Fixing Mixed Content Warnings

About Mixed Content Warnings

A mixed content warning in the firefox web browser, which reads "conntection is not secure. parts of this page are not secure (such as images)."

A Mixed Content Warning (pictured above) appears when a site’s connection is secure (using https) but the page content itself is not. This is commonly a result of directly referencing an existing image on the site using an absolute url pointing to http, though it can also be caused by hotlinking external images. 

Though this warning will not affect the security of sensitive data, these images themselves can still present a small security risk to your site and its users.

Fixing Mixed Content Warnings

When the image causing the Mixed Content Warning is referencing an image that has been uploaded elsewhere on your site, the warning can be fixed by editing the url of the problematic image to be a relative url, rather than an absolute one. This has the secondary benefit of ensuring that the image will continue to work if the site’s base url changes, or when a test or development build is pushed to production.

 To edit the image url, begin editing the page containing the image and double-click the image in the text body. Examine the URL field, which will be the first text field from the top. An insecure image will be using a full (absolute) url beginning with “http://” and containing the site’s base url, e.g. “… .” 

the image properties window displaying the peoper format for an uploaded image's url

A relative url will contain everything after the “.edu”, with the format “/sites/default/files/images/filename.jpeg”, as seen in the figure above. To change an absolute url to a relative one, remove everything before “/sites” in the URL field.

Repeat the above instructions for any media not directly uploaded to the page returning the Mixed Content Warning until the warning no longer appears in your browser.

If the problematic images are being hotlinked from an external source, downloading the image and uploading directly to the site will dismiss the warning.