Web form behaving differently when secure https - forms

I have a web form which I have recently secured with an SSL Certificate.
Since installing the certificate, the form behaves differently - when it was unsecured http it would give an error message if any required field was not filled in eg "This field is required". However, as a secured https page it doesn't give this error message any more and it is possible to submit the form whether the fields are filled in or not.
I'm a little confused because nothing else has changed other than the form page is now secured https.
Any advice on why this might be and how I could fix it would be much appreciated. Many thanks!

If you are using JavaScript for validation, Open the web page with either Google Inspect or Firefox Firebug, Check whether any of the java script is blocking or not... Its looks like some of the .js file is not loading properly.
If the validation are using ASP.NET validator, then there shouldn't be any issues.

Related

Coldfusion - Redirect website if it hits /folder/index.cfm?

Very new to Coldfusion, but not to web development so hopefully this is an easy question.
We recently changed a link on our website that took us to /folder/index.cfm. I want to make sure that when someone types www.ourwebsite.com/folder that it doesn't take them to /folder/index.cfm and instead to redirect them to another website.
Any pointers?
There are at least three ways it to do this.
Don't even bother with ColdFusion. Have your web server do the redirect. You are going to need to know if it Apache or IIS or whatever. You can then search for how that web server does it.
This might help you with some of that: Custom 404 error page not working on IIS 8.5
You can make a file at /folder/index.cfm and have a file that has
OR with cfscript
<cfscript>
location("newpage.cfm", false, 301)
</cfscript>
Note the addtoken and statuscode are optional. Add token helps because almost no CF website uses this kind of token. The status code helps because tells the browser that this is a permanent move.
You could intercept the request in application.cfc . In fact, in some systems all requested are checked for validity in application.cfc. You might still need a blank page at the target, but at least some ColdFusion is processed
Of all the options, 1 is my favorite, because there really isn't a lot that can be done with requests to missing pages. And the list of potential missing pages is unlimited.

Chronoforms v5 - Content Plugin - Captcha will not validated

I'm having big problems with the Chronoforms V5 - Content Plugin for Joomla.
If I send the form without integrating it in an article the Captcha will validated correctly, but if I use the Content-Plugin in an article, everytime the message "The entered verification code is wrong" appears.
Maybe one of you can help me????
If you have caching on then an older version of the form may be served and the token in that will not match to the current user. In that case you need to use one of the anti-spam methods that does not rely on a matched token like a Google captcha.
If there is more than one form in the page and you have Relative URL set to Yes then the form may be submitting to the 'other' form URL - this would also give a mismatched token.

Silent failure loading page application in iframe over https

Problem
I have an application driving a tab on a client's page. The application works correctly if the user has not enabled FB's "secure browsing" feature. If attempting to view over HTTPS, the iframe doesn't even appear (no errors, no mixed-content warnings). When correctly loading over HTTP, the div with the id "pagelet_app_runner" has an iframe inserted into it and the application content is loaded inside there. Over HTTPS, this div remains empty and the iframe is not inserted into the page. There are no Javascript errors appearing in Firebug or Chrome's equivalent console.
Why I'm Asking Here
The host has a valid SSL certificate and there is no 'mixed content' at the URL in question. I can successfully view the content over HTTP or HTTPS by visiting the URL directly, and I can do the same by visiting apps.facebook.com/canvasURL/tabURL. It is only when attempting to view within a Page Tab that the HTTPS load fails as described above. My application is configured with both regular and secure canvas and tab URLs.
Attempted Debugging
I've recorded some sessions with Charles but since the iframe isn't being inserted into the page, I think I'm coming at the problem after it's already occured. I'm no Charles expert so happy to be corrected here.
Apache isn't seeing any request (in either regular or ssl logs) for the affected loads. non-SSL loads come through as expected in access_log.
Plea for Help
I'm out of ideas for debugging this. Does anybody have any suggestions? What really obvious and stupid mistake might I have made? :)
edit: nicer formatting
Your app canvas URL is https://skinnycomp.nextstudio.com.au/skinnycowcomps/ , which send 404 error to Facebook proxy (request is going through proxy when viewing app via tab), also when viewing your app via apps (https://apps.facebook.com/122381834451561/), again 404... maybe Facebook proxy is ignoring 404 and posting blank...
Try changing canvas URL to https://skinnycomp.nextstudio.com.au/skinnycowcomps/tab, also you can check if your app is accessed via page tab, in signed_request there should be page_id...
23:51:15.379[549ms][total 1667ms] Status: 404[Not Found]
GET https://skinnycomp.nextstudio.com.au/skinnycowcomps/
This is a real longshot since I'm sure you've triple checked all the settings, but the blank page can happen if an invalid url is specified in the Page Tab URL field in the app settings. Since it only happens on https, it would imply something specifically with the Secure Page Tab URL entry. It might be worth checking that again, and maybe even re-saving it or changing it to something else to see if it helps.
I was using relative URLs for the regular and secure tab URL fields. From memory relative URLs here were mandatory at some point in the past. It appears now that a relative URL will still work for HTTP but not for HTTPs. Fix: absolute URLs. Hopefully FB update their field validation to match what's required too.

security warning in IE9 "Show all content"

I'm implementing the facebook Comments plugin on my site. Users get the warning "Show all content" in IE9
This other publisher using the same plugin and it does not bring up the warning.
Can some please help me with this?
Asking users to turn of the mixed content warning in their IE9 is not an option.
We were just looking at this today and our workaround for now was to include the Facebook Library over https (even when the page itself is viewed over http). Although not ideal it gets rid of the mixed content warnings in IE9 until they have fixed their bug.
That seems to be how it was accomplished at www.vg.no linked in the original question, the library is linked via https.
From their code:
<script src="https://connect.facebook.net/nb_NO/all.js"></script>
I have the same problem:
I have a page that's 100% http. But, the facebook javascript (which I call over http), is returning assets (.js, images) over https, which is generating security warnings for IE(9) users.
I have figured out it's the comment widget from Facebook (
Here's an example of a live page on http: with the error:
http://app.gophoto.com/p?id=10173&rkey=CD01891B287792415384&s=1&a=6940
Here's one of the assets that Facebook returns over HTTPS
https://s-static.ak.facebook.com/rsrc.php/v1/y8/r/7Htnnss1mJY.js
(I'm unable to comment (for some reason?) on Joel's answer. But, his suggestion to fetch the initial all.js over https on http sites does not actually work. I've tried it, and it also inherently looks incorrect since even the initial js fetch violates the mixing up of http & https content.)

HTTPS and FormAssembly

We are using a FormAssembly page to collect feedback - it's hosted within an IFrame on the side of our site's master page.
The thing is, that some parts of our site are HTTPS - viewing and posting the form is ok in HTTPS, but the problem comes with the "thank you" page - we are using the configurable custom thank you page (configured within FormAssembly iteself).
Is there are way we can send the desired response page up (perhaps via a hidden field within the posted form?) - this way we can send the HTTPS link for the HTTPS version of the form and the normal HTTP link for the HTTP form?
Thanks!
I asked this question on the FormAssembly forums and it seems that it is supported via "Aliases", which is a "Pro" feature... seems I have to upgrade :s
I just ran into and solved this exact problem. I am embedding formAssembly code onto my https site and was having problems populating hidden fields. I was able to get the hidden fields to populate by changing all of formAssembly's http references to https. However, that broke my thank you page. To fix the thank you page and keep my hidden fields populating, i changed only www.tfaforms.com/responses/processor back to http: and everything worked.