|https not always green in Chrome|
Even if the page is secure
I have noticed in Chrome with https pages that even though everything is secure (my order form pages for example), the https will appear red with a line through it. This will happen on a page that shows green then, say on refresh or re-visit, will not though nothing has changed. I tried it once with a blank page and it did the same thing.
Is it just me or is does this happen to you?
Marshall, this is kismet - I'm coming here to explore this very same issue, with a few more details, and a twist.
Visualize two pages, and given that the secure page often uses the same resources over https as http - a header image, for example. Let's call the may-or-may-not-be-all-secure page /about, and the secure page /purchase.
Browse to https.... /purchase, everything is fine, green light on secure items. Use a link or even make a direct request back to /about, and you get a mixed content error. On this page is a link back to /purchase, but you don't even have to do that - change the URL to /purchase in the address bar.
The previously secure page now displays insecure items (and Chrome doesn't make it easy to tell you what they are). WTH?
Basically it caches the insecure items from the previous page state, but only in the context of that tab (as I understand it, anyway . . . )
I've done some searching and this is due to caching, there are many proposed fixes (clear history, open a new tab, whatever) but the really BIG problem with this is the average user won't have a clue how to do any of this or know what it means. Insecure = bad, close and shop elsewhere.
Has anyone solved this to any reliable degree? With Chrome gaining market share, it's become the "new I.E." in terms of the thorn in a developers bum . . . .
Short of putting in page cache tags, or as I would do in .asp:
<% Response.CacheControl = "no-cache" %>
<% Response.AddHeader "Pragma", "no-cache" %>
<% Response.Expires = -1 %>
I don't have a quick solution. And while I did not give what you said about caching any thought before, the pages I do have the above tags in always show secure. That being said, you may be onto something. And I do agree, I do not like the fact Chrome does not say why the page is not secure. At least IE asks if you want to display the non-secure items.
Ah, bits I left out. This is recently moved to a nginx server (from linux) with no-cache headers and cachebuster code added to all resources (you know, like img.jpg?u=123345 that changes for each user.) There is literally no cachebusting efforts we can do server side to get around it, we've tried. It's all on Chrome.