YUI yql replacement of Google Feeds breaks HTTPS / SSL protected sites

[tdharris]

Regarding the recent merge of "Replace google feed module with Yahoo Query Language": #24

Would it be possible to use https:// references with the Yahoo API? The current implementation breaks any https:// protected sites as it will refuse to load mixed content:
angular-feeds.js:241Mixed Content: The page at '<...myPage...>' was loaded over HTTPS, but requested an insecure script 'http://yui.yahooapis.com/3.18.1/build/yui/yui-min.js'. This request has been blocked; the content must be served over HTTPS.

Unfortunately swapping references to https doesn't appear to do the trick either, as accessing https://yui.yahooapis.com/3.18.1/build/yui/yui-min.js in a browser reports a problem perhaps on Yahoo's end? I wonder if that's temporary..?

YAHOO!
Will be right back...

Thank you for your patience.
Our engineers are working quickly to resolve the issue.

[siddii]

@DMDc0de any thoughts?

[tdharris]

I think yui3 loads a lot of things on-demand as well it seems, and I'm thinking they don't even have a public ssl version to serve up the content actually, but I'm not positive yet.

[DMDc0de]

We could add a reference from a cdn, like https://cdnjs.com/libraries/yui, but as @tdharris said, sadly there is no httpsavailable directly from the yahooapis domain.
In the yui3 wiki they say about ssl:

Does Yahoo's CDN support SSL?
No. If you're using SSL, it is recommended, and honorable, that YUI is hosted and loaded from your own server. SSL implies the user is communicating strictly with your website, and your website only. When YUI is hosted under your own server, you must also implement your own combo handler.

https://github.com/yui/yui3/wiki/FAQ#does-yahoos-cdn-support-ssl

So as recommended we can add a bower dependency.

[DMDc0de]

@siddii if you agree I can add the bower dependency

[siddii]

@DMDc0de - Please go ahead and do it.

[SamMurray381]

Has this issue been resolved yet? Our site wont load feeds because of the mixed content warning.

[DMDc0de]

Should be resolved see merged pull reques

[SamMurray381]

Thanks for the quick reply @DMDc0de. I noticed the merge, however we are still getting mixed content warnings on our https site.

[DMDc0de]

Can we see your bower.json?

[SamMurray381]

This is the entry for angular-feeds in our bower.json file:

"angular-feeds": "^0.0.4"

Admittedly I am very new to bower so excuse me if it is a mistake on my part. I did not write the code in the project that I've picked up.

Thanks

[DMDc0de]

Since the merge is not been released you have ti specify the commit hash instead of the version inside your bower:

bower install --save angular-feeds#thecommithash

You can see the commit hash on the main page of the plugin here in github

[SamMurray381]

That did the trick. Thank you very much for your help!

[DMDc0de]

👍

[siddii]

Thanks @DMDc0de & @SamMurray381 !

[tdharris]

I updated to the latest commit hash: angular-feeds is ec15a18d2b871dd526919850eddf278ee3a95d99 and YUI is version 3.18.1.

Am I missing something? While the yahoo yui dependencies are now loaded fine locally, it is requesting from http://query.yahooapis.com/v1/public/yql?q=select and it seems that changing the yui code to use https doesn't work (which I probably shouldn't be doing anyways). Any idea what I am doing wrong? I'm surprised it's apparently working for everyone else when it's still querying mixed content.

I am loading the following:

./bower_components/yui/build/yui/yui.js
./bower_components/angular-feeds/app/angular-feeds/angular-feeds.min.js

Receiving the following error in console:

Mixed Content: The page at 'https://myURL' was loaded over HTTPS, but requested an insecure script 'http://query.yahooapis.com/v1/public/yql?q=select%20*%20from%20feed(0%2C12)…les.org%2Falltables.env&callback=YUI.Env.JSONP.yui_3_5_0_1_1486399588826_8'. This request has been blocked; the content must be served over HTTPS.

Any ideas?

[rkluszczynski]

@tdharris Hello, I was struggling with the same issue for a while. Please try to include other YUI dependencies. Based on my tests, I think that when they are missing, YUI is trying to download them over non secure connection. Here is my Gruntfile snapshot which started to work (as I remember):

                    'bower_components/yui/build/yui/yui.js',
                    'bower_components/yui/build/oop/oop.js',
                    'bower_components/yui/build/jsonp/jsonp.js',
                    'bower_components/yui/build/jsonp-url/jsonp-url.js',
                    'bower_components/yui/build/yql/yql.js',
                    'bower_components/yui/build/yql-jsonp/yql-jsonp.js',

Just as a note: I finally ended up parsing feeds in my service and I'm producing pure json for angular-feeds (which I change a bit). This would be nice feature for angular-feeds;)

HTH,
Rafal Kluszczynski

[tdharris]

Thanks for the suggestion, but I still receive the same error mentioned above. I am loading the following now:

'bower_components/yui/build/yui/yui.js'
'bower_components/yui/build/oop/oop.js'
'bower_components/yui/build/jsonp/jsonp.js'
'bower_components/yui/build/jsonp-url/jsonp-url.js'
'bower_components/yui/build/yql/yql.js'
'bower_components/yui/build/yql-jsonp/yql-jsonp.js'
'bower_components/angular-feeds/app/angular-feeds/angular-feeds.js'

Any ideas on what is missing? It seems to me that HTTPS is just not supported. I don't see any resources I am missing here.

[tdharris]

This isn't working quite right I think. Please checkout even the demo site with https:
https://siddii.github.io/angular-feeds/app/

The above has the same problem I was experiencing.