

X.b.<computed> @ analytics.js:41

Z.v @ analytics.js:72

Z.D @ analytics.js:71

N.N @ analytics.js:74

rc @ analytics.js:65

z @ analytics.js:65

(anonymous) @ analytics.js:74

(anonymous) @ analytics.js:74

analytics.js:62 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.ttf'. This request has been blocked; the content must be served over HTTPS.

Kc @ analytics.js:62

pc @ analytics.js:58

N.create @ analytics.js:72

X.b.<computed> @ analytics.js:41

Z.v @ analytics.js:72

Z.D @ analytics.js:71

N.N @ analytics.js:74

rc @ analytics.js:65

z @ analytics.js:65

(anonymous) @ analytics.js:74

(anonymous) @ analytics.js:74

analytics.js:62 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.woff'. This request has been blocked; the content must be served over HTTPS.

Kc @ analytics.js:62

pc @ analytics.js:58

N.create @ analytics.js:72

X.b.<computed> @ analytics.js:41

Z.v @ analytics.js:72

Z.D @ analytics.js:71

N.N @ analytics.js:74

rc @ analytics.js:65

z @ analytics.js:65

(anonymous) @ analytics.js:74

(anonymous) @ analytics.js:74

analytics.js:62 Mixed Content: The page at 'https://mywebsite.com/order-shipping-info/' was loaded over HTTPS, but requested an insecure font 'http://mywebsite.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.ttf'. This request has been blocked; the content must be served over HTTPS.

Thu, 18 Apr 2019 18:25:48
More Hummingbird Pro discussions
Hummingbird Pro
  • Nithin Ramdas
    • Support Wizard

    Hi splaquet,

    That’s an odd issue. I don’t recall any similar reports, I tried to check the /order-shipping-info/ page, and I don’t see the mixed content error at the moment in the browser console.

    I could notice Asset Optimization is still enabled. I suppose you manually updated the URLs? Could you please point out where exactly you made the changes for it to work?

    Also, if you could revert the manual changes temporarily, we could give a closer look, and see what could be causing this issue specifically too.

    Please advise if I missed out anything. Have a nice day ahead. :slight_smile:

    Regards,

    Nithin

  • splaquet
    • WordPress Warrior

    I did go in and manually updated the URL references, with hard links.

    I updated about 10 files that referenced the font files in:

    /wp-content/plugins/woocommerce/assets/css/

    Unfortunately, we’ll probably have to revisit this in a little bit. I’ve finally gotten then down below a 16sec TTFB and a 30+ second catalog page load. …i’ll need to give it at least a week before I mess with this site again.

    although, i do have a /dev install that you could check out… BUT, I used Defender’s new “reset settings” feature, which reset my DB prefixes. …so, when I went to use the feature to revert the prefixes back to their previous settings, i haven’t been able to log back into /wp-admin again.

    i had support access granted on that site. see if you can poke around and get into redeux.broinc.com?

  • Kasia Swiderska
    • Support nomad

    Hello splaquet ,

    Access on that staging site is not working, but I wasn’t able to see the issue with mixed content on those fonts. Did you apply that fix on that site?

    I checked on my https site and Woo+Hummingbird installed, but I could not spot that problem :slight_frown:

    If you can create a new staging where the issue will be visible, we will check it.

    kind regards,

    kasia

  • splaquet
    • WordPress Warrior

    I updated to the latest WooCommerce, and also updated the relative URLs to the complete ones again, after updating.

    I’m going to make a current dump of the live database and restore it back into my /dev setup, over at https://redeux.broinc.com. I’ll also install fresh WooCommerce files there.

    Should have that squared away within 30 minutes or so. Redeux is totally /dev, so you can feel free to disable/activate, etc.

  • splaquet
    • WordPress Warrior

    Kasia Swiderska … not sure if you’re on now or not, because i’m going to have to fix these links again… but the woocommerce fonts reset back to http:// after upgrading to the latest woocommerce, just now.

    https://broinc.com

    also, i’ve noticed that this only appears to happen when the compressed assets are located on the

    hummingbird cdn. not sure if that’s a constant or not, but thought i’d note it.

    ###

    another observation… Hummingbird keeps compressing this file as http.

    https://hb.wpmucdn.com/broinc.com/e6a91339-2516-45f2-a740-789f09beff8e.js

    it’s for Authorize.net CIM. i’m not sure if this is an expected behavior or not, but it’s been causing havoc on trying to use CC for payments and/or adding new payment methods to our customers’ accounts.

  • splaquet
    • WordPress Warrior 
    jquery-migrate.js:23 JQMIGRATE: Migrate is installed with logging active, version 1.4.1
    
jquery.js:3 Mixed Content: The page at 'https://broinc.com/' was loaded over HTTPS, but requested an insecure element 'http://broinc.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.woff'. As part of an experiment this request was automatically upgraded to HTTPS, For more information see https://chromium.googlesource.com/chromium/src/+/master/docs/security/autoupgrade-mixed.md
    
k @ jquery.js:3
    
pixelMarginRight @ jquery.js:3
    
Sa @ jquery.js:3
    
css @ jquery.js:3
    
set @ jquery.js:3
    
style @ jquery.js:3
    
(anonymous) @ jquery.js:5
    
Y @ jquery.js:3
    
n.fn.<computed> @ jquery.js:5
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
jquery.js:3 Mixed Content: The page at 'https://broinc.com/' was loaded over HTTPS, but requested an insecure element 'http://broinc.com/blog/wp-content/plugins/woocommerce/assets/fonts/star.ttf'. As part of an experiment this request was automatically upgraded to HTTPS, For more information see https://chromium.googlesource.com/chromium/src/+/master/docs/security/autoupgrade-mixed.md
    
k @ jquery.js:3
    
pixelMarginRight @ jquery.js:3
    
Sa @ jquery.js:3
    
css @ jquery.js:3
    
set @ jquery.js:3
    
style @ jquery.js:3
    
(anonymous) @ jquery.js:5
    
Y @ jquery.js:3
    
n.fn.<computed> @ jquery.js:5
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
jquery.js:3 Mixed Content: The page at 'https://broinc.com/' was loaded over HTTPS, but requested an insecure element 'http://broinc.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.woff'. As part of an experiment this request was automatically upgraded to HTTPS, For more information see https://chromium.googlesource.com/chromium/src/+/master/docs/security/autoupgrade-mixed.md
    
k @ jquery.js:3
    
pixelMarginRight @ jquery.js:3
    
Sa @ jquery.js:3
    
css @ jquery.js:3
    
set @ jquery.js:3
    
style @ jquery.js:3
    
(anonymous) @ jquery.js:5
    
Y @ jquery.js:3
    
n.fn.<computed> @ jquery.js:5
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
jquery.js:3 Mixed Content: The page at 'https://broinc.com/' was loaded over HTTPS, but requested an insecure element 'http://broinc.com/blog/wp-content/plugins/woocommerce/assets/fonts/WooCommerce.ttf'. As part of an experiment this request was automatically upgraded to HTTPS, For more information see https://chromium.googlesource.com/chromium/src/+/master/docs/security/autoupgrade-mixed.md
    
k @ jquery.js:3
    
pixelMarginRight @ jquery.js:3
    
Sa @ jquery.js:3
    
css @ jquery.js:3
    
set @ jquery.js:3
    
style @ jquery.js:3
    
(anonymous) @ jquery.js:5
    
Y @ jquery.js:3
    
n.fn.<computed> @ jquery.js:5
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
(anonymous) @ core.min.js:11
    
jquery-migrate.js:45 JQMIGRATE: jQuery.fn.load() is deprecated
    
migrateWarn @ jquery-migrate.js:45
    
jQuery.fn.<computed> @ jquery-migrate.js:560
    
(anonymous) @ a4b7203ede59e7161151bf0c30f3b104.js:10
    
(anonymous) @ a4b7203ede59e7161151bf0c30f3b104.js:10
    
jquery-migrate.js:47 console.trace
    
migrateWarn @ jquery-migrate.js:47
    
jQuery.fn.<computed> @ jquery-migrate.js:560
    
(anonymous) @ a4b7203ede59e7161151bf0c30f3b104.js:10
    
(anonymous) @ a4b7203ede59e7161151bf0c30f3b104.js:10
    
jquery-migrate.js:45 JQMIGRATE: 'hover' pseudo-event is deprecated, use 'mouseenter mouseleave'
    
migrateWarn @ jquery-migrate.js:45
    
hoverHack @ jquery-migrate.js:521
    
jQuery.event.add @ jquery-migrate.js:541
    
(anonymous) @ jquery.js:3
    
each @ jquery.js:2
    
each @ jquery.js:2
    
sa @ jquery.js:3
    
on @ jquery.js:3
    
(anonymous) @ custom.min.js:1
    
i @ jquery.js:2
    
fireWith @ jquery.js:2
    
ready @ jquery.js:2
    
K @ jquery.js:2
    
jquery-migrate.js:47 console.trace
    
migrateWarn @ jquery-migrate.js:47
    
hoverHack @ jquery-migrate.js:521
    
jQuery.event.add @ jquery-migrate.js:541
    
(anonymous) @ jquery.js:3
    
each @ jquery.js:2
    
each @ jquery.js:2
    
sa @ jquery.js:3
    
on @ jquery.js:3
    
(anonymous) @ custom.min.js:1
    
i @ jquery.js:2
    
fireWith @ jquery.js:2
    
ready @ jquery.js:2
    
K @ jquery.js:2
    
content.min.js:2 [Deprecation] Element.createShadowRoot is deprecated and will be removed in M73, around March 2019. Please use Element.attachShadow instead. See https://www.chromestatus.com/features/4507242028072960 for more details.
    
(anonymous) @ content.min.js:2

  • Nithin Ramdas
    • Support Wizard

    Hi splaquet,

    Hope you are doing good today. :slight_smile:

    Seems like you have fixed the issue by making the changes in WooCommerce side in the live site, as I’m not able to see the mentioned errors neither in Live nor staging website.

    I’m afraid, it’s tough to state what exactly is causing the issue without replicating the issue, or seeing it live. I tried to set up Asset Optimization in dev site according to the Live site, but I wasn’t able to notice any insecure message regarding this in dev site.

    Are we missing anything specific in the dev site to replicate the issue? Please advise.

    I’m also bringing into our developer’s attention to see whether he could give some guidance on what could be causing such anomalies too.

    Regards,

    Nithin

  • splaquet
    • WordPress Warrior

    so, here’s the ultimate problem. i wish i could tell you what the ultimate cause was, but, after all of the support chats and tickets, i really have no idea why this is happening.

    i have created several pre-versions of this project. it’s been waaaay too many months in the making, and i’d like nothing more than to put it behind me. everything was going just fine with it, up until i tried to use hummingbird’s cache feature and CDN asset management.

    as you could probably tell (by piecing together all of my support outreach), it didn’t really start clicking until recently.

    i’ve used several subdomain /dev versions of this domain… and even this domain as a sub-domain on my development domain, back when we first began.

    bro.redeux.me

    broinc.redeux.me

    redeux.broinc.com

    beta.broinc.com

    dev.broinc.com

    old.broinc.com

    fresh.broinc.com

    …and possibly even more, but you catch my point.

    to confuse matters, we’ve even taken a mysqldump of the live DB, for a second testing DB on /dev, to use in pre-realtime data application and DB editing/manipulation. we’ve always replaced the /live domain with the /dev domain (via find/replace with plain text & regex), but this might be where the problem lives.

    during my most recent support chat, i couldn’t figure out why my live site kept loading a file from the CDN that hadn’t existed on the site for some time.

    this one in particular:

    https://hb.wpmucdn.com/broinc.com/1e5b7848-e1b5-4607-b707-f4d87ea188b8.js

    BUT, i also kept seeing my live site load old CDN versions of WooCommerce files, pre https font version (or so my theory currently stands).

    and then yesterday, while trying to make sense of things, i started noticing how i kept being logged out of my /dev install while working in my /live install, and vice versa. that was a first, but again, started making me think that there was something odd going on here. i initially freaked out, thinking that my /dev install was linked to the live DB, but that fortunately was not the case. so yeah, that was kind of odd behaviour… and something that i hadn’t seen at all before this past weekend.

    long story short… i need an easy method of cleaning out my site content on your CDN.

    this file (previously mentioned):

    https://hb.wpmucdn.com/broinc.com/1e5b7848-e1b5-4607-b707-f4d87ea188b8.js

    …is preventing me from loading my files to the CDN, because every time I try, it prevents our customers from using CC payments on checkout. NO BUEÑO!!!

    I spent a day, then several hours a few times, trying to optimize, inline, defer, etc, my files. but, no matter how solid it appears that i have it pre-CDN upload, it always fails once I connect to the CDN… due to THAT file above!

    when using the CDN, using the “clear cache” button on the asset/minify screen DOES NOT clear out the old files. during my last support chat, i had Patrick Freitas erase all of my current %broinc% sites from the /my-websites page. i left them off for several days (maybe up to 5-7 days), and that file STILL existed after reconnecting!

    so, i obviously don’t need to go on and on about this, but i could really use some help here. what should i do next? i’m done spinning my wheels here and want for nothing more than to wrap this project up and put it in the past.

    Nithin, Adam Czajczyk , Kasia Swiderska … i appreciate all of the help and insight that you’ve all provided, but can someone please help me and explain how i can go about completely wiping the files stored on the CDN?

  • Nithin Ramdas
    • Support Wizard

    Hi splaquet,

    i appreciate all of the help and insight that you’ve all provided, but can someone please help me and explain how i can go about completely wiping the files stored on the CDN?

    The CDN should get re-generated, by clicking the Re-check Files button in the Asset Optimization. Other than that you could also reset to default under Hummingbird Pro > Asset Optimizations > Settings > Reset to defaults.

    Since support access to your site wasn’t enabled, I wasn’t able to give a closer look at these mentioned links after re-check is done.

    I do understand you, and I’m sorry to hear that you are facing ongoing issues regarding http/https links in fonts. However, I’m afraid, it’s tough to say what could be causing specifically if we aren’t able to notice the issue in the Dev site too. I did check with the developer and he did further test in your website, and after clearing the Hummingbird cache the files were generated with proper links.

    He was able to notice such anomalies could occur due to misconfiguration with SSL plugins ie the way how the links are loaded via HTTPS/HTTP. Maybe you could give a try to manually force HTTPS without using the Really Simple SSL plugin, and see whether it makes any difference?

    We are discussing internally whether there is a workaround that could be done to fix such anomalies in the plugin side. If you could point out the steps to replicate in the dev site, we could further test this out in your system too. :slight_smile:

    Regards,

    Nithin

  • Kayvan Rad
    • WPMU DEV Initiate

    Hi splaquet,

    Long time has been passed from this issue that you raised. I faced this issue yesterday and the work around that I found is to replace the http:// to https:// at the moment that the minified content is generated by hammingbird.

    You can place the following code to your function.php and should solve this issue,

    add_filter( 'wphb_minify_file_content', 'wphb_minify__replace_links' );
function wphb_minify__replace_links($content){
	$content = str_replace('http://','https://',$content);
	return $content;
}

    Best Regards
    Kayvan

  • Patrick Freitas
    • FLS

    Hi Kayvan Rad

    I hope you are doing well.

    Thank you for sharing this workaround, it is similar to what our developers suggested in a recent situation https://gist.github.com/patrickfreitasdev/e8092a06a700e194ed872b0b6d979076

    While troubleshooting that case, our developer found that issue was related to something forcing the HTTP in the scripts.

    I am sharing the code that was used to debug and create a log file it in case helps:

    add_action( 'init', function(){
	$site_url = get_site_url();
	$template_uri = get_template_directory_uri();
	if( false !== strpos( $site_url, 'http:' ) ){
		@file_put_contents( dirname(__FILE__).'/test.txt', "\n-------\n site_url:". date('d/m/Y h:s:i') .':'. $site_url, FILE_APPEND );
	}
	if( false !== strpos( $template_uri, 'http:' ) ){
		@file_put_contents( dirname(__FILE__).'/test.txt', "\n-------\n template_uri:". date('d/m/Y h:s:i') .':'. $template_uri, FILE_APPEND );
	}
} );

add_filter( 'print_styles_array', function($handles){
	global $wp_styles;
	foreach( $handles as $handle ){
		if( isset( $wp_styles->registered[ $handle ]->src ) && false !== strpos( $wp_styles->registered[ $handle ]->src, 'http:') ){
			@file_put_contents( dirname(__FILE__).'/test.txt', "\n-------\n print_styles $handle:". $wp_styles->registered[ $handle ]->src, FILE_APPEND );
		}
	}

	return $handles;

}, 4 );

    Best Regards
    Patrick Freitas