All too often with computer programs and websites, an improvement or bug fix in one place can lead to entirely new issues somewhere else.
It’s even worse when the problem isn’t contained to one product – when one program makes changes that precipitate issues in an entirely different application managed by a different company, it generally causes a lot of headaches.
That’s the exact situation we are is currently dealing with. Firefox and Google Chrome both released updates earlier this year that included mixed content blocking by default, which left some ManageWP users unable to open their sites’ admin areas in ManageWP.
In this post I will briefly explain the background of the issue and offer a solution. If you’d rather get straight to the solution, just scroll down a bit further.
Why Is This Happening?
Many sites on the web use HTTP, the Hypertext Transfer Protocol. It is a communication standard that functions as the basis of most information exchanges between computers. Unfortunately, the protocol has vulnerabilities – it is a relatively easy target for eavesdropping and man-in-the-middle attacks.
As a result, a lot of webpages and applications (including ManageWP!) use HTTPS, a more secure layering of the protocol.
The issue facing the developers of web browsers is that some pages employ a mix of HTTP and HTTPS, and the former parts of the page are still open to attacks. These partially encrypted pages thus contain what we call “mixed content.”
For security reasons, Firefox and Chrome now block mixed content by default. The reason that you can’t open your ManageWP admin area in an inline frame anymore is that it includes mixed content.
The problem results from (admittedly positive) security changes by the web browsers, not anything directly related to ManageWP itself.
What Can You Do to Fix It?
The reason I wanted to delve into the background of the problem a little bit is so that those of you who may have been a bit confused before can know what’s going on “under the hood.”
But regardless of the causes of the problem, the bigger question remains: how do you solve it? In a nutshell, you’ll need to fiddle with security settings. Let’s take a closer look at each browser separately.
When you attempt to access the admin area of your website via ManageWP, Firefox may or may not pop up with a message alerting you as to why. Either way, you can go to the shield icon on the navigation bar and open the drop-down menu there.
By choosing “disable protection on this page,” you won’t be making any big changes to how your browser operates – the switch will apply solely to that page, and it won’t even last forever.
That is all well and good if you don’t need to access the admin area via ManageWP very often. But if you want a long-term solution to the issue, there are other possibilities:
- Inside the Firefox address bar, type about:config
- Inside the search filter, type “mixed”
- security.mixed_content.block_active_content should be switched to false
Following those three steps will permanently stop Firefox from blocking mixed content, which means that you’ll no longer have to worry about the hassle of overriding the security settings.
However, there is a caveat here. Firefox does not offer the functionality to selectively pick and choose which sites to enable mixed content blocking on – it’s all or nothing. That means that changing these settings will turn off the shield for all websites running in Firefox.
Much like Firefox, Chrome allows you to temporarily disable mixed content blocking. At the far right of the address bar you will find a shield icon. Clicking on it will give you the option to disable mixed content blocking for the page you are currently on by choosing “load unsafe script.”
It’s an ephemeral fix, but again, it’s sufficient if you need to quickly access your admin area via iframe or you don’t care to hassle with long-term solutions.
For those who do want to permanently disable mixed content blocking, there is a way. First, go to your desktop or applications folder and right click on your Chrome icon. From there, you should choose Properties and then add the following command line flag to the end of your target:
You need to be sure that it comes after the quotations and is preceded by a space. Two hyphens are also a must.
I should note at this point that, like its Firefox equivalent, this option does have some potential security issues associated with it. In fact, both Google and the ManageWP support team recommend against adding the command line flag.
You should weigh up the options and make an informed choice of what the best fix is for you.
One Other Option
Browsers sure can be a pain. Long-term fixes have the potential to open up new security vulnerabilities in your web experience, while having to manually allow the iframe scripts to run each and every time can get quite irksome. While there are fixes, none are perfect.
One additional path to consider is the possibility of bypassing iframe altogether. You can easily set your sites to always open in a new tab rather than in iframe. How can you do this? Just head over to your ManageWP dashboard’s settings and look under “Open Sites Admin.”
By default, the option to “enable opening sites admin in iframe” will be checked. All you need to do is deselect it, and your iframe worries will no longer keep you up at night.
Technical changes often result in effects elsewhere that are unpredictable, or at least uncontrollable. Our support team has received a large number of inquiries and complaints from users who try to access their dashboard in an iframe in Firefox or Chrome.
Luckily, the iframe issues that confront result from relatively simple processes that we understand – so there are solutions.
The support team has even written up a clear, concise guide to the issue as a part of ManageWP’s Frequently Asked Questions. I hope that between my post and their hints, you can figure out the fix that works best for you.