Best practice forum (Archived)

Internet Explorer issues mixed content warnings from Yahoo libraries

Is there a Certification status report?
Is there a quick way to put 5000 employee into the hierachy leveled system? The trainees are under the group/department they belongs to?

Hi,

I would like to run a Totara 2.4.x site completely through HTTPS and deliver SCORM modules from this. The modules shall be opened in a standard popup window and contain scripts to allow finalising communication and closing the popup by pressing a button inside the module. Unfortunately the Internet Explorer >=9 issues irritating mixed content warnings in that process and the debugger is pointing to Yahoo libraries as the reason - see attached screenshot. I've thought that the included copies of the Yahoo libraries should not make it necessary to issue unencrypted requests to online versions which do not seem to be available through HTTPS completely?
Is this a bug in Moodle? Is it known and if, what can be done to avoid this?

Rainer

Permalink | Reply

Hi Rainer,

First could you check that your CFG->wwwroot variable in config.php is set to use https?

Does this issue look like the same as your problem?

https://tracker.moodle.org/browse/MDL-42679

It was fixed in Moodle 2.6 but we might be able to backport it, if it actually resolves your issue

Permalink | Show parent | Reply

+1 vote for backporting to 2.4 if at all possible.

Thanks

Permalink | Show parent | Reply

Hi Ciaran,

thank you for the quick response!

Yes, I've set the wwwroot to https throughout.

MDL-42679 seems to be related to a problem in the same area: SCORM player through https using YUI elements. However, the files involved there are different and in my case it is not, that parts of the player itself visibly do not work. I have tested different configurations for the popup, with the tree menu at the side disable, closed from the beginning etc. It is always the same and the warnings by the IE will surely cause requests by users ... The debugger is pointing to this in my case: /theme/yui_combo.php?3.7.3/build/simpleyui/simpleyui-min.js&3.7.3/build/loader/loader-min.js - simpleyui-min.js is the file obviously putting the http url into the response.

I will try to test a SCORM module with Moodle 2.6. It is that 2.6 contains even newer YUI libs and SCORM player than the latest Totara 2.5.7 has now? I've done a test with a 2.5.x code some days ago with no success regarding this.

Rainer

Permalink | Show parent | Reply

Yeah there's always a risk that something fixed in a higher version of Moodle will be just so different from earlier versions that backporting it becomes almost impossible.

I'm guessing that the underlying cause is similar to the MDL issue though - the yui_combo script is trying to load simpleyui-min.js which either doesn't exist so the YI library is calling home to get it over http; or there is a hardcoded call to load it locally over http.

I'll do a bit more research and see what I can uncover, and if it can be fixed in 2.4/2.5.

Permalink | Show parent | Reply

This is proving quite tricky...

simpleyui-min.js should be available locally so there's no good reason why the yui_combo should be trying to obtain them from yahoo.

There may be a workaround consisting of

Disable the "Use online YUI libraries" useexternalyui config setting in Site Administration -> Appearance -> AJAX and Javasciprt

Ensure CFG->httpswwwroot is set in config.php - same value as the https version of $CFG->wwwroot

In theory this should ensure the comboBase variable is properly set to the https version, and the local version will be used, so the http calls should never happen.

Let me know how that works.

Permalink | Show parent | Reply

Hi Ciaran,

Although I had attempted to set the httpswwwroot explicitely to the same https URL before, I gave it another try - carefully checked, but not succesful as well.

The use of online YUI libraries has been switched off all the time, but still I can observe the described behaviour on Totara, not only with a custom theme, but also with the default Totara theme. With Moodle 2.6 it is different: The same SCORM module, set up the same way to run in an extra window, works fine! The Module can finalise communication and close the extra window with JavaScript, when a user triggers the related functions by clicking an exit button in the SCORM module.
Unfortunately the YUI integration and SCORM player really do look quite different in that late Moodle, than in Totara 2.4 ... hope there will be an upgrade path soon.

ThanksRainer

Permalink | Show parent | Reply

SCORM has been completely overhauled in 2.6 so when Totara 2.6 is released (around April) hopefully it will resolve a lot of outstanding SCORM issues. Those fixes will probably never make it back to being backported to 2.4 and 2.5 though because the changes to mod/scorm in 2.6 are so extensive.

The simpleyui-min.js seems to be loaded on most pages as part of the page header setup in lib/outputrequirementslib.php but if that was the cause you would be seeing the mixed content warnings on every page in the site. Is it only in the SCORM modules you are seeing it?

If that is the case then you could try setting the comboBase in the SCORM js files. This is a suggested fix from one of the partners so if you could test this - if it works we'll get it added to Totara Core. In mod/scorm/datamodels

aicc.js.php line 242

scorm_12.js.php lines 234 and 433

scorm_13.js.php line 363

change

Y.use('yui2-connection', function(Y) {

YUI({comboBase: '<?php echo "{$CFG->wwwroot}/theme/yui_combo.php" ?>'}).use('yui2-connection', function(Y) {

With the config wwwroot set to the https version.

Permalink | Show parent | Reply

Hi Ciaran,

the suggestion to change the YUI-related lines in the SCORM launcher really helps! I haven't checked in detail yet, but the positive impact I can reproduce on two instances with different modules and themes - no mixed content warnings from late IEs (9-11) with default security settings any more.

Thanks a lot

Rainer

Permalink | Show parent | Reply