Loading Google font in HTTPS, content being blocked
Solution 1
Edit your theme replacing every occurence of http://fonts.googleapis.com/...
with https://fonts.googleapis.com/...
(mind the s).
Resources that might pose a security risk (such as scripts and fonts) must be loaded through a secure connection when requested in the context of a secured page for an obvious reason: they could have been manipulated along the way.
Solution 2
Just use a //
prefix. (instead of http[s]://
)
- On an https page, the secure version wil be loaded.
- On on a plain http page, the plain http version will be loaded.
Edit your theme replacing every occurence of http://fonts.googleapis.com/...
with //fonts.googleapis.com/...
Solution 3
let the browser handle all the things just remove 'http' from your reference.
likewise you have to do for other libraries also if you are facing same problem with them e.g.
https://fonts.googleapis.com/css?family=Open+Sans:700,600,800,400
to
//fonts.googleapis.com/css?family=Open+Sans:700,600,800,400
same for
http://maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css
to
//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css
Solution 4
I faced this problem when you are using google cdn links and which are not accessible (such as country like china), try to use local files in place of cdns
Comments
-
vico almost 4 years
There is a wordpress theme that automatically pulls the option font picked and requests it from google font. when ssl was needed for a few selected pages the font became
missing
Viewing the console log:
[blocked] The page at 'https://www.example.com/' was loaded over HTTPS, but ran insecure content from 'http://fonts.googleapis.com/css?family=Alegreya+Sans:300,400,500,700,800': this content should also be loaded over HTTPS.
would going into the code and make all requests in https from google font work? Is there some workaround to this?
found the source code... but seems like it is already doing this... could there be a error in the if logic?
$prefix = "http"; if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') $prefix = "https"; if($get_google_font){ if(!in_array($rule_split[0], $this->used_fonts)) { $this->extra_output .= "\n<!-- google webfont font replacement -->\n"; $this->extra_output .= '<link id="google_webfont_'.$this->webfont_count.'" rel="stylesheet" type="text/css" href="'.$prefix.'s://fonts.googleapis.com/css?family='.str_replace(' ','+',$rule_split[0]).$font_weight.'" />'; }
-
Stefano Sanfilippo almost 10 yearsYes, the contrary (loading resources via TLS/SSL in a non-secured page) is possible.
-
vico almost 10 yearsOk Just needed to confirm, I will go into the code then. thanks~
-
vico almost 10 yearsany idea on the code I posted? seems to already doing that, but the if statement seems to be false even on https
-
Stefano Sanfilippo almost 10 yearsYou left a spurious
s://
in the<link ...
line. Anyway, you don't need that, just use protocol relative URIs and you are done. -
bayological over 9 yearsYou could just just remove the protocol altogether, so use "//fonts.googleapis.com/..."
-
Stefano Sanfilippo almost 7 yearsThree years later, the situation has changed. Protocol-relative URIs are discouraged nowadays, given that secure connections are easier to set up and very cheap if not almost free for many common uses. If you can serve via
https
, then by all means, do it. -
Alex Pandrea over 6 years@StefanoSanfilippo maybe it would be worth to keep in mind that this might interfere with fallback to
http
mechanisms, in particular cases -
Imran Bughio about 5 yearsI am wondering if there is a way to use both... i.e a script that uses google link but if its not working then rely on local files for the same font.