How do I force Disqus to use HTTPS on all requests?

Go To StackoverFlow.com

5

I'm loading Disqus on a page loaded via HTTPS with the following code, as suggested in this answer.

  <div id="disqus_thread"></div>
  <script type="text/javascript">
      var disqus_shortname = 'our-shortname';
      (function() {
          var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
          dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js?https';
          (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
      })();
  </script>

Note that I've changed the request of embed.js to be https rather than http, and I've added ?https to the end of the request too, which I believe is supposed to force HTTPS.

The initial request goes via HTTPS as planned, but it makes a secondary request via HTTP, which Chrome is hating (I get the red cross over padlock icon).

From the Chrome console:

The page at https://our-website.com/blog-post-name ran insecure content from http://juggler.services.disqus.com/event.js?thread=635675380&forum=our-shortname...[long query string]

Is this the correct method to get Disqus to use ssl on all requests, or have I missed a step?

Thanks.

2012-04-04 02:32
by doctororange


6

This looks to be an issue within Disqus itself. We had Disqus working fine via SSL with the same approach in a couple of Drupal sites, but both recently had Disqus begin causing SSL warnings in both IE and Chrome as you've described.

I did a bit of digging, and I see that the DISQUS.useSSL function that's defined in embed.js and called in thread.js updates a few URLS (specifically ["disqus_url","realtime_url","uploads_url"]) in the Disqus json settings object by replacing http in their URL with https if https is found in the settings. The juggler_url doesn't get the same treatment, and so it's not updated to load via SSL. I'm not sure what juggler's purpose is, but it appears that that URL (http://juggler.services.disqus.com/) won't load via SSL in any case, so even if it's url was changed to https, it still wouldn't work.

So perhaps Disqus has made a recent change, since we had this working previously? We're taking this up with them, since this doesn't appear to be a config issue on our end...

UPDATE:

Apaprently Disqus launched a new service that does not support SSL. This is what's generating the extra scripts that get loaded insecurely, thus triggering the security warning. Disqus disabled this new service (which they didn't tell us the name of) for our specific account, and now SSL is once again working as expected. So, the solution is to just ask them to make your account SSL compliant, and that should take care of it.

2012-04-04 16:11
by stockli
Thanks for sharing your research. Keep us posted if Disqus have some answers - doctororange 2012-04-05 00:43
I've updated the answer above with the solution.. - stockli 2012-04-09 15:31
Ours appears to have started working, so I expect they have since fixed the issue. Thanks again - doctororange 2012-04-11 03:03
Gimme a break Disqus what is the problem get it together! We are having this problem now on an ssl site - zanedev 2012-05-18 06:55
Yep, same. It was fine for a while, but then started requesting HTTP resources again. I've had to disable Disqus again.. - doctororange 2012-06-06 23:21
We've had the same issue... It loads securely, but won't post securely. So as soon as you post a comment you get an insecure content warning. We emailed Disqus about it, and they acknowledged the issue but provided no ETA for a fix. Too bad, considering the increasing use of HTTPS to prevent session sidejacking. Now we can't use Disqus on a lot of our sites... I know it's a free service, but fixing it and then breaking it again was kind of lame - stockli 2012-06-19 21:33


2

Found this article, which hands the solution: http://help.disqus.com/customer/portal/articles/542119-can-disqus-be-loaded-via-https-

Basically it's not possible (yet) with Disquss 2012, but switch it off and change the embed src so it uses https:// and add the ?https param:

dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js?https';
2012-08-21 08:44
by Robarov
Have you verified that utilization of this method will allow for posts from both http and https, and new, clients? I made a haphazard switch a while back that so happens to look just like this. Later, I had a user report the first ever Disqus error. I reverted the change for fear that this was the cause. It may not have been, I don't know. It did seem to work - dyasta 2012-10-01 19:06


1

I have had this problem off and on for the past few months and have been forced to disable Disqus altogether. Initially I contacted Disqus to see if they could make the switch that disabled the non-SSl compliant feature on their side and this worked for a while but the mixed content problem kept re-occuring.

What seems to happen is that despite Disqus forcing the https version of its count.js javascript, count.js still redirects to mediacdn.disqus.com instead of securecdn.disqus.com for some reason. If one appends ?https manually in the plugin editor to force the redirect to the securecdn.disqus.com, the problem disappears in the first call to the CDN but in subsequent calls to the CDN with the query string ?https added to the count.js call, the redirect just reverts back to mediacdn.disqus.com. I've tried this numerous times.

The annoying thing about this issue is that the SSL page in question on my site creating the mixed content notification does not even have a comment section. So Disqus is loading its javascript needlessly on the page.

I like Disqus but it's unbelievable to me they wouldn't fix this issue by either allowing users to disable the javascript selectively or by implementing a secure cdn version that works in all cases. I am hoping they figure this out.

Also they told me that Disqus 2012 doesn't support HTTPS (although it will be in the future).

2012-07-14 02:01
by user1108280


0

Apaprently Disqus launched a new service that does not support SSL. This is what's generating the extra scripts that get loaded insecurely, thus triggering the security warning.

2019-01-13 20:38
by Özcan Haydaroglu