On secure (HTTPS) sites, JavaScript code from an unsecure source is blocked in Chrome by default.
Twitter also delivers the JS files over an HTTPS connection. Therefore the lines that request JS files from Twitter should have something like the following code:

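// isset() avoids an undefined-index notice when the request is plain HTTP.
$connection = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';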
$script_url = url($connection.'://platform.twitter.com/widgets.js', array('external' => TRUE, 'https' => TRUE));

Comments

oetseli’s picture

Status: Active » Needs review
File size: 2.01 KB

I'm proposing a patch that I needed on a client project. Using the url()-function's http option is not reliable as Drupal's own https documentation is suggesting that you can leave $conf['https'] to FALSE on https-only sites. url() then checks for that variable if you've set the url's http option to true AND url() will only replace http with https if both are TRUE! This means that there's either a design problem with $conf['https'] or url().

Either way, my solution is to check if https:// strpos is 0 in the $base_url. I feel that this is more secure than checking some environment variable. The global $is_https didn't help either for some reason (maybe it's just an easy way of checking if $conf['https'] is TRUE?).

oetseli’s picture

This is another solution that simply uses protocol-relative URL schema. I'd go with this as it's way simpler and browser support is not an issue anymore.

That is:
url('//platform.twitter.com/widgets.js', array('external' => TRUE));
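
The three approaches discussed in the comments above, compared side by side in an added example that is not part of the thread or of the attached patch. `model_external_url()` is a simplified stand-in for how url() treats an external path as the first comment describes it (not Drupal's own code); the helper names and the example.com base URLs are constructed for illustration.

```php
<?php
// Simplified model: the scheme of an external path is rewritten only when
// the 'https' option is set AND $conf['https'] is TRUE.
function model_external_url($path, array $options, $conf_https) {
  if (isset($options['https']) && $conf_https) {
    if ($options['https'] === TRUE) {
      $path = str_replace('http://', 'https://', $path);
    }
    elseif ($options['https'] === FALSE) {
      $path = str_replace('https://', 'http://', $path);
    }
  }
  return $path;
}

// First comment's approach: derive the scheme from $base_url.
function scheme_from_base_url($base_url) {
  return (strpos($base_url, 'https://') === 0) ? 'https' : 'http';
}

// Scheme the browser ends up using for a script URL on a given page.
function effective_scheme($script_url, $page_scheme) {
  if (strpos($script_url, '//') === 0) {
    return $page_scheme; // protocol-relative: inherits the page's scheme
  }
  return parse_url($script_url, PHP_URL_SCHEME);
}

// A script is blocked when an HTTPS page requests it over plain HTTP.
function is_blocked($script_url, $page_scheme) {
  return $page_scheme === 'https' && effective_scheme($script_url, $page_scheme) !== 'https';
}

$widget = 'platform.twitter.com/widgets.js';
foreach (array('https://example.com', 'http://example.com') as $base_url) { // constructed
  foreach (array(FALSE, TRUE) as $conf_https) {
    $page = scheme_from_base_url($base_url);
    $candidates = array(
      'url() https option' => model_external_url('http://' . $widget, array('external' => TRUE, 'https' => TRUE), $conf_https),
      '$base_url check'    => model_external_url($page . '://' . $widget, array('external' => TRUE), $conf_https),
      'protocol-relative'  => model_external_url('//' . $widget, array('external' => TRUE), $conf_https),
    );
    foreach ($candidates as $label => $url) {
      printf("page=%-5s conf[https]=%-5s %-18s %-42s %s\n", $page, $conf_https ? 'TRUE' : 'FALSE',
        $label, $url, is_blocked($url, $page) ? 'BLOCKED' : 'ok');
    }
  }
}
```

Only the `url() https option` row on an HTTPS page with `$conf['https']` left at FALSE comes out as blocked; the `$base_url` check and the protocol-relative URL load in all four combinations.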

oetseli’s picture

rcls’s picture

I can confirm this solution works. I don't think it will be implemented however as the module has been without an update for almost 3 years now.

davemybes’s picture

Status: Needs review » Reviewed & tested by the community

Confirmed the patch in #3 works. Hopefully the new maintainers will implement this :)

  • timmillwood committed 2728a78 on 7.x-2.x authored by oetseli
    Issue #1971970 by oetseli: unsecure Javascript is blocked in chrome on...
timmillwood’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.