SuiteCRM: update to SuiteCRM 7.4.1 - Blocked loading mixed active content

Created on 26 Nov 2015 · 11 Comments · Source: salesagility/SuiteCRM

Our server's security settings allow only HSTS, so only strict HTTPS.
After upgrading to SuiteCRM 7.4.1 we are getting these JavaScript errors:

1)
Blocked loading mixed active content "http://yui.yahooapis.com/combo?3.3.0/build/widget/assets/skins/sam/widget.css&3.3.0/build/widget/assets/skins/sam/widget-stack.css&3.3.0/build/overlay/assets/skins/sam/overlay.css&"

2)
Blocked loading mixed active content "http://yui.yahooapis.com/combo?3.3.0/build/event-custom/event-custom-min.js&3.3.0/build/dom/dom-min.js&3.3.0/build/event/event-min.js&3.3.0/build/attribute/attribute-min.js&3.3.0/build/pluginhost/pluginhost-min.js&3.3.0/build/classnamemanager/classnamemanager-min.js&3.3.0/build/base/base-min.js&3.3.0/build/node/node-min.js&3.3.0/build/widget/widget-min.js&3.3.0/build/widget/widget-stdmod-min.js&3.3.0/build/widget/widget-position-min.js&3.3.0/build/widget/widget-position-align-min.js&3.3.0/build/widget/widget-stack-min.js&3.3.0/build/widget/widget-position-constrain-min.js&3.3.0/build/overlay/overlay-min.js&3.3.0/build/plugin/plugin-min.js&3.3.0/build/anim/anim-base-min.js&3.3.0/build/widget-anim/widget-anim-min.js"

3)
TypeError: Y.Overlay is not a constructor

I think the correct API should be:
https://yui-s.yahooapis.com/combo?3.3.0/build/widget/assets/skins/sam/widget.css&3.3.0/build/widget/assets/skins/sam/widget-stack.css&3.3.0/build/overlay/assets/skins/sam/overlay.css&

The error affects, for example, the Calendar and the Projects module's Gantt View.

Moderate Fix Proposed Bug

All 11 comments

@salesagility Why bother loading yui files again from external (.yahooapis.com) if you bundle all the files in /include/javascript/yui3/build/ ?

Applying the following code (actually not upgrade-safe) to /modules/*/views/view.edit.php (or whatever modules this error occurs in) results in setting up YUI to load from the SuiteCRM installation itself instead of going out in the wild...

...
...
public function display() {
    // https://github.com/yui/yui3/issues/810
    $sugarConfig = SugarConfig::getInstance();
    echo "<script>
        YUI.applyConfig({
            base: '" . $sugarConfig->get('site_url') . "/include/javascript/yui3/build/',
            combine: false
        });</script>";
    ...
    ...
}
...
...

What needs to be done is a generic/common/global setting to load YUI from the SuiteCRM instance itself.
The drawback of the method above is that the YUI JS files will be loaded one after another; there is no bundling/combining applied here.

To clarify the issue here: this (really) has nothing to do with how we set up our servers.

Modern browsers simply do NOT load stuff from non-HTTPS if the current website is under HTTPS.
Insecure stuff isn't loaded when visiting a secure site.

Therefore the application rendering HTML must ensure

  • either all external references go to https too (should use //www.example.com)
  • or simply put all needed external references like YUI and JQuery into the application itself (as done, see /include/javascript/*)

Better would be to include all files.
For example, we need one SuiteCRM installation behind a very strict firewall, so it's not allowed to load external http or https at all.

This bug is quite easily fixed. I'd fork, fix, and PR, yet I've done so several times already with no luck getting PRs included, nor comments back. Makes you wonder whether you did the PR right. Code Contribution Agreement signed by the way.

@chris001, do you still have a PR for this issue? If yes, can you reference this issue in it?

Still an issue now.

+1

My helper command:

grep -rli 'http://yui.yahooapis.com' . | xargs -i@ sed -i 's/http:\/\/yui.yahooapis.com\//https:\/\/yui-s.yahooapis.com\//g' @

Could you please give a little explanation what this command is expected to do exactly?

The Yahoo YUI library was served on a separate subdomain when HTTPS is required; this is to replace everything so it does not cause a problem in the browser with non-HTTPS requests.

FYI, I did a test run of this command on Mac OS with this slightly altered command:

grep -rli 'http://yui.yahooapis.com' . | xargs -I@ sed -i '' 's/http:\/\/yui.yahooapis.com\//https:\/\/yui-s.yahooapis.com\//g' @

Worked for me.
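
A more careful form of the helper command from the comments above, as an added example that is not part of the original thread or of SuiteCRM: it lists every hit before changing anything, matches the host literally, copes with spaces in paths, and uses one `sed` invocation that both GNU and BSD/macOS `sed` accept. The function names are made up for this example; the two URLs are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit, then rewrite, hard-coded
# http:// references to the YUI CDN that browsers block as mixed content.
# OLD_URL and the https host in the sed expression are the ones in the thread.
OLD_URL='http://yui.yahooapis.com/'

# Dry run: print file:line:text for every occurrence under the given root.
# Exit status 0 means at least one insecure reference is still present.
audit_mixed_content() {
    grep -rnF -- "$OLD_URL" "${1:-.}"
}

# Rewrite every occurrence under the given root in place.
fix_mixed_content() {
    # -F matches the URL as a fixed string; -l prints file names only.
    # "read -r" keeps spaces in paths intact (newlines in names are not handled).
    grep -rlF -- "$OLD_URL" "${1:-.}" |
    while IFS= read -r file; do
        # "-i.bak" (suffix attached to the flag) works with GNU sed and with
        # BSD/macOS sed, unlike bare "-i" (GNU only) or "-i ''" (BSD only).
        # The dots are escaped so that only the real host name matches.
        sed -i.bak \
            's|http://yui\.yahooapis\.com/|https://yui-s.yahooapis.com/|g' \
            "$file" && rm -f -- "$file.bak"
    done
}

# Typical use from the installation root (review the audit output first):
#   audit_mixed_content .
#   fix_mixed_content .
#   audit_mixed_content . || echo "no insecure YUI references left"
```

As the first commenter notes, edits like this to shipped files are not upgrade-safe, so the audit is worth re-running after every upgrade.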
