• Welcome to Overclockers Forums! Join us to reply in threads, receive reduced ads, and to customize your site experience!

Embedded images not showing up in Google Chrome 83 and later

Overclockers is supported by our readers. When you click a link to make a purchase, we may earn a commission. Learn More.

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
I suspect that the cause of some embedded images not showing up in Google Chrome, but showing up in other browsers is that Google Chrome said they will gradually block all 'mixed content downloads'
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html

So I tested this to find out that Chrome versions before Chrome 83 will display embedded images (hosted on servers I am using) - but all versions 83 and later will not.


Is the host server setting to blame for this, and if so what setting should be changed on the host server?

Testing on ocforums with an example:
StarSwans.gif


Yup, the above example does not show up in latest Chrome on my PC. But does show up in Firefox, etc.
 
Last edited:

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
So it appears that now you have to buy an SSL Certificate to hotlink using htpps otherwise modern browsers will not display your picture?
If you only want to do this for a few images then where is the best place to get an inexpensive SSL certificate?
 

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
Thank you, yes, I just got a host server tech support reply.

So first of all, you must have an SSL certificate nowadays, your images either do not display or visitors are spooked with scary messages about the dangerous page they are on because you don't have an SSL certificate. Second these go into hundreds of dollars and then some web pages offer them for a few dollars, making you think about what the difference is between $5 and $25 and $495, depending on where your search for SSL lands you.

I did my research and opted for a reputable free host ATSPACE
So here's one thing people find out the hard way:
These are actually 100% free for hosting your own web site - but you cannot HOTLINK for free.
Free hotlinking is not guaranteed, so do your search for HOTLINKING whoever is reading this. Hotlinking is when you insert your image from your server, your domain, on another web site, not your own domain, in other words.

I opted for ATSPACE intro offer of 90 cents a year to be able to hotlink, then turned off auto-renew which in a year would be much more.

Then I was really puzzled why I couldn't get answers on why my hotlinked images are only showing on older Chrome browsers or non-Chrome browsers.

Then I found out you MUST have an SSL certificate for your images to show up in Google Chrome.


Then FINALLY,
ATSPACE told me just now:



We are happy to say that our Control Panel now supports the automated installation of free SSL certificates provided by Let's Encrypt.

Before you begin this process, please make sure that your domain name is fully hosted on our platform. In other words, your domain name must be configured to use our NS (nameserver) records. If you are not sure whether your domain name is using our nameserver records, let us know and we will verify this for you.

Once you are certain that your domain name is fully hosted with us, please follow the steps below:

1. Go to the SSL Manager section of our Control Panel.
2. Click on the domain name that you would like to secure. Note: it is highly recommended that you choose the "non-www" version of your domain name.
3. Open the Upload Your Certificate tab.
4. Scroll past the three SSL input fields and press the Create Free Certificate button.
5. After the page finishes loading, your certificate should be installed! Please allow an hour or so for the Let's Encrypt SSL to come into effect.

Lastly, now that your SSL certificate is installed, you may wish to force a secure HTTPS connection, even if your visitors do not ask for one. This is done differently depending on the web software that you are using. Our recommendation is to do some research and see how you can force HTTPS connections on your CMS. If you require assistance is setting up your CMS to use the Let's Encrypt certificate, please let us know.





SO MAKE SURE your "Free" Hosting offers a free SSL certificate!!
 
Last edited:

Automata

Destroyer of Empires and Use
Joined
May 15, 2006
So it appears that now you have to buy an SSL Certificate to hotlink using htpps otherwise modern browsers will not display your picture?
If you only want to do this for a few images then where is the best place to get an inexpensive SSL certificate?

Second these go into hundreds of dollars and then some web pages offer them for a few dollars, making you think about what the difference is between $5 and $25 and $495, depending on where your search for SSL lands you.
Let's Encrypt is a well known and trusted non-profit that provides SSL certificates for free. They even have scripts to automatically refresh when they are about to expire.

I use Let's Encrypt certs on my website. It costs me nothing, and I don't have to worry about renewing them.
 

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
thideras, can SSL certificates be applied with your registrar where you registered your domain name so that you can host that domain name anywhere... or is this strictly a host server thing where every host server has to have your SSL applied...

Related question, if I get this free SSL though ATSPACE, can I take it with me to another free host server?

Or is that only possible if you yourself pay for the SSL and then you can move it to different servers?
 

Automata

Destroyer of Empires and Use
Joined
May 15, 2006
The SSL cert can be from anywhere. It has nothing to do with your DNS registrar (although, some registrars will sell certs). Whether or not the cert is portable depends on the issuer. As long as they don't revoke the certificate and you have a copy of it, you can move to a different host. If I switched my personal website from Amazon Lightsail to another service, I can move my Let's Encrypt cert.

Certificates are (generally) issued to domains or subdomains, such as "overclockers.com". Any server -- which can be multiple when you have load balancing -- claiming to be "overclockers.com" has to present a valid certificate for the domain, which your browser validates.

For private use, there is no need to pay for a cert when Let's Encrypt exists.
 

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
Interestingly, the image form post#1 of this thread now appears in latest Chrome.

I did not change the link from http to https - all I did was install the SSL certificate on the free host server.

Therefore in 2020, you *must* install an SSL Certificate where your files are hosted or else they will not show up in all browsers.
 

Automata

Destroyer of Empires and Use
Joined
May 15, 2006
Interestingly, the image form post#1 of this thread now appears in latest Chrome.

I did not change the link from http to https - all I did was install the SSL certificate on the free host server.

Therefore in 2020, you *must* install an SSL Certificate where your files are hosted or else they will not show up in all browsers.
According to this article, Chrome will block requests over http (if the connection can't be upgraded) on a https page starting with version 84. Sounds like they released it in an earlier version.

Mixing secure and insecure requests on the same page is called "mixed content". Websites can use a Content Security Policy (CSP) to specify how content should be loaded. For example, a website can request the browser upgrade any http requests to https if available ("upgrade insecure requests"), or block them entirely ("block all mixed content"). The browser also has its own settings, which you can specify. Addons/extensions can also modify the behavior. For example, I use HTTPS Everywhere to force https connections where possible.

Your image in the first post is being upgraded by Chrome to https automatically, which is why you didn't have to change the link after installing your cert. You can see this in the developer window. I usually browse OCF from Firefox, and the image was working for me, even before you installed the cert. Before you installed the cert, Chrome tried to upgrade the connection to https, it failed, so it refused to load the image.

Chrome 86:
chrome.png

Firefox 81:
firefox.png
 

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
Yes, I posted that on various forums over the past few months, from my notes:

Chrome 80 is the last version to support FTP.
Customers can re-enable FTP support in Chrome 81 using the --enable-ftp command line flag or by enabling the FtpProtocol feature via the --enable-features=FtpProtocol flag. (For the latter, type chrome://flags in the address bar, press Enter or Return, then search for "Enable support for FTP URLs" and change the option at the right to "Enabled.")

Chrome 82 will warn users when downloading certain file types from HTTP instead of HTTPS. EDIT: Chrome 82 was skipped and never officially released due to COVID-19 Pandemic.

Chrome 83 will block downloading .exe files, .apk files, etc.
Chrome 84 will block downloading .zip files, .iso files, etc.
Chrome 85 will block downloading .pdf files, .docx files, etc.
Chrome 86 will block downloading .png files, .mp3 files, etc.
[By Chrome 86, the browser will be blocking all mixed-content downloads - coming from HTTP instead of HTTPS.]



I horded all the installation files of these versions, and .apk files for Android, in anticipation of this, since Google does not let you have old versions of Chrome.
.apk file archives however will not install on my Galaxy S8, like they used to -- they are just going out of their way to prevent people from installing old versions.
Other .apk files can be installed but Google Chrome apks cannot.



So.... what constitutes backing up your SSL certificate.
Are these only valid for one year?
Say I want to take the one I have now from this host server provider, how do I take the SSL to another host provider, in theory?
 

Automata

Destroyer of Empires and Use
Joined
May 15, 2006
So.... what constitutes backing up your SSL certificate.
Say I want to take the one I have now from this host server provider, how do I take the SSL to another host provider, in theory?
There is a certificate file, and there are different formats. Moving it to another server depends on how it is stored, and what operating system it is. For example, in Windows, when you install a certificate (unless you manually specify during installation of the cert, which you should not do), you cannot export it. However, if you have the original file, you can install it on any computer you want.

Are these only valid for one year?
Certificates are valid until their expiration date, which is arbitrarily set by the certificate authority who created them. Let's Encrypt certs expire after 90 days, but it auto renews. I'd guess most certificate authorities do them in years for convenience, yes.
 

c627627

c(π*199780) Senior Member
Joined
Feb 18, 2002
I see. So since the certificate was "provided by" the hosting company (being the intermediary) between "Let's Encrypt" and end user, I assume that this effectively means this is non-nontransferable, especially since no files were used, just a single click on the Control Panel of the hosting company's site.

Thank you kindly again.
 

Automata

Destroyer of Empires and Use
Joined
May 15, 2006
Yes, if they installed it for you, you probably won't be able to easily transfer it. However, Let's Encrypt is free, so I don't see why it is a concern.