I’ve run into another issue with mixed content that I’d like to bring up.
The SSL Problem
As you probably know, it’s 2019 and the push for websites to use HTTPS (i.e. SSL) is growing. That’s definitely not a bad thing, but it presents a problem for websites that don’t use HTTPS.
In the current version of Surreal, we force HTTPS on all pages except the editor. In the editor, you’ll get bumped to the HTTP or HTTPS version depending on your website’s URL. We did this because if we forced HTTPS and you’re editing a website that doesn’t support HTTPS, you’d see a mixed content warning in your browser:
However, as time progressed, browsers stopped showing this warning and instead simply stopped loading insecure content. That means your website would appear “naked,” without any styles or scripts.
These days, browsers are very aggressive in letting you know a website is not being served over HTTPS. For example, load any website over HTTP and you’ll see this in your address bar:
Firefox goes even further and shows this message when you’re filling out a form on an HTTP website:
How it Affects You
This isn’t a bad thing. Users should be informed of insecure websites. However, we find ourselves in a transitional period where many websites are still using HTTP and that creates a bit of a problem.
In Surreal CMS 7.0, all pages use SSL, even the editor. This provides more security for you and your users, and it keeps up with browsers and their aggressive stance against insecure websites.
Unfortunately, this means if your websites aren’t using HTTPS, you probably won’t see any scripts or styles in the editor — not a great experience.
This is a tough problem from a development standpoint.
Of course, the easiest way to prevent this is to secure your websites. SSL certificates have been somewhat expensive in the past, but these days many hosts offer them for free through Let’s Encrypt.
I’d love to tell you that I have a solution for this problem, but as of right now I don’t. I’m more than happy to tell everyone to switch to HTTPS, why HTTPS is important, etc. — but realistically I know not everyone will be able to make the switch right away.
I’ve experimented with swapping links in the editor — basically changing the source to load insecure content through a secure proxy that we control. So far, I’ve had limited success with this, and I’m not confident that this approach will resolve the issue 100%, but I’ll continue looking into it.
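To make the link-swapping idea concrete, here is an added example (not Surreal's code) that rewrites `http://` subresource URLs to a proxy and reports what attribute rewriting cannot reach. The proxy URL, host names, function name and sample markup are all hypothetical, and the regex matching assumes well-formed tags with quoted attributes.

```javascript
// Added example; the proxy URL, host names and sample markup are constructed.
const SUBRESOURCE_ATTR = new Map([
  ['script', 'src'], ['img', 'src'], ['iframe', 'src'], ['audio', 'src'],
  ['video', 'src'], ['source', 'src'], ['link', 'href'],
]);

function rewriteMixedContent(html, proxyBase, siteHost) {
  const rewritten = [];
  const skipped = [];
  const out = html.replace(/<([a-zA-Z][\w-]*)([^>]*)>/g, (tag, name, attrs) => {
    const tagName = name.toLowerCase();
    const attr = SUBRESOURCE_ATTR.get(tagName);
    if (!attr) return tag; // e.g. <a href>: navigation, not a subresource load
    // Of the <link> types, only stylesheets are handled here.
    if (tagName === 'link' && !/\brel\s*=\s*["']?stylesheet\b/i.test(attrs)) return tag;
    const re = new RegExp('(\\s' + attr + '\\s*=\\s*)(["\'])(http://[^"\']+)\\2', 'i');
    return tag.replace(re, (match, prefix, quote, url) => {
      let host;
      try { host = new URL(url).hostname; } catch (e) { host = null; }
      // Only proxy the site being edited, so the proxy cannot be pointed at arbitrary hosts.
      if (host !== siteHost) { skipped.push(url); return match; }
      rewritten.push(url);
      return prefix + quote + proxyBase + encodeURIComponent(url) + quote;
    });
  });
  // Attribute rewriting does not reach URLs inside CSS; count them so they are visible.
  const cssRefs = (html.match(/url\(\s*["']?http:\/\/[^)"']+/gi) || []).length;
  return { html: out, rewritten, skipped, cssRefs };
}

// Constructed sample page for a site served from http://example.test
const sample = [
  '<link rel="stylesheet" href="http://example.test/site.css">',
  '<script src="http://example.test/app.js"></script>',
  '<img src="http://cdn.example.net/logo.png">',
  '<a href="http://example.test/about">About</a>',
  '<div style="background:url(http://example.test/bg.png)"></div>',
].join('\n');

const result = rewriteMixedContent(sample, 'https://proxy.example/fetch?u=', 'example.test');
console.log(result.html);
console.log(result.rewritten, result.skipped, result.cssRefs);
```

The third-party image and the CSS `url()` reference are left as `http://`, so the browser would still treat them as mixed content on an HTTPS editor page.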
This problem has held up progress on the new version quite a bit, and today I’ve decided that launching the beta is more important than solving this right away. I’ll definitely circle back to it, but in the meantime I’m going to focus on getting the new website done and the beta launched.
If you have any questions or thoughts on this, I’d love to hear them!