SSL validation fails with insecure content because of http://www.phpmyadmin.net/home_page/version.js
Can we get an option to disable this checking please, or some other workaround thanks
I understand that you answered noelb's question, but is there a reason that this check can't happen over SSL so that it works for everyone without throwing mixed mode warnings?
Loading it over SSL wouldn't generate an error on non-secure installs, but would fix the error on secure installs.
I think that automated upgrade checking is important from a security standpoint, so instructing people to just turn it off seems like throwing the baby out with the bathwater.
Note: I found an open bug related to this (#3534139) and left a comment there since it's probably more appropriate since this is really a duplicate.
Thanks Marc. I was thinking about this last night, and came up with an idea for resolving this if the PMA site doesn't have an SSL certificate and if it would be problematic to get one set up for whatever reason.
A PHP script could be added to the local PMA install, and that file could act as a proxy of the non-secure update check script. That way, if the local install is secure, that file can be loaded securely--but the infrastructure on the phpmyadmin.net side of things wouldn't need to change. If ForceSSL isn't being used, the file would just be proxied locally. This would also allow an easy future way of implimenting some type of caching (only checking once every 24 hours, for example) to reduce the number of requests to the PMA server.
In order to avoid any dependancies (namely cURL or allow_url_fopen), this would probably need to proxy the file using a pure fsockopen() call--but it might be a viable option if you don't want to have to (or can't) deal with the SSL side of things.
Fixed in 3.5.3.