Thursday, July 28, 2011

Chrome Blocking "Insecure Scripts" from Facebook

I ran into an issue this evening while browsing on Chrome 14.0.835.2 dev-m. As I visit various pages, a new feature in Chrome (since version 12, I believe) is blocking "insecure scripts" from running. A few weeks ago, I noticed that an insecure script would be blocked every couple days or so. However, tonight I was seeing the popup on almost every site I visited. I realized that this had to do with Facebook when I visited Facebook and it looked like this.
Keep in mind that I do use Facebook's permanent HTTPS feature, which may have something to do with this. The fact that Facebook is causing issues explained why I was having issues elsewhere around the web: Facebook is embedded in some form on almost every webpage. I confirmed this by checking Chrome's developer tools to see what was being blocked on these pages.
To determine what was causing this, I decided to disable HTTPS in Facebook and see what happened. Turning off HTTPS allowed Facebook to load around the web without causing the "insecure script" warning in Chrome. 

So what was causing this? Looking into Chrome's developer tool, it appears that it is blocking a CSS page from Facebook, which explains why Facebook loads without its styles present as you can see in the image above. Also, Chrome takes issue with a number of lines of JavaScript used within the Facebook page. In total, it found 10 errors and 45 warnings on Facebook's homepage alone.

The only solution as of now is to either disable HTTPS in Facebook (it's not enabled by default, so you'll only be having these issues if you specifically turned it on) or running Chrome without blocking insecure scripts, which isn't recommended, but can be done by following the guide here:

No comments:

Post a Comment