I’m trying to secure a site with SSL. SSL is installed, but when I visit the site, I get this from Chrome:
Your connection to domain.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure.
I think I have updated everything to use resources from the SSL site. I even copied the XHTML DTD and stored it locally. What am I doing wrong? The following is a sample page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "https://secured.CompanyName.com/schemas/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" class="frontend">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<title>CompanyName</title>
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
<script type="text/javascript" src="https://secured.CompanyName.com/scripts/jquery.1.4.4.min.js"></script>
<link media="all" type="text/css" href="https://secured.CompanyName.com/styles/jquery-ui/jquery-ui-1.8.2.custom.css" rel="stylesheet" />
<script type="text/javascript" src="https://secured.CompanyName.com/scripts/jquery-ui.1.8.2.min.js"></script>
<script type="text/javascript" src="https://secured.CompanyName.com/scripts/jquery.layout.min.js"></script>
<link href="https://secured.CompanyName.com/styles/login.css" rel="stylesheet" type="text/css" media="screen" charset="utf-8" />
<link media="all" type="text/css" href="https://secured.CompanyName.com/styles/CompanyName_main.css" rel="stylesheet" />
</head>
<body id="doc3" class="yui-t6">
<div id="site_wrapper">
<div class="CompanyName_header">
<div class="logo">
</div>
<div class="message" id="message" style="display:none;">
<p>Successfully saved.</p>
</div>
</div>
<div id="body_wrapper">
<div id="login_wrapper">
<form enctype="multipart/form-data" method="post" action="https://secured.CompanyName.com/index.php/main/login/submit/">
<div id="login_content">
<div id="square1"></div>
<div id="square2"></div>
<div id="square3"></div>
<div id="square4"></div>
<div id="login_header">
Login
</div>
<div class="login_email">
<label for="email">Email Address:</label><input type="text" name="email" id="email" />
</div>
<div class="login_password">
<label for="password">Password:</label><input type="password" name="password" id="password" />
</div><input type="submit" name="submit" value="Login" class="login" />
</div>
</form>
</div>
<div id="login_wrapper-shadow">
</div>
</div>
</div>
<div id="ft" class="ui-layout-south CompanyName_footer">
<div class="content">
<p>© 2010 <span class="name">CompanyName</span>. All rights reserved.</p>
</div>
</div>
</body>
</html>
If you look at the developer console, it should tell you which resources have been improperly included. Unfortunately, even if you’ve done anything right, it is possible that the scripts or resources you included improperly include HTTP resources, themselves. For example, your CSS file might include images over HTTP or it is possible that your JavaScript injects other scripts or images into the DOM that use HTTP.
Also, FYI, you can use “//” instead of “https://” when referencing resources if you want to allow your website to be included both under HTTP and HTTPS; this will ensure that resources are loaded under HTTP when accessed from an HTTP page and loaded with HTTPS when accessed from an HTTPS page. Using a protocol-relative path like this is preferable for a few reasons: