Using Google Firebase in my ios swift app, I found the infamous message in my console output:
App Transport Security has blocked a cleartext HTTP (http://) resource load since it is insecure. Temporary exceptions can be configured via your app's Info.plist file.
Using the method here, I was able to find that this is triggered by a request to load http://www.google-analytics.com/ga.js, which is presumably from Firebase Analytics.
Do I need to add an exception for this?
I'm using the firebase/analytics module (firebase 7.1.0) inside a react app using firebase hosting and I was getting an error trying to load the googletagmanager (which I am NOT doing explicitly, it is coming from the module).
Mixed Content: The page at 'https://example.com/' was loaded over HTTPS, but requested an insecure script 'http://www.googletagmanager.com/gtag/js?id=someGTM-id'. This request has been blocked; the content must be served over HTTPS.
I am not importing google analytics from inside the index.html file, rather I am loading firebase/analytics from a javascript file with basically:
import firebase from 'firebase/app';
import 'firebase/analytics';
const firebaseConfig = {
apiKey: "api-key",
authDomain: "project-id.firebaseapp.com",
databaseUrl: "https://project-id.firebaseio.com",
projectId: "project-id",
storageBucket: "project-id.appspot.com",
messagingSenderId: "sender-id",
appId: "app-id",
measurementId: "G-measurement-id",
};
firebase.initializeApp(firebaseConfig);
firebase.analytics();
I found: https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content
And fixed it by placing the following line inside my index.html file:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
http://www.google-analytics.com/ga.js is not used by Firebase. Perhaps one of the other SDKs you are using accesses this script.
You do if you wish to use Firebase Analytics. Alternatively, you can disable analytics in the Firebase plist file.
