Magento – Magento Admin panel will not fully load Edit Categories due to AJAX call to a non secure endpoint

adminhttpssecureurl

We have a Magento site that was copied over from an existing Magento site we have, so all products, setting, etc are simply copied to a new domain.

This was done months ago but I am just now trying to use the site. Frontend of site seems to be working great.

Admin panel, in the edit categories page, it keeps "Loading"

I look at the Browser COnsole on this page instantly see this problem….

Mixed Content: The page at  
'https://www.domain.com/index.php/admin/catalog_category/index/key/7ac5ce7838cd82114132424faf2b5656/'  
was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint  
'http://www.domain.com/index.php/admin/catalog_category/edit/key/40eeadefd754406a47f2993be70c4472/?isAjax=true'.  
This request has been blocked; the content must be served over HTTPS.

So it appears this page is making an AJAX call to http://www.domain.com/index.php/admin/catalog_category/edit/key/40eeadefd754406a47f2993be70c4472/?isAjax=true notice the http instead of https

I think fixing this will fix our issues.

In admin config I saw this setting: Use Secure URLs in Admin was set to No so I changed it to yes but no luck on the error going away just yet.

Any ideas how to resolve this please?

UPDATE

It seems my Admin setting for “Use Secure URLs in Adminis not saving! So changing it;s value toyesis not saving and end up staying asno` so it seems we have more issues. The solution to the admin setting saving could fix the other issue.

Any ideas here?

Best Answer

I got it fixed now, i'll explain the process below...

My admin panel was loading through HTTPS URL's due to our server configuration. However in the Magento Admin panel this option

Config > General > Web Use Secure URLs in Admin was set to NO

enter image description here

I knew changing this to Yes would probably fix all our admin panel issues. However changing it to yes and hitting Save Config would submit and show a message indicating it had save the config. However the value for that option above still showed up as No!

So in Chrome Developer Tools, I viewed the source of the webpage and found the <form> that was on the options page.

enter image description here

After changing the Form URL to https in the DOM, I then changed the option to a yes value again and hit Save Config. This time since it made my POST to the correct https URL, it actually made the save and updated the value!

With that updated, all my admin problems are resolved!

Related Solutions

Magento – How to make https URL to http

There is a function just for that, called shouldUrlBeSecure located in app/code/core/Mage/Core/Model/Config.php on line 1477.

Here is the complete function:

/**
 * Check whether given path should be secure according to configuration security requirements for URL
 * "Secure" should not be confused with https protocol, it is about web/secure/*_url settings usage only
 *
 * @param string $url
 * @return bool
 */
public function shouldUrlBeSecure($url)
{
    if (!Mage::getStoreConfigFlag(Mage_Core_Model_Store::XML_PATH_SECURE_IN_FRONTEND)) {
        return false;
    }

    if (!isset($this->_secureUrlCache[$url])) {
        $this->_secureUrlCache[$url] = false;
        $secureUrls = $this->getNode('frontend/secure_url');
        foreach ($secureUrls->children() as $match) {
            if (strpos($url, (string)$match) === 0) {
                $this->_secureUrlCache[$url] = true;
                break;
            }
        }
    }

    return $this->_secureUrlCache[$url];
}

To see which URLs should be secure you can add a simple Mage::log($secureUrls) inside the if statement. This is what my log entry looked like:

2014-02-12T11:55:26+00:00 DEBUG (7): Mage_Core_Model_Config_Element Object
(
    [install] => /install/wizard/checkSecureHost
    [customer] => /customer/
    [sales] => /sales/
    [authorizenet_paygate] => /paygate/authorizenet_payment
    [checkout_onepage] => /checkout/onepage
    [checkout_multishipping] => /checkout/multishipping
    [paypal_express] => /paypal/express
    [paypal_standard] => /paypal/standard
    [paypal_express_callbackshippingoptions] => paypal/express/callbackshippingoptions
    [googlecheckout_redirect] => /googlecheckout/redirect/
    [googlecheckout_beacon] => /googlecheckout/api/beacon/
    [googlecheckout_api] => /googlecheckout/api/
    [review_customer] => /review/customer/
    [tag_customer] => /tag/customer/
    [wishlist] => /wishlist/
    [paypaluk_express] => /paypaluk/express
    [rss_catalog_review] => /rss/catalog/review
    [rss_order_new] => /rss/order/new
    [rss_catalog_notifystock] => /rss/catalog/notifystock
    [centinel] => /centinel/
    [newsletter_manage] => /newsletter/manage/
    [downloadable] => /downloadable/customer/
    [downloadable_download] => /downloadable/download/
    [ogone_api] => /ogone/api
    [persistent_onepage_register] => /persistent/index/saveMethod
    [checkout_cart] => /checkout/cart
    [storecredit_info] => /storecredit/info/
    [giftcard_customer] => /giftcard/customer/
    [enterprise_pbridge_pbridge] => /enterprise_pbridge/pbridge/
    [invitation] => /invitation/
)

Now to figure out how Magento switches HTTP to HTTPS I think you would most likely have dive into the Zend framework in the lib inside lib/Zend/Http/* because it contains files of most interest. Well, anyway hope this helped. Good luck!

Magento Admin – Is Adding Secret Key to URLs Necessary?

This option is necessary to prevent against CSRF attacks:

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

There is no speed benefit to disabling this option and it opens your store up to potential attack. I recommend to leave this option enabled.

Sources:

_{http://en.wikipedia.org/wiki/Cross-site_request_forgery}

Best Answer

Related Solutions

Magento – How to make https URL to http

Magento Admin – Is Adding Secret Key to URLs Necessary?

Related Topic