Symantec Access Management

  • 1.  Custom FCC file calling external CSS file

    Posted Apr 17, 2018 02:34 PM

    One of our applications is attempting to make a custom FCC page (which works fine) and has an external CSS file within the same directory but when attempting to load the FCC page they are seeing a mixed content error. "The Page 'XYZ FCC' was loaded over HTTPS but requested an insecure stylesheet 'XYZ CSS'. This request has been blocked; the content must be served over HTTPS."

    I have checked the ACO to allow for css over http and found no settings and am unsure why the IIS server is not calling the CSS at the HTTPS level as well when they live in the same directory.

     

    I directed the application owner to try setting the link reference to the below but it returned the same results.

    <link rel="stylesheet" href="//www.XYZWebsite.com/siteminderagent/secureforms/GGR.css">

     

    Has anyone had a similar or the same issue?

    #fcc #css #htmlcode  #casinglesignon12.7



  • 2.  Re: Custom FCC file calling external CSS file
    Best Answer

    Posted Apr 17, 2018 04:01 PM

    You don't want to allow non-secure CSS over an HTTPS site, so it's good it's being blocked.

     

    I've not run into that problem on multiple FCCs that use CSS links like this: <link href="/css/custom.css" rel="stylesheet" type="text/css" />

     

    That's on IIS with Win 2008 R2, Win 2012 R2 or Win 2016.

     

    If it's an explicit external resource just make sure it's "https://somehost/css/custom.css" and not http://.



  • 3.  Re: Custom FCC file calling external CSS file

    Posted Apr 17, 2018 07:43 PM

    No argument with the unsecured page being blocked but more so how can it be called at the https level or what would prevent it from being called at that level when it lives in the same directory as the fcc file. It has also come to light that the fcc page being used had a style section within the header that might be conflicting with an external style sheet but that shouldn't cause a page to be read as HTTP rather than https.
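
Added example, not part of any post in this thread: the script below resolves each stylesheet `<link>` in an FCC page the way a browser does (WHATWG URL resolution through Node's `URL` class) and flags the ones an HTTPS page would request over http://, including the case where a `<base href>` turns a relative link insecure. The host name, page URL and sample markup are constructed, and `attr` and `auditStylesheets` are hypothetical helper names.

```javascript
// Added example (not from the thread). Host, page URL and markup are constructed.
const PAGE_URL = 'https://www.example.com/siteminderagent/secureforms/login.fcc';
const SAMPLE_FCC = `
<link rel="stylesheet" href="//www.example.com/siteminderagent/secureforms/GGR.css">
<link href="/css/custom.css" rel="stylesheet" type="text/css" />
<link rel="stylesheet" href="GGR.css">
<link rel="stylesheet" href="http://www.example.com/css/custom.css">`;
// Same relative link, but the page also carries an http:// <base href>.
const SAMPLE_WITH_BASE = `
<base href="http://www.example.com/siteminderagent/secureforms/">
<link rel="stylesheet" href="GGR.css">`;

// Read one attribute from a tag (enough for hand-written FCC markup;
// this is not a general HTML parser).
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Resolve every stylesheet link against the page URL (or <base href>) and
// mark those an HTTPS page would request over plain HTTP.
function auditStylesheets(html, pageUrl) {
  const baseTag = /<base\b[^>]*>/i.exec(html);
  const baseHref = baseTag ? attr(baseTag[0], 'href') : null;
  const base = baseHref ? new URL(baseHref, pageUrl).href : pageUrl;
  const pageIsHttps = new URL(pageUrl).protocol === 'https:';
  const results = [];
  for (const [tag] of html.matchAll(/<link\b[^>]*>/gi)) {
    const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
    const href = attr(tag, 'href');
    if (!rel.includes('stylesheet') || href === null) continue;
    const resolved = new URL(href, base); // same resolution rules browsers use
    results.push({
      href,
      resolved: resolved.href,
      mixedContent: pageIsHttps && resolved.protocol === 'http:',
    });
  }
  return results;
}

for (const sample of [SAMPLE_FCC, SAMPLE_WITH_BASE]) {
  for (const r of auditStylesheets(sample, PAGE_URL)) {
    console.log(r.mixedContent ? 'BLOCKED' : 'ok     ', r.href, '->', r.resolved);
  }
}
```

Relative and protocol-relative links inherit https from the page, so in the markup itself only an explicit http:// href or an http:// `<base href>` produces an insecure stylesheet request.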