I am using Firefox 13.01 on Mac OS and I am using electronic box, a Canadian ISP. I receive the message when I go to https://www.youtube.com/results?search_query=electronicbox and a few others:
"you have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."
The message clearly states that information I read or enter can be read by a third party. I would like to know why "youtube" which has https, or SSL service which I am using still displays that message?
-
jscher2000 8 months ago In a future version, Firefox will let you actually block the insecure content from loading. Currently, you only get a warning.
On that page, the following are loaded using HTTP instead of HTTPS:
http://i4.ytimg.com/vi/pzXFzdwFGnk/hq1.jpg
http://i3.ytimg.com/vi/0LbbLLfsFvg/default.jpg
Perhaps it is not a coincidence that these images are in the ads I see at the top and bottom of the page. eBay recently was reported to have a similar problem with its ad server in this thread: Ebay sign in page does not have padlock-states only partially encrypted..IE has padlock. Why is ebay's sign in page not secure in Firefox? FF Version 14.0.1.
-
finitarry 8 months ago If it is YouTube, why worry about it? If you were buying something or doing banking, then do worry about it.
-
helenrbeaupre 8 months ago I get this when I go into my gmail or facebook account--not exactly reassuring! As a result, I have NOT used Mozilla firefox for these applications even though I would like to--especially since firefox has automatic spelling corrections along the way. Any suggestions on how I can prevent this message from coming up?
-
jscher2000 8 months ago Hi helenrbeaupre, my guess would be that most insecure content issues in Gmail and Facebook are caused by advertising. You might test an ad blocking add-on and see whether that resolves the issue. I haven't used any of them myself, so can't make a particular recommendation.
-
helenrbeaupre 8 months ago I picked the most popular Firefox ad-blocker (Adblock Plus) and didn't get this annoying error message! Thank you so very much for helping me with this--it has been a nuisance for months and prevented me from using firefox comfortably--despite many other great features!
-
helenrbeaupre 7 months ago Unfortunately, this ad blocker only worked for a couple of times--then I got the error message again. It really does prevent me from using Mozilla Firefox comfortably. Any other suggestions?
-
cor-el 7 months ago You can either disable that error message (there should be a check-box on the pop-up alert and only leave the basic globe instead of the padlock on the location bar) or use a normal http connection until YouTube has sorted this out and only serves secure content if you use a secure https connection.
-
helenrbeaupre 7 months ago Unlike an earlier user, I am not using youtube when I get this message. I am trying to get into my gmail, yahoo mail and facebook--not sites I want to compromise my security with! I would really really appreciate help figuring out this annoying pop-up. Thanks for any suggestions.
-
cor-el 7 months ago You should not be seeing this alert on Gmail or other (premium) e-mail and bank sites.
Facebook can force a secure connection via its settings, but may not work properly with all its applications (games) if you do.
Large sites like Yahoo and Facebook are usually not designed to work properly with a secure connection as they may have ads from a lot of sources, so you may have to access them via a normal http connection.
-
helenrbeaupre 7 months ago I like using Mozilla Firefox for Facebook because it has spell check. Are you saying I cannot use Mozilla Firefox for Facebook or Yahoo email? This doesn't seem right to me! Also, I DO get this error message when trying to enter my gmail. Currently, I am using Avira security software. I'm about to stop using Mozilla Firefox because of this error message. Any other solutions or advice is greatly appreciated. Should I try re-loading Firefox?
-
jscher2000 7 months ago You could consider using the NoScript extension as an alternate way to control which content loads into a page. When you first start using NoScript, you will find yourself visiting its menu frequently to unblock sites that you want to be able to run scripts. Over time, as you build your list of approved sites, you won't need to use the menu as often.
-
helenrbeaupre 7 months ago Appreciate your suggestions, but this is sounding too complicated for me--especially since I just read Google Chrome is the most secure browser. I may just start using Chrome. Thanks very much anyway!
-
jodyCoolness 4 months ago The main problem is how this condition is handled. When the browser detects this situation, it breaks its response into two, with the encrypted portion sent but the unencrypted part delayed until the user answers the dialog. In my case the first response seen by the server is a GET, and the second is a POST containing the form data needed to process the REQUEST (both GET and POST) properly. By the time the server sees the POST data it has already processed the GET data and deems the response invalid, since there was no POST data to go along with the GET data.
Unless Mozilla decides to restore the preference option to disable this warning (this warning has been irritating people for 4 years now, and there was an option to disable the warning in older versions of Firefox) this bug should be fixed by holding the entire response (POST and GET data, encrypted or not) until the user answers the warning dialog to continue.
When the entire response is sent together it can be properly processed, just like other browsers do. This is a real bug in Firefox.
-
finitarry 4 months ago helenrbeaupre,
Even if you blocked that warning message for mixed content, the situation would still be there, and the icon in the address bar would still not be a secure padlock image. It is possible to block that message from about:config.
security.warn_viewing_mixed - setting to false blocks the warning
-
jscher2000 4 months ago Hi jodyCoolness, I don't understand your scenario: you have two requests to your server, one GET and one POST, and either the POST is not using SSL (why?) or there is an intervening insecure request to an external server (can that be avoided)? Why is there a race condition between your two requests: can't you wait for the POST to complete before making your GET request?
-
jodyCoolness 4 months ago I have a simple Joomla website with a shopping cart component. It contacts paypal using an https, encrypted URL to pass the shopping cart data.
Once the user pays for the items a link is provided by paypal to return to the seller's website. That link takes the user to another paypal page that has an automatic redirect to the seller's website, and a manual link to click if the automatic redirect fails.
As soon as the redirect fires or you click the manual link to return, you get the popup in Firefox (versions 16.0.2 & 18.0.2 for Mac OSX tested).
All of this behavior is dictated by Paypal. For some crazy reason, where other browsers respond with GET and POST data in one http handshake session, occurring in close proximity in time and where they are treated as a singular request to be processed, Mozilla splits the response going back to the seller website (containing order payment confirmation info) into separate GET and POST segments, with the GET segment going out right away and the POST being held back waiting for an answer to the warning prompt to continue or not. No other browsers exhibit this behavior.
As I suggested, all of the data should be returned at the same time, so it is processed as a singular response, not split into two.
The paypal pages reside on a secure, ssl encrypted server. The Joomla website is on an unsecured server, and that's where the response is being returned. The paypal page is encrypted, but contains a form of unencrypted POST data. This data is sent only after the user answers your security warning dialog. However, a GET response with a few data items is sent immediately when the timer fires or the link is clicked to submit the form. The GET data is sent back prematurely, before the user answers the dialog. Who cares if the GET portion is secured; I suspect that's why it is sent apart from the POST data. The form is presented below.
<form method="post" id="merchantredirectform" name="merchantredirectform" action="http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&action=paysuccess" class=""> <input type="hidden" name="mc_gross" value="19.95"> <input type="hidden" name="protection_eligibility" value="Ineligible"> <input type="hidden" name="address_status" value="confirmed"> <input type="hidden" name="item_number1" value=""> <input type="hidden" name="payer_id" value="3NX4GG3FKXTA4"> <input type="hidden" name="tax" value="0.00"> <input type="hidden" name="address_street" value="1 Main St"> <input type="hidden" name="payment_date" value="14:06:31 Feb 14, 2013 PST"> <input type="hidden" name="payment_status" value="Pending"> <input type="hidden" name="charset" value="windows-1252"> <input type="hidden" name="address_zip" value="95131"> <input type="hidden" name="mc_shipping" value="0.00"> <input type="hidden" name="mc_handling" value="0.00"> <input type="hidden" name="first_name" value="buyer"> <input type="hidden" name="mc_fee" value="0.88"> <input type="hidden" name="address_country_code" value="US"> <input type="hidden" name="address_name" value="buyer beware"> <input type="hidden" name="notify_version" value="3.7"> <input type="hidden" name="custom" value="68"> <input type="hidden" name="payer_status" value="verified"> <input type="hidden" name="business" value="testad_1345151796_biz@7639.myhost.com"> <input type="hidden" name="address_country" value="United States"> <input type="hidden" name="num_cart_items" value="1"> <input type="hidden" name="mc_handling1" value="0.00"> <input type="hidden" name="address_city" value="San Jose"> <input type="hidden" name="payer_email" value="testad_1345151513_per@7639.myhost.com"> <input type="hidden" name="verify_sign" value="AFcWxV21C7fd0v3bYYYRCpSSRl31AtHmDldhBfGwbbFzyHfoF1S0qDEI"> <input type="hidden" name="mc_shipping1" value="0.00"> <input type="hidden" name="tax1" value="0.00"> <input type="hidden" name="txn_id" 
value="9AG49331WD439184V"> <input type="hidden" name="payment_type" value="instant"> <input type="hidden" name="last_name" value="beware"> <input type="hidden" name="address_state" value="CA"> <input type="hidden" name="item_name1" value="Shaman's Joy Salve (Salve) 2 Ounce Jar"> <input type="hidden" name="receiver_email" value="testad_1345151796_biz@7639.myhost.com"> <input type="hidden" name="payment_fee" value="0.88"> <input type="hidden" name="quantity1" value="1"> <input type="hidden" name="receiver_id" value="FBL476UVL2PHL"> <input type="hidden" name="pending_reason" value="paymentreview"> <input type="hidden" name="txn_type" value="cart"> <input type="hidden" name="mc_gross_1" value="19.95"> <input type="hidden" name="mc_currency" value="USD"> <input type="hidden" name="residence_country" value="US"> <input type="hidden" name="test_ipn" value="1"> <input type="hidden" name="transaction_subject" value="68"> <input type="hidden" name="payment_gross" value="19.95">
Thanks for your order
Your payment of $19.95 USD is complete.
You're now going back to Shaman's Joy Test Store.
If you are not redirected within 10 seconds, .
<script type="text/javascript">
PAYPAL.util.Event.onDomReady( function() { setTimeout("document.forms.merchantredirectform.submit()", 4000); } );
</script>
<input name="auth" type="hidden" value="ALElRB3MXSef63k5H5CyhwKmcgkB4vzZh05er2.RxbqXO8u0k9Ws9W28oXCAuK1X4WdvMkoo-D1p3SZmozlKu6Q"> </form>
-
philipp 4 months ago hello jodyCoolness, if you suspect this is a general issue with firefox, please file a bug at bugzilla.mozilla.org. thanks!
-
jscher2000 4 months ago Hi jodyCoolness, I don't know why a GET is being sent, I can't see any reason for that.
In case one of your add-ons is interacting with the form, could you try Firefox's Safe Mode?
First, I recommend backing up your Firefox settings in case something goes wrong. See Back up and restore information in Firefox profiles. (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)
Next, restart Firefox in Firefox's Safe Mode (Troubleshoot Firefox issues using Safe Mode) using
Help > Restart with Add-ons Disabled
In the dialog, click "Start in Safe Mode."
You also could disable any uncommon add-ons here:
orange Firefox button or classic Tools menu > Add-ons > Plugins category
Any change?
-
jodyCoolness 4 months ago As suspected there is no change with add ons disabled.
I don't know what the rationale was to get rid of the option that provides control over this warning, but IMO it should not have been removed as an option.
I don't know why there are two sets of data being returned, or why a subset of the data is considered to be encrypted, which is probably the reason for the two sets of data.
I have googled this issue and see similar complaints about it for 4 years now. Isn't it about time you started listening to your users and fix this?
Firefox has been my favorite browser for many years, but I am hearing more and more feedback from experienced web developers that it is no longer a quality product, in terms of the number of bugs reported and the subsequent releases to fix them.
My post is probably the most detailed you are going to get that provides technical reasons for this aberrant behavior. It is easy enough to set up a scenario to duplicate this issue. Create a page on an unsecured server, say on blogger.com, with a link to make a payment with paypal. Set up a paypal sandbox so it doesn't cost you a thing. Paypal always uses secured URLs, even for its sandbox servers. You will see the same issue when you return from paypal as I do.
-
MonikerTaker 4 months ago I'm not very technical, but thought my answer could possibly help someone. I made sure my version of Firefox was up to date (discovered this by accident!), updated all of my Adobe Flash player settings, Adobe reader etc, and then reset my Firefox (whilst still being able to keep my bookmarks and cookies). https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems
I had this error message coming up ALL the time, even when innocently searching the web and now it's totally gone :)
P.S. I also made sure my internet security was updated.
-
jodyCoolness 4 months ago Here is the complete webpage my unsecured form appears on as generated by paypal:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html xmlns:ns1="og" lang="en" xmlns="http://www.w3.org/1999/xhtml" ns1:xmlns="http://ogp.me/ns#"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <!-- Script info: script: merchantpaymentweb, cmd: _flow, template: xpt/Checkout/wps/Redirect, date: Jan 26, 2013 12:44:22 PST; country: US, language: en_US, xslt server: web version: 98.0-5060305 branch: ed6ef1e626ad36c6a8bf098b92b642da0405faba content version: - pexml version: 98.0-5060296 page XSL: Checkout/default/en_US/wps/Redirect.xsl hostname : TF42PRssk7Fx3eD7tQWWRYmQwWSAToBWrdutKWQoJvM rlogid : N4BCjdz6QuXpNGm8sIUgsPMqxlPKr63g8%2b7s%2fgRE7NbReDSv2haEAjGU6%2fa0AFKqTDcDygGJ5%2fs%3d_13cdafc6e7c --> <title>Thanks for your order - PayPal</title><meta http-equiv="refresh" content="5;url=http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&action=paysuccess"> <!--googleoff: all--> <meta name="description" content="PayPal is the safer, easier way to pay online without revealing your credit card number."> <!--googleon: all--> <meta http-equiv="X-UA-Compatible" content="IE=9"><link media="screen" rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/css/core/xptdev.css"><link media="screen" rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/css/core/global.css"><link rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/Checkout/css/checkout.css"> <!--[if lte IE 9]><link media="screen" rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/Checkout/css/ie.css"><![endif]--> <link rel="stylesheet" type="text/css" href="https://www.sandbox.paypal.com/css/sandbox.css"><style type="text/css" id="antiClickjack">body{display:none !important;}</style><script type="text/javascript"> if (self 
=== top) { var antiClickjack = document.getElementById("antiClickjack"); antiClickjack.parentNode.removeChild(antiClickjack); } else { top.location = self.location; } </script><script type="text/javascript" src="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/js/lib/min/global.js"></script><script type="text/javascript">PAYPAL.util.lazyLoadRoot = 'https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1';</script><link rel="shortcut icon" href="https://www.sandbox.paypal.com/en_US/i/icon/pp_favicon_x.ico"><link rel="apple-touch-icon" href="https://www.sandbox.paypal.com/en_US/i/pui/apple-touch-icon.png"></head><body class="xptSandbox"><noscript><style type="text/css">body{display:block !important;}</style><p class="nonjsAlert">NOTE: Many features on the PayPal Web site require Javascript and cookies. You can enable both via your browser's preference settings.</p></noscript><div class="" id="stdpage"><div id="header"><h1 class="confidential">Shaman's Joy Test Store</h1></div><hr><div id="content"><div id="headline"><h1 class="accessAid">Thanks for your order</h1> </div><div id="messageBox"></div><div id="main"><form method="post" id="merchantredirectform" name="merchantredirectform" action="http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&action=paysuccess" class=""><input type="hidden" name="mc_gross" value="19.95"><input type="hidden" name="protection_eligibility" value="Ineligible"><input type="hidden" name="address_status" value="confirmed"><input type="hidden" name="item_number1" value=""><input type="hidden" name="payer_id" value="3NX4GG3FKXTA4"><input type="hidden" name="tax" value="0.00"><input type="hidden" name="address_street" value="1 Main St"><input type="hidden" name="payment_date" value="15:13:51 Feb 14, 2013 PST"><input type="hidden" name="payment_status" value="Pending"><input type="hidden" name="charset" value="windows-1252"><input type="hidden" name="address_zip" value="95131"><input type="hidden" 
name="mc_shipping" value="0.00"><input type="hidden" name="mc_handling" value="0.00"><input type="hidden" name="first_name" value="buyer"><input type="hidden" name="mc_fee" value="0.88"><input type="hidden" name="address_country_code" value="US"><input type="hidden" name="address_name" value="buyer beware"><input type="hidden" name="notify_version" value="3.7"><input type="hidden" name="custom" value="70"><input type="hidden" name="payer_status" value="verified"><input type="hidden" name="business" value="testad_1345151796_biz@7639.myhost.com"><input type="hidden" name="address_country" value="United States"><input type="hidden" name="num_cart_items" value="1"><input type="hidden" name="mc_handling1" value="0.00"><input type="hidden" name="address_city" value="San Jose"><input type="hidden" name="payer_email" value="testad_1345151513_per@7639.myhost.com"><input type="hidden" name="verify_sign" value="AFcWxV21C7fd0v3bYYYRCpSSRl31APWQ6iv6bpdsA3tZsF1yky.2GKww"><input type="hidden" name="mc_shipping1" value="0.00"><input type="hidden" name="tax1" value="0.00"><input type="hidden" name="txn_id" value="07U12500FA226742J"><input type="hidden" name="payment_type" value="instant"><input type="hidden" name="last_name" value="beware"><input type="hidden" name="address_state" value="CA"><input type="hidden" name="item_name1" value="Shaman's Joy Salve (Salve) 2 Ounce Jar"><input type="hidden" name="receiver_email" value="testad_1345151796_biz@7639.myhost.com"><input type="hidden" name="payment_fee" value="0.88"><input type="hidden" name="quantity1" value="1"><input type="hidden" name="receiver_id" value="FBL476UVL2PHL"><input type="hidden" name="pending_reason" value="paymentreview"><input type="hidden" name="txn_type" value="cart"><input type="hidden" name="mc_gross_1" value="19.95"><input type="hidden" name="mc_currency" value="USD"><input type="hidden" name="residence_country" value="US"><input type="hidden" name="test_ipn" value="1"><input type="hidden" 
name="transaction_subject" value="70"><input type="hidden" name="payment_gross" value="19.95"><div class="layout1"><div class="rounded maxWidth"><div class="top outer"></div><div class="body outer nobg clearfix"><div id="secureCheckout" class="lockLogo"><span class="spriteLogo paypallock" title="PayPal"></span></div><h2>Thanks for your order</h2><p>Your payment of $19.95 USD is complete.</p><p>You're now going back to <strong class="confidential">jane thompson's Test Store</strong>.</p><p> If you are not redirected within 10 seconds, <span class="buttonAsLink"><input type="submit" value="click here" id="merchantReturnLink" name="merchant_return_link" class=""></span>.</p><img src="https://altfarm.mediaplex.com/ad/bk/3484-16283-2054-9?MerchPayFlow=1&mpuid=;1P5703642H1517524;0;USD" border="0" alt=""></div><div class="bottom outer nobg"></div></div><script type="text/javascript"> PAYPAL.util.Event.onDomReady( function() { setTimeout("document.forms.merchantredirectform.submit()", 4000); } ); </script></div><input name="auth" type="hidden" value="ACEXWel5vgVCbZoy39-bRP9X4mMCB9nOxRR.MfydwvyqJtmkVy8BycPPQNLG7d0fWCqUxxHpfy-DISl-n1CUHGw"></form></div></div><div id="footerhps"><p>PayPal. 
The safer, easier way to pay.</p><p>For more information, read our <a target="_blank" href="https://www.sandbox.paypal.com/us/cgi-bin/merchantpaymentweb?cmd=p/gen/ua/ua_pop-outside&country.x=US" onClick="PAYPAL.core.openWindow(event, {width: 640, height: 300})">User Agreement</a> and <a target="_blank" href="https://www.sandbox.paypal.com/us/cgi-bin/merchantpaymentweb?cmd=p/gen/ua/policy_privacy_pop-outside&country.x=US" onClick="PAYPAL.core.openWindow(event, {width: 640, height: 300})">Privacy Policy</a>.</p><div id="footerSandbox"><div id="sandboxFooter"><div class="nav-footer"></div><div id="testsite"><h1>Test Site</h1></div></div></div></div></div><script type="text/javascript" src="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/js/lib/min/widgets.js"></script> <!-- SiteCatalyst Code Copyright 1997-2005 Omniture, Inc. More info available at http://www.omniture.com --> <script type="text/javascript" src="https://www.sandbox.paypal.com/MERCHANTPAYMENTWEB-640-20130128-1/js/site_catalyst/pp_jscode_paypalsandboxdev.js"></script> <script type="text/javascript"> s.prop1="xpt/Checkout/wps/Redirect"; s.prop6="6F794158BL866512E"; s.prop7="personal"; s.prop8="verified"; s.prop9="unrestricted"; s.prop10="US"; s.prop20="1360883642"; s.prop35="in"; s.prop40="ea67dd56d0814"; s.prop50="en_US"; s.prop74="70"; s.eVar5="US"; s.eVar7="personal:verified:unrestricted"; s.eVar19="personal"; s.eVar28="tnc-0-wps-groupzero"; s.eVar31="xpt/Checkout/wps/Redirect::_flow"; s.eVar50="N4BCjdz6QuXpNGm8sIUgsPMqxlPKr63g8%2b7s%2fgRE7NbReDSv2haEAjGU6%2fa0AFKqTDcDygGJ5%2fs%3d_13cdafc6e7c"; s.pageName="xpt/Checkout/wps/Redirect::_flow"; s.prop56="no"; s.prop18=""; s.prop5="1P5703642H1517524"; s.prop16=""; s.prop34="PayPalCredit:Servicing:CO:NoTransactions"; </script> <script type="text/javascript"><!-- /************* DO NOT ALTER ANYTHING BELOW THIS LINE ! 
**************/ function scOnload(){var s_code=s.t();if(s_code)document.write(s_code);} if(window.addEventListener){ window.addEventListener('load',scOnload,false); }else if(window.attachEvent){ window.attachEvent('onload', scOnload); }; if(navigator.appVersion.indexOf('MSIE')>=0)document.write(unescape('%3C')+'\!-'+'-') //--> </script><noscript><img src="//paypal.112.2O7.net/b/ss/paypalsandboxdev/1/H.6--NS/0?pageName=NonJavaScript" height="1" width="1" border="0" alt="" /></noscript> <!--/DO NOT REMOVE/--> <!-- End SiteCatalyst Code --> </body></html>
-
jscher2000 4 months ago Hi jodyCoolness, thank you for the expanded source. There is a meta refresh back to your site (without parameters) after 5 seconds, while a script is designed to submit the form 4 seconds after the DOM of the page is complete.
<meta content="5;url=http://7639.myhost.com/staging/shamansjoy/index.php?option=com_caddy&action=paysuccess" http-equiv="refresh">
<script type="text/javascript"> PAYPAL.util.Event.onDomReady( function() { setTimeout("document.forms.merchantredirectform.submit()", 4000); } ); </script>
If there were no warning, the refresh would never run because the post will preempt the refresh. But there's no way as the website to prevent the warning from displaying.
I can't think of a good reason for the meta refresh to be in there -- if you want the form to submit in order to display all the data to the customer. There is a <noscript> blocktext informing the user to submit the form manually if scripting is disabled. Is there a way to get the meta refresh removed?
-
jodyCoolness 4 months ago I seriously doubt I could persuade paypal to change anything. Your analysis is appreciated, but I distinctly see your position as biased against a mozilla solution, at least you haven't offered significant discussion concerning the split as I call it.
The paypal page is a single page. You may be right about how paypal has structured the page (I think the meta refresh tag is redundant and insignificant and as you point out will not fire), but I don't see a problem with the way other browsers process the response; it's always received as singular and monolithic.
I haven't looked into the bowels of the Joomla CMS request dispatch code, so I am not certain why responses from mozilla and safari for example, differ in how Joomla processes them.
-
jscher2000 4 months ago Hi jodyCoolness, my goal here on the support forum is to look for immediate solutions or workarounds, and it sounds as though you're stuck with PayPal's page as is.
It's possible this problem is a side effect of changes made in recent years to the way dialogs work. ??
I don't know whether Firefox should always delay or disregard a scheduled refresh or other navigation if it is waiting for user input on a dialog such as the OK/Cancel for an insecure form submission. It's hard to think of the scenarios where that might come up.
You probably should go ahead and file a bug for this in Bugzilla. I haven't searched to see whether anyone has filed it before.
-
jodyCoolness 4 months ago OK, I'll see if I can distill this conversation down and do that.
Thanks for your effort in trying to understand the problem.
-
jscher2000 4 months ago In searching further about this, some users have zeroed in on how the return to your site is configured. Based on what I have read, the secure-to-insecure warning arises when you have set one of the HTML variables (rm, for Return Method) to get the payment variables returned to your site using a POST. It apparently does not arise if you have rm set to use a GET.
Since you want the payment variables, you probably have this in your form that submits the transaction to PayPal:
<input type="hidden" name="rm" value="2">
I still don't understand why the PayPal page includes both the POST form described in the documentation AND the 5-second meta refresh that ends up kicking in before you can OK the dialog. I find it hard to believe that was intentional; maybe there's a bug in the sandbox?
For reference, PayPal describes the three options for rm as follows:
0 - "all shopping cart payments use the GET method" (default)
1 - "the buyer's browser is redirected to the return URL by using the GET method, but no payment variables are included"
2 - "the buyer's browser is redirected to the return URL by using the POST method, and all payment variables are included"
Auto-return seems to always use a GET, so people reporting that this has solved the problem must not miss getting the variables.
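-
The conditions discussed in this thread (http:// subresources on an https:// page, a return form that POSTs to an http:// action, and a timed meta refresh to the same URL racing the scripted submit) can be checked on a saved copy of a page. This is an added example, not part of any post and not PayPal's or Mozilla's code; the host names, page URL and sample HTML are constructed, and `audit_return_page` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute causes the browser to fetch a subresource.
SUBRESOURCE_ATTR = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
# Heuristic: a scripted form submit scheduled with setTimeout(..., <ms>).
SUBMIT_TIMER = re.compile(r"setTimeout\(.*?submit\(\).*?,\s*(\d+)\s*\)", re.S)
META_REFRESH = re.compile(r"\s*(\d+(?:\.\d+)?)\s*[;,]\s*url\s*=\s*['\"]?([^'\"]+)", re.I)


class ReturnPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []       # (kind, absolute_url) in document order
        self.post_targets = []   # http:// actions of POST forms
        self.refresh = None      # (delay_seconds, http:// url)
        self.submit_ms = None    # delay of the scripted submit, if found
        self._in_script = False

    def _http_target(self, raw):
        """Resolve raw against the page URL; return it only if it ends up plain http."""
        absolute = urljoin(self.page_url, raw.strip())
        return absolute if urlsplit(absolute).scheme == "http" else None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in SUBRESOURCE_ATTR:
            url = self._http_target(a.get(SUBRESOURCE_ATTR[tag], ""))
            if url:
                self.findings.append(("mixed-content", url))
        elif tag == "form":
            url = self._http_target(a.get("action", ""))
            if url:
                method = a.get("method", "get").lower()
                self.findings.append((f"insecure-form-{method}", url))
                if method == "post":
                    self.post_targets.append(url)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content", ""))
            url = self._http_target(m.group(2)) if m else None
            if url:
                self.refresh = (float(m.group(1)), url)
                self.findings.append(("insecure-meta-refresh", url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        m = SUBMIT_TIMER.search(data) if self._in_script else None
        if m:
            self.submit_ms = int(m.group(1))


def audit_return_page(page_url, html):
    p = ReturnPageAudit(page_url)
    p.feed(html)
    p.close()
    # The case analysed in the thread: the POST waits on the warning dialog
    # while a refresh to the same URL fires as a GET without the form data.
    race = p.refresh is not None and p.refresh[1] in p.post_targets
    margin = None
    if race and p.submit_ms is not None:
        # Approximate: the two timers start at slightly different page events.
        margin = p.refresh[0] - p.submit_ms / 1000
    return {"findings": p.findings, "refresh_preempts_post": race,
            "seconds_to_answer_dialog": margin}


# Constructed sample modelled on the structure described in the thread.
SAMPLE_URL = "https://payments.example/return"
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="5;url=http://shop.example/index.php?action=paysuccess">
<link rel="stylesheet" href="https://payments.example/css/core.css">
</head><body>
<form method="post" name="merchantredirectform" action="http://shop.example/index.php?action=paysuccess">
<input type="hidden" name="txn_id" value="CONSTRUCTED-TXN">
<input type="submit" value="click here">
</form>
<img src="http://img.example/thumb.jpg" alt="">
<img src="//cdn.example/pixel.gif" alt="">
<script type="text/javascript">
setTimeout("document.forms.merchantredirectform.submit()", 4000);
</script>
</body></html>"""

if __name__ == "__main__":
    print(audit_return_page(SAMPLE_URL, SAMPLE_HTML))
```

Serving the return URL over https removes all three findings, since the form action and the refresh target then stay on a secure connection.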