LTI 1.3 Mixed Content Warning

Jump to solution
ScottHurrey
Community Member

Hello, I am building an LTI 1.3 integration. I have everything registered in my AWS AMI based on bitnami-canvaslms-2022.4.27-212-0-linux-debian-10-x86_64-hvm-ebs-nami-752b37a4-d309-4bda-b662-6bc16b5eaf49. When I click the link to my application, it never loads. In my application I see the OIDC login, but it never loads the launch. I am using pylti1p3 and Flask with Python 3.9.2.

What I see in the javascript console is:

 

Mixed Content: The page at 'https://3.235.21.25/courses/1/assignments' was loaded over HTTPS, but requested an insecure frame 'http://canvas.test/api/lti/authorize_redirect?scope=openid&response_type=id_token&response_mode=form_post&prompt=none&client_id=10000000000002&redirect_uri=https%3A%2F%2Fbox-lti.herokuapp.com%2Flaunch%2F&state=state-a5a2b71f-d9ec-4b2a-ab14-64d320d6ef17&nonce=a0722c6503e14f3d9c5cebfe5baa857feb761b7cf40011eca80dda7f7cbc7b0c&login_hint=c822a4f6c58d1a4b31c66d3903d634dd75556570&lti_message_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ2ZXJpZmllciI6IjE2MjA1MjliYWMzOTBjZTMyZjA2NDJlMWQ0YTQ5MGQ0MzRkZDk1ZWU4ZTNkOWIzZTQyZWRiZWUxN2MyOTczZmIyM2IxNTEyNjU2ZjExODQ3YzE5ZDE5N2YwM2U3MGE0MzE1ZDBkMTcwN2Y0Yzg3NDVjMGZkNzAyZTQ0N2NmMGZiIiwiY2FudmFzX2RvbWFpbiI6IjMuMjM1LjIxLjI1IiwiY29udGV4dF90eXBlIjoiQ291cnNlIiwiY29udGV4dF9pZCI6MTAwMDAwMDAwMDAwMDEsImNhbnZhc19sb2NhbGUiOiJlbiIsImV4cCI6MTY1NjEwNDgyN30.AZ7yGSLTaj1TQEBXsCYgP15_ot9kL93mM6WnrfXK2ag'. This request has been blocked; the content must be served over HTTPS.

 

It points to the following code:

        function checkCookiesAllowed() {
            var cookie = "lti1p3_test_cookie=1; path=/";
            if (siteProtocol === 'https') {
                cookie = cookie + '; SameSite=None; secure';
            }
            document.cookie = cookie;
            var res = document.cookie.indexOf("lti1p3_test_cookie") !== -1;
            if (res) {
                // remove test cookie and reload page
                document.cookie = "lti1p3_test_cookie=1; expires=Thu, 01-Jan-1970 00:00:01 GMT";
                displayLoadingBlock();
                window.location.href = getUpdatedUrl();
            } else {
                displayWarningBlock();
            }
        }

 

Specifically on the line: window.location.href = getUpdatedUrl();

I'm not quite sure where canvas.test is coming from. It does load just fine in other LMS sandboxes, but I'm new to Canvas, so I'm definitely aware that I'm probably missing something dumb. LOL Please let me know if there is additional information I can provide.

I couldn't find any mention of this elsewhere, so I greatly appreciate any guidance.

Thanks in advance!

Labels (4)
0 Likes
1 Solution
ScottHurrey
Community Member
Looks like that code is actually in the LTI Library, so nothing to see here... haha

View solution in original post

0 Likes