Insecure warnings using SSL with Google fonts [#1670748]

Good Morning,
I have just tried installing an SSL Certificate on a site which told me that there were unsecure items on the page. I have traced this to the Google Fonts import. Upon changing this in the style.css file my site is now secure. Maybe this should be changed in the source.

I then tried my website on the http connection and everything works correctly - so they can be entered as https:// in the css.

Bryn

Comment	File	Size	Author
#9	insecure-warnings-google-fonts-ssl-1670748-7104150-2.patch	1.21 KB	Danny Englander
#8	insecure-warnings-google-fonts-ssl-1670748-7104150.patch	1.12 KB	Danny Englander

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

devsaran CreditAttribution: devsaran commented 4 July 2012 at 09:48

Status:

Active

» Closed (fixed)

For SSL,

You need to do code changes in style.css.. Change from

@import url(http://fonts.googleapis.com/css?family=Open+Sans:400,700,800,300);
@import url(http://fonts.googleapis.com/css?family=Bitter:400,700);

@import url(https://fonts.googleapis.com/css?family=Open+Sans:400,700,800,300);
@import url(https://fonts.googleapis.com/css?family=Bitter:400,700);

Comment #2

Homotechsual CreditAttribution: Homotechsual commented 17 September 2012 at 18:43

You can also download the font packages from Google Web Fonts and host these locally to reduce cross-site requests.

Comment #3

alibama CreditAttribution: alibama commented 28 January 2013 at 22:49

confirmed that #1 works fine - any reason not to commit this or is there a better solution all together?
Thanks
ap

Comment #4

Homotechsual CreditAttribution: Homotechsual commented 22 February 2013 at 00:44

The reason not to commit this is that not everyone wants SSL webfonts. This needs to become a theme option if it's committed with a simple on/off switch.

Failing that - bundle the google webfonts used into the theme. This is permitted as most google webfonts are GPL licensed afaik.

Comment #5

Danny Englander

(he/him)

CreditAttribution: Danny Englander commented 23 February 2013 at 14:40

Actually the proper way to do this so it will work with secure and non secure sites is to take off the http(s) entirely. It's best done as a template preprocess function. For example:

function YOURTHEME_preprocess_html(&$variables) {
  drupal_add_css('//fonts.googleapis.com/css?family=Open+Sans:400,700,800,300',array('type' => 'external'));
}

I'm not sure if this will work as @import though. I solved a recent issue for my theme this way:

#1921294: Google Fonts cause unsecure warnings when using SSL

Comment #6

Homotechsual CreditAttribution: Homotechsual commented 24 February 2013 at 21:26

highrockmedia That's great advice!

Comment #7

Danny Englander

(he/him)

CreditAttribution: Danny Englander commented 24 February 2013 at 21:32

Status:

Closed (fixed)

» Needs work

Going to open this back up to supply a proper patch when I have some time.

Comment #8

Danny Englander

(he/him)

CreditAttribution: Danny Englander commented 1 March 2013 at 17:53

Title:	SSL Security & Fonts	» Insecure warnings using SSL with Google fonts
Version:	7.x-1.2	» 7.x-1.6
Status:	Needs work	» Needs review

File	Size
insecure-warnings-google-fonts-ssl-1670748-7104150.patch	1.12 KB

Here is a patch for this. If we could get someone to test this with SSL, it would be great. I tested and did not have any issues but I did not have an SSL environment to test with. However, it should be fine otherwise.

Also to saran.quardz, the maintainer of this theme, when you commit this patch, please be sure to give proper attribution as such:
--author="highrockmedia <highrockmedia@406120.no-reply.drupal.org>"

You need to pass this option to git commit

If you have questions about this, see: Adding a commit author

Thank you.