#3609 Chrome warns insecure content when running with HTTPS

[Anonymous]

Hello,

I have enabled HTTPS for my phpMyAdmin apache httpd.
When accessing my phpMyAdmin using Chrome (v20) I see "The page has insecure content" warning.

It seems that this warning is caused by the inclusion of "http://www.phpmyadmin.net/home_page/version.js" in functions.js file.

[Justin Beasley]

(I posted a comment on another bug that was marked as invalid, so I'm not sure if anyone will see if or not and this might be a more appropriate ticket.)

The Chrome issue is particularly painful since it shows an SSL issue for the entire site if you tell it to allow the content (even after you've navigated from the main page). If you just do nothing with the dialog, at least you don't get the red security error while managing your database, but that's completely unintuitive to the user (many of whom don't understand how SSL works).

I think that this version check should be done over SSL (HTTPS), since so many PMA installs use the ForceSSL option. Because SSL content on a non-SSL page is allowable without error (but the inverse isn't true), it seems that it would make sense to just point that update check to a secure URL and all of this will be resolved.

With SSL certs being so cheap, it doesn't seem like that should be a big hold-up for this project (if there isn't already a secure domain that could be used). I'm sure somebody would even donate one--even just to lose this nag message and have users asking why the connection isn't secure.

[Marc Delisle]

Should be fixed since phpMyAdmin 3.5.3.