
Support Forum

script won't run in firefox but does in IE, chrome and safari


i have a landing page with a web form script, www.wholewoman.com/newpages/landing/helpforcystocele.html. the script does not show up in firefox. further, none of our videos (served from kaltura (CDN) show up in firefox. nor does the registration script for our drupal forum. the good news is there are a lot of firefox users in the world. the bad news is that none of them can opt into my list, watch my videos or register for my forum. help!



Additional System Details

Installed Plug-ins

  • Shockwave Flash 11.8 r800
  • Displays Java applet content, or a placeholder if Java is not installed.
  • Plugin that detects installed Citrix Online products (visit www.citrixonline.com).
  • WebEx64 General Plugin Container Version 203
  • The Flip4Mac WMV Plugin allows you to view Windows Media content using QuickTime.
  • The Google Earth Plugin allows you to view 3D imagery and terrain in your web browser.
  • LogMeIn remote control components
  • Office Live Update v1.0
  • iPhoto6

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:11.0) Gecko/20100101 Firefox/11.0


cor-el
  • Top 10 Contributor
  • Moderator
17528 solutions 158483 answers

Which script are you referring to?

I notice that one of the scripts is sent as text/html:

  • https://wholewoman.infusionsoft.com/app/form/iframe/da49db6629f57f3996bddf2b531f03ca

Question owner

that is the webform which is served by infusionsoft. for some reason, it doesn't show up in firefox although other browsers display it fine. any thoughts or suggestions would be most appreciated!

jscher2000
  • Top 10 Contributor
8758 solutions 71665 answers

The Error Console has this curious message:

CSP WARN:  Directive default-src http://wholewoman.com:80 violated by https://wholewoman.infusionsoft.com/app/form/iframe/da49db6629f57f3996bddf2b531f03ca

When I look at the HTTP headers for your page, it has this custom header (see attached):

x-content-security-policy:allow 'self';

Firefox apparently interprets this to block the script from the infusionsoft.com URL.

I'm not sure how that header is being added. It could be part of a set of protections against cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks in your server control panel or CMS or in a plugin.
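
Added example, not part of the original thread: a simplified JavaScript matcher for CSP source expressions, showing why a policy of 'self' on http://wholewoman.com:80 rejects the infusionsoft form URL and how naming that one origin admits it while the policy stays in place. The NARROWED policy string, the example.net URL and the function names are assumptions made for illustration; real browsers implement more of the matching rules than this does.

```javascript
// Simplified CSP source matching: no paths, nonces, hashes or keywords beyond 'self'/'none'.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Reduce a URL to the (scheme, host, port) triple CSP compares.
function origin(url) {
  const u = new URL(url);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || "" };
}

// "name src src; name src" -> Map(name -> [sources])
function parsePolicy(policy) {
  const map = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) map.set(name.toLowerCase(), sources);
  }
  return map;
}

function sourceMatches(source, res, page) {
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") {
    return res.scheme === page.scheme && res.host === page.host && res.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return res.scheme === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // unsupported expression: fail closed
  const [, scheme, wildcard, host, port] = m;
  // Simplification: a source without a scheme is held to the page's scheme.
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : page.scheme;
  if (res.scheme !== wantScheme) return false;
  const h = host.toLowerCase();
  if (wildcard ? !res.host.endsWith("." + h) : res.host !== h) return false;
  const wantPort = port || DEFAULT_PORT[wantScheme];
  return wantPort === "*" || res.port === wantPort;
}

// A fetch type falls back to default-src when its own directive is absent.
function allows(policy, directive, resourceUrl, pageUrl) {
  const map = parsePolicy(policy);
  const sources = map.get(directive) || map.get("default-src");
  if (!sources) return true; // nothing in the policy restricts this fetch type
  const res = origin(resourceUrl), page = origin(pageUrl);
  return sources.some((s) => sourceMatches(s, res, page));
}

const PAGE = "http://wholewoman.com:80/newpages/landing/helpforcystocele.html";
const FORM = "https://wholewoman.infusionsoft.com/app/form/iframe/da49db6629f57f3996bddf2b531f03ca";
// Firefox reported the legacy "allow 'self'" header as default-src for the page's own origin.
const AS_SERVED = "default-src 'self'";
// Assumed replacement policy (not from the thread): keep 'self', add the one form origin.
const NARROWED = "default-src 'self'; script-src 'self' https://wholewoman.infusionsoft.com; " +
  "frame-src https://wholewoman.infusionsoft.com";

function report() {
  return {
    asServed: allows(AS_SERVED, "script-src", FORM, PAGE),       // blocked, as in the console
    narrowedForm: allows(NARROWED, "script-src", FORM, PAGE),    // form origin admitted
    narrowedOther: allows(NARROWED, "script-src", "https://cdn.example.net/x.js", PAGE), // constructed URL
  };
}
console.log(report());
```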


Question owner

great...thanks. i've gone to the mozilla developer network and they have a good breakdown on how to configure the content security policy, but they don't tell you where to put in the code. is this something that goes into each web page or through preferences? i don't know how to change what shows up in the http headers, but at least we appear to be on the right track. i've spoken to my host tech support and it doesn't appear to be a server issue and based on the developers network, it appears to be a firefox policy. i just don't know where to go to change it. thoughts?

jscher2000
  • Top 10 Contributor
8758 solutions 71665 answers

Chosen Solution

With a .html page, it's impossible to include HTTP headers in the page. It would have to be in a configuration file external to the page (unless you have a very unusual configuration on your server).

On an Apache server, headers sometimes are set in a .htaccess file in the root of your site. If you are viewing the site in an FTP program or extension, make sure hidden files are displayed.

cor-el
  • Top 10 Contributor
  • Moderator
17528 solutions 158483 answers

Note that Firefox has a pref (security.csp.enable) to disable CSP.


Question owner

i found the content security policy line in the root .htaccess file and commented it out and voila! thanks so much for your help.

softcorner 0 solutions 5 answers

Same issue here. Can you indicate which line in .htaccess needs to be commented?

jscher2000
  • Top 10 Contributor
8758 solutions 71665 answers

Hi softcorner, do you see any lines that mention this header:

X-Content-Security-Policy
cor-el
  • Top 10 Contributor
  • Moderator
17528 solutions 158483 answers

Note that current Firefox versions use "Content-Security-Policy" ("Content-Security-Policy" is the official W3C defined header)

  • http://www.w3.org/TR/CSP/

Note that the old headers with the "X-" prefix are still supported, but this may change.

  • http://mxr.mozilla.org/mozilla-release/source/content/base/src/nsDocument.cpp#2497

Modified by cor-el

softcorner 0 solutions 5 answers

Nop. My facebook page worked fine before firefox update and it is still working fine in IE.

https://www.facebook.com/TaxEaglesLLC/app_190322544333196

When I disabled CSP from my firefox (using about:config) then I can again see it on firefox. But all other general users who don't know how to disable this stupid update will NEVER see the content in firefox (this is one of my clients website).

I think firefox needs to disable this option by default.

I see that someone has solved it by adjusting .htaccess but don't know how.

cor-el
  • Top 10 Contributor
  • Moderator
17528 solutions 158483 answers

There is also mixed content on the page that is blocked by Firefox and a shield icon is displayed.

Red bar in the Web Console (Firefox/Tools > Web Developer;Ctrl+Shift+K):

Loading mixed (insecure) active content on a secure page "http://www.taxeagles.com/component/content/article/2-uncategorised/uncategorised/21-specialoffer?tmpl=component&print=1&page="[Learn More]
GET http://www.youtube.com/embed/Hh1aGhDpd-k [Mixed Content]

  • https://www.facebook.com/TaxEaglesLLC/app_190322544333196
softcorner 0 solutions 5 answers

OK then what? It worked fine before the update!!! I don't want to buy an SSL for the website at an extra cost as it is not needed. This script placed on facebook page worked fine before the update. Please if you know the answer how to make this page available to all firefox users then reply. I don't have time to read more as I have done that already. If no solution then we have to make sure we place a warning on our website that "use IE if you want to see our facebook page and get special offers". That will be the start of FF death!!! if more people start doing that.

jscher2000
  • Top 10 Contributor
8758 solutions 71665 answers

Whoops, you guys got way ahead of me.

Hi softcorner, when I visit that URL I get active mixed content blocked. This is caused by framing HTTP content on HTTPS pages. It is completely unrelated to site policy headers and is a default rule of Firefox applicable to all sites. You need to serve HTTPS to avoid this problem.


Modified by jscher2000

softcorner 0 solutions 5 answers

jscher2000 please do not send me recycled info. I KNOW that. This SAME page worked fine in older FF and STILL working in IE and other browsers. You are not providing any solution and keep repeating the same info that is known. Let me be specific:

"Is there a .htaccess solution as mentioned by lannygoodmann who seems to have fixed the problem using .htaccess fix w/o serving SSL?"

If you know the answer please reply.

Thanks

jscher2000
  • Top 10 Contributor
8758 solutions 71665 answers

Hi softcorner, will it be the death of Google Chrome, too? (see attached)

But seriously, mixed content protection is live now for the majority of users, and using SSL is part of Facebook's guidelines for embedded apps.

If you don't want to use SSL on your site, maybe you can add a link near the top of your FB page that says something like "If you have trouble viewing this page on Facebook, view it on our site."


Modified by jscher2000

jscher2000
  • Top 10 Contributor
8758 solutions 71665 answers

Hi softcorner, as I stated, the earlier posts in this thread have NOTHING TO DO with your issue.

softcorner 0 solutions 5 answers

O well then the old days of using facebook for marketing are gone seems like! Our clients who want to use facebook and similar social media are poor and can't afford ssl buying every year. I think this CSP option should be set to disabled as default with warnings, at least during transition period.

Thanks for your input.


Modified by softcorner

cor-el
  • Top 10 Contributor
  • Moderator
17528 solutions 158483 answers

As posted already, your problem has nothing to do with CSP, but with blocking active mixed content.

You can see that there is a shield icon on the left end of the location bar before the "Site Identity Button" (globe/padlock) on the location bar indicating that mixed content is blocked.

  • https://support.mozilla.org/kb/how-does-content-isnt-secure-affect-my-safety
  • https://developer.mozilla.org/Security/MixedContent

This extension can allow such active mixed content by toggling the security.mixed_content.block_active_content pref.
Note that this is a pref that works globally.

  • https://addons.mozilla.org/firefox/addon/toggle-mixed-active-content/