Browser warning when loading http pages in BlueConic

First and foremost, we recommend using BlueConic in Chrome or Firefox for embedding purposes. Please read on for loading assistance!

Browser warning 

When you open a website within BlueConic (e.g. in the dialogues editor), your browser may show a security warning. In most cases BlueConic will detect this and instruct you to allow the viewing of mixed content.

In Chrome and Firefox look for a shield in your browser's address bar and click "load script." For more detailed instructions on various browsers, please see "How do I allow my browser to accept mixed content" below.

 

 

When does this warning occur?

The warning in BlueConic will occur when you try to open a website that does not support secure mode (https) and is only available in http-mode.

In some exceptional cases BlueConic will not be able to detect this, and only your browser will show the mixed content warning, for example when the main URL is available in https, but not all elements on the page (e.g. stylesheets) are available in https. Typically these sites would also trigger a warning when you try to access them via https in a separate tab or window.

 

Why does this warning occur?

BlueConic runs in secure mode (https) by default. Because BlueConic can potentially deal with sensitive data (for example, from your website visitors), the BlueConic server can only be reached via a secure connection, so that all traffic to and from the server is encrypted and secured.

When you try to open a non-secure (http) element within this https environment, your browser treats it as a potential security risk and will not open these http elements automatically unless you explicitly allow it to do so.

To prevent this message from occurring, BlueConic will first try to access the site via https, but if this is not available, or not all elements on your site are available through https, you will get this warning.

  

How do I allow my browser to accept mixed content?

Depending on the browser you are using, follow the steps below. If you frequently need to work on sites that are not available in https, please use BlueConic in Chrome or Firefox.

CHROME

Chrome will show a shield on the right-hand side of your address bar:

Clicking on the shield will open a tooltip with a button "load unsafe script". Press this button.

You can now see in the address bar that you are viewing the site in mixed mode, as you will see a red strikethrough at the beginning of your address:

FIREFOX

In Firefox you will see the shield on the left-hand side of your address bar. Click on this shield:

Next, click on the dropdown arrow next to "keep blocking" and select "Disable Protection on This Page".

You can now see in the address bar that you are viewing the site in mixed mode, as you will see an orange warning sign in front of the address:

INTERNET EXPLORER

In Internet Explorer you will see a warning popping up at the bottom of the page. Click the button "show all content".

Unfortunately, IE does not remember this setting, which means that the warning is displayed at every page refresh. If you do not want this, the only option is to allow this for all sites in your browser in the settings of Internet Explorer.

We therefore recommend using Chrome or Firefox if you frequently need to work on sites that are not available in https.

SAFARI

Unfortunately, Safari does not allow embedding, so please use Chrome or Firefox. You will see a message like below with loading instructions. If you do not see "Show all content" in your Safari browser, please resort to Chrome or Firefox.


 

What risk do I take when I allow my browser to continue?

The actual risk is no different from opening this site in a separate tab or in a separate browser outside BlueConic. In those cases you would not get any warnings at all. So there is absolutely no extra security risk when you proceed to load the http site.
BlueConic only interacts with the page locally via the BlueConic script. Nothing on the pages that you load can make a connection back to BlueConic. This means that there is no risk that BlueConic data could be accessed by insecure elements on external websites that you are viewing in the inline editor, the visual picker or the journey editor.

 

Do I need to allow this every time?

Unfortunately, the setting is only remembered for the duration of the browser session. It is possible to always override this in the settings of the browser. This, however, is not recommended: in some cases, for example when you are making financial transactions via a secure website, this warning is meaningful, and in those cases you do not want to allow mixed content.

 

I want to get rid of this message permanently. Is this possible?

There are two ways to avoid having to change these browser settings every session.

1. Permanently allow your browser to always accept mixed content. This is not recommended if you use this same browser to access or process secure data (such as financial transactions) on other sites.

2. File a request at "support@blueconic.com" to allow your BlueConic tenant to (partly) run in http-mode. At the request of the customer we can configure individual tenants to run the back-end of BlueConic in http-mode. Although the traffic to and from BlueConic is still secure, this mode potentially introduces a (small) security risk. In theory, a malicious person could hijack the http site and, via this site, potentially access content on your sites (man-in-the-middle attack). Therefore we will only do this on explicit customer request, and only if the customer takes full responsibility in the event of any security issue that might occur because of this setting.