
Bad HTTP requests with HTTPS (Chrome "Mixed Content" and "Refused to execute" warnings and errors)

Chrome folks are insistent (and I agree) on the discouraged ability to load insecure content origins from securely loaded pages. For a while, it only affected two of us as we are the only people running the canary channel. Now it appears to be affecting our entire game team.

There are multiple reports in the console log about refusing to execute inline JavaScript. Additionally, pictures are taking a long time to load (thumb.png and more) for both art icons, and icons on the map. Per the console log, it looks like the reason the initial load failed is mixed content.

Our game tonight was filled with small delays experienced by all of us, who are in multiple locations around the US. My players reported delays on dice rolls (the audio happened several seconds before the images of rolling dice appeared) and image loads. I also experienced them. My players were also complaining of the inability to get journals to show up. I had mine all up already before the game and I'd loaded them after clicking and stepping away for a bit so I didn't see any delay. I wasn't willing to close and test reloading during the game session.

I've wandered through the forum posts and seen reports including messages like this spanning multiple years. I'd like to kindly ask Roll20 to please convert all requests to pure HTTPS and fix any CORS/CSP violations. Eventually, the warnings in canary will turn to errors and insecure content won't be permitted at all. We no longer have a shield to permit insecure loading of content and advanced users will likely lose the ability to toggle flags to permit this as well. Mozilla tends to take a strong security position as well and I expect them to follow suit if they aren't ahead of Chrome already.
1495472615
Lithl
Pro
Sheet Author
API Scripter
Many assets (secure or not) are already being piped through a Roll20-controlled secure proxy. We just need the rest of them to be piped through, too.
We've got a long-term plan in place to move completely to HTTPS and it's in the works currently.
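
As an added illustration (not part of the thread and not Roll20's code), this Node.js sketch audits markup from an HTTPS page for the mixed content described in the original post, separating loads that browsers only warn about or upgrade from loads they refuse. The `example.test` hostnames and sample markup are constructed, and `auditMixedContent` and `attr` are hypothetical names.

```javascript
// Added example. Tag -> attribute that triggers a subresource fetch.
const FETCH_ATTR = new Map(Object.entries({
  script: "src", iframe: "src", embed: "src", object: "data",
  link: "href", img: "src", audio: "src", video: "src",
}));
// Images and media are only warned about or auto-upgraded ("optionally
// blockable"); everything else is refused outright ("blockable").
const OPTIONALLY_BLOCKABLE = new Set(["img", "audio", "video"]);

// Read one attribute (quoted or unquoted) from a tag's raw attribute text.
function attr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function auditMixedContent(pageUrl, html) {
  // Mixed content only exists on a securely loaded page.
  if (new URL(pageUrl).protocol !== "https:") return [];
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tag = rawTag.toLowerCase();
    if (!FETCH_ATTR.has(tag)) continue;
    // <link> fetches a subresource only for stylesheets, not rel=canonical etc.
    if (tag === "link" && !/\bstylesheet\b/i.test(attr(attrs, "rel") ?? "")) continue;
    const raw = attr(attrs, FETCH_ATTR.get(tag));
    if (raw === null) continue;
    let resolved;
    try { resolved = new URL(raw, pageUrl); } catch { continue; }
    // Relative and protocol-relative URLs inherit https: and are fine.
    if (resolved.protocol !== "http:") continue;
    const category = OPTIONALLY_BLOCKABLE.has(tag) ? "optionally-blockable" : "blockable";
    findings.push({ tag, url: resolved.href, category });
  }
  return findings;
}

// Constructed sample markup; example.test hosts are placeholders.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://cdn.example.test/app.css">
<script src="http://cdn.example.test/dice.js"></script>
<img src="http://images.example.test/thumb.png">
<img src="//images.example.test/token.png">
<img data-src="http://images.example.test/lazy.png" src="/static/blank.png">
<a href="http://example.test/wiki">wiki</a>`;
console.table(auditMixedContent("https://app.example.test/editor/", SAMPLE_HTML));
```

The tag scan does not cover `srcset`, CSS `url()` references or requests made from script.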