FWIW, in Chrome (32) there's a straightforward workaround -- let the page load fail, click the shield icon at the right edge of the URL bar, and use the "Load insecure scripts" button, which will take effect for that page only.
However, while there may be workarounds by tinkering with the browser security policy, mixed-content blocking is there for a good reason, regardless of the presumed locality of the network resource, and browsers aren't going to back off on it -- some don't even support disabling it, and policy implementations vary with what can be turned off (AFAIK, Chrome and Firefox both draw a distinction between purely passive content, e.g. images, and everything else, but the content being pulled off the flukso device is a JSON callback, so no help there.) This really ought to be redesigned to work in modern browsers.
I can see a few possible fixes:
- stop serving the flukso UI, or at least the "minute" view, over SSL (bleh)
- serve the graph UI, or at least the minute view, off the device (hard to update)
- have the UI trigger realtime sending of sensor samples out to the flukso servers and back again (higher latency, especially up front since to do it passively requires waiting for the next sensor pulse to trigger realtime mode)
- expose the RESTful port on the Internet and proxy it that way (expect a lot of compromised flukso devices)
- serve SSL off the flukso device itself
I played with that last option. Got my flukso unit serving over SSL by upgrading its uhttpd slightly (getting off the backfire RC5 to the release version), installing uhttpd-mod-tls and generating a cert/key. With a free CACert-issued certificate it's even valid so far as my browser is concerned, but that's not going to help a typical user. To actually use the SSL the browser would have to be told to, and the device URL is being generated inside obfuscated JS served up from the flukso servers, so we're left with client-side patching again.
One interesting possibility would be to register a wildcard cert, say *.devices.flukso.net, push the cert/key to every device, and start serving SSL from uhttpd. To pass the SSL CN check you'd need a custom DNS server that could make, say 192-168-1-1.devices.flukso.net resolve to 192.168.1.1, but that's doable. Wildcard certs from browser-accepted CA roots aren't free, but it's a cost only paid once (annually), not per-device, and requires no end-user changes.
folks,
in minute mode i get these messages non stop so that seems to indicate i should be able to see the minute data . if i load those pages manually i see the values.
Loading mixed (insecure) active content on a secure page "http://10.0.1.21:8080/sensor/........1e.js:7985
GET http://10.0.1.21:8080/sensor/... [Mixed Content][HTTP/1.1 200 OK 89ms]
what i do not know yet is how this is 'implemented' to the gui .
i keep seeing the hour tab and thats it. maybe someone can post a SS of their minute tab?
i tried multiple browsers. perhaps i am overlooking something?
Johan Crols |
I still have the same problem as described initially. If I try the workaround in FF, or Chrome, nothing happens when I click on the "minute" tab (in FF it keeps on displaying the hourly values, in Chrome I get a blank page)...
Thanks for the link, but I don't have the right IT skills to make anything from the post you refer to :-(. I gather from this that there is no easy solution within a regular browser to solve the minute-display issue? Or is there another browser out there that doesn't have the mentioned problem(s)? I'm running on OS X...
Thanks. Unfortunately I'm an apple boy... No apple alternatives?
Lusili |
In fact I'm too! I've been searching for an IOS app but without success till now. There is one (readings - water, gas & electricity) but it's expensive and to my opinion not the money worth ( no realtime data and useless graphs).
Anyone else maybe?
gebhardm |
As I also use a Macintosh (OS X 10.9.4) please see on how it works for me using Firefox 31 --> https://github.com/gebhardm/energyhacks/blob/master/Flukso/Flukso_minute...
Intrestingly the minute dash works instantly in Safari 7.0.5 w/ Javascript on...
For completeness: I have an FLM v2A, firmware 232; but honestly I doubt that the server part of a v2B is different with respect to the dash visualization
Johan Crols |
Unfortunately... :-(. Neither Firefox works the way you described, neither Safari (with Java on)... What I did see is that I have 2 sensors in the sensor tab that I did not configure ("electricity smart-main" and "gas smart-main"). Those 2 sensors were not added by me (but were there automatically when I added the v2B) and it's those sensors for which I get the error message... So it might have something to do with the B version after all...?
icarus75 |
@Johan Crols I've disabled the inactive sensors on your FLM02B. Could you re-check the working of the minute tab?
Johan Crols |
Works like a charm! Just 1 remark, can you re-activate one of the sensors again please? In addition to the smart-elec and smart-gas, you have also de-activated the "solar garage". However there will be an additional array of solar panels being installed in 2 weeks that will be connected to that sensor. Thanks!
Johan Crols |
@Icarus75 Forget what I just wrote about the additional sensor - I'll activate the sensor once they've placed the solar panels myself, to avoid inactive readings again.
Lusili |
@Icarus75
Bart,
Maybe that's the reason my minute tab is not working either. I also have main-electricity and main-gas sensors i didn't install myself. Is it possible to disable them?
Ps now i'm on a holiday so i can 't check the impact right now but in the meantime maybe you can do it and i let you know something when i get back.
Thanks!
Lusili |
@Icarus75
For a good understanding: the SMART MAIN sensors are to be disabled.
Johan Crols |
Is there a way we can Disable them ourselves? I didn't see them in the setup screens...
coder |
@JC
of course ,
login to your flukso device and its all there under the sensor tab
@thread
i checked mine and only my sensor 1,4 and 5 is active. the rest is disabled.
so if that "disable fix" was a possible workaround for some it wasn't for me.
o yeah and i tried old firefox versions and even from a virtual XP box and a safari for windows too :)
my flukso is on another subnet but so are many of my home devices that are perfectly reachable. there is only a pfsense firewall in between and he doesnt show any blocked flukso traffic.
once you got to the point your PC can grab the data from port 8080 and your debug browser tells you "Loading mixed (insecure) active content on a secure page "http://10.0.1.21:8080/sensor...."
what else can be done? should you not see the real time traffic almost instantly ?
from my point of view this looks a programming issue.
challenge me wrong :)
Johan Crols |
@coder: no it was not in the sensor tab... Not those 2 sensors that were disabled...
Tommyville |
I have this problem too, seems intermittent sometimes it loads on safari on iPad / iPhone sometimes it doesn't...
Sometimes refreshing a few times helps. Even tried clearing browsing data ect..
Ricstar |
Mine is FLM02A. FW-232
I am a new user and frustrated trying to find answers and all old threads that leave us with no results.
So hopefully this will save a few hours for someone else.
Firefox 36.XX Works. When selecting Minute tab, click on shield just left of web URL and an "Insecure Content" box is displayed - Select [Options] - "Disable Protection". Then all is goodness
When finished viewing minute dash, click again on the shield, [Option] and "Enable Protection"
Opera 28.0 for Windows also works.
Log into Flukso as usual.
In the Dash select Hour. Then select to view Minutes.
In the URL bar to the right you will see a message pop up "O Content blocked" and then turns to a O with a cross through it. Click on the icon and a "Block Insecure Content" box opens up. Click on [Unblock]. No option to block again. Can only close the tab.
Also Firefox for Android works. verison on Google Store as of March 2015.
When FF is open - In the MENU section, where you have New Tab, Find in Page, Tools, Settings, you will also find a "Request Desktop Site"
When opening Flukso dash in the desktop version you get the protection shield in the URL bar. So same as a Windows FF browser, tap on the shield to bring up the window for protection, selection options and disable protection for the session.
All is goodness. :)
Jeremy |
The "shield" solution doesn't work for me. I'm using an iMac 10.11.3, FireFox 40.0.3, the small shield has a red diagonal line through it, indicating that protection is disabled. The iMac and FLM are both connected to the same WiFi access point. I've also connected to the FLM via Ethernet and confirmed that the "enable real time measurements" check box is enabled. The FLM has firmware 247. I've also tried using Chrome browser on iMac, Chrome on a Windows 7 laptop, and Safari on an iPad.
FWIW, in Chrome (32) there's a straightforward workaround -- let the page load fail, click the shield icon at the right edge of the URL bar, and use the "Load insecure scripts" button, which will take effect for that page only.
However, while there may be workarounds by tinkering with the browser security policy, mixed-content blocking is there for a good reason, regardless of the presumed locality of the network resource, and browsers aren't going to back off on it -- some don't even support disabling it, and policy implementations vary with what can be turned off (AFAIK, Chrome and Firefox both draw a distinction between purely passive content, e.g. images, and everything else, but the content being pulled off the flukso device is a JSON callback, so no help there.) This really ought to be redesigned to work in modern browsers.
I can see a few possible fixes:
- stop serving the flukso UI, or at least the "minute" view, over SSL (bleh)
- serve the graph UI, or at least the minute view, off the device (hard to update)
- have the UI trigger realtime sending of sensor samples out to the flukso servers and back again (higher latency, especially up front since to do it passively requires waiting for the next sensor pulse to trigger realtime mode)
- expose the RESTful port on the Internet and proxy it that way (expect a lot of compromised flukso devices)
- serve SSL off the flukso device itself
I played with that last option. Got my flukso unit serving over SSL by upgrading its uhttpd slightly (getting off the backfire RC5 to the release version), installing uhttpd-mod-tls and generating a cert/key. With a free CACert-issued certificate it's even valid so far as my browser is concerned, but that's not going to help a typical user. To actually use the SSL the browser would have to be told to, and the device URL is being generated inside obfuscated JS served up from the flukso servers, so we're left with client-side patching again.
One interesting possibility would be to register a wildcard cert, say *.devices.flukso.net, push the cert/key to every device, and start serving SSL from uhttpd. To pass the SSL CN check you'd need a custom DNS server that could make, say 192-168-1-1.devices.flukso.net resolve to 192.168.1.1, but that's doable. Wildcard certs from browser-accepted CA roots aren't free, but it's a cost only paid once (annually), not per-device, and requires no end-user changes.
See also https://www.flukso.net/content/error-call-sensor-experienced-timeout-you...
message to be closed (as actually no news are expected to occur)
folks,
in minute mode i get these messages non stop so that seems to indicate i should be able to see the minute data . if i load those pages manually i see the values.
Loading mixed (insecure) active content on a secure page "http://10.0.1.21:8080/sensor/........1e.js:7985
GET http://10.0.1.21:8080/sensor/... [Mixed Content][HTTP/1.1 200 OK 89ms]
what i do not know yet is how this is 'implemented' to the gui .
i keep seeing the hour tab and thats it. maybe someone can post a SS of their minute tab?
i tried multiple browsers. perhaps i am overlooking something?
I still have the same problem as described initially. If I try the workaround in FF, or Chrome, nothing happens when I click on the "minute" tab (in FF it keeps on displaying the hourly values, in Chrome I get a blank page)...
Have a look at this recent post:
https://www.flukso.net/content/minute-tab-dash
Thanks for the link, but I don't have the right IT skills to make anything from the post you refer to :-(. I gather from this that there is no easy solution within a regular browser to solve the minute-display issue? Or is there another browser out there that doesn't have the mentioned problem(s)? I'm running on OS X...
I think we have to be a little bit patient. In the meantime i'm using the app "Energy Control" for Android.
Nice alternative! More info:
https://www.flukso.net/content/android-app-fluksometer
Thanks. Unfortunately I'm an apple boy... No apple alternatives?
In fact I'm too! I've been searching for an IOS app but without success till now. There is one (readings - water, gas & electricity) but it's expensive and to my opinion not the money worth ( no realtime data and useless graphs).
Anyone else maybe?
As I also use a Macintosh (OS X 10.9.4) please see on how it works for me using Firefox 31 --> https://github.com/gebhardm/energyhacks/blob/master/Flukso/Flukso_minute...
Intrestingly the minute dash works instantly in Safari 7.0.5 w/ Javascript on...
For completeness: I have an FLM v2A, firmware 232; but honestly I doubt that the server part of a v2B is different with respect to the dash visualization
Unfortunately... :-(. Neither Firefox works the way you described, neither Safari (with Java on)... What I did see is that I have 2 sensors in the sensor tab that I did not configure ("electricity smart-main" and "gas smart-main"). Those 2 sensors were not added by me (but were there automatically when I added the v2B) and it's those sensors for which I get the error message... So it might have something to do with the B version after all...?
@Johan Crols I've disabled the inactive sensors on your FLM02B. Could you re-check the working of the minute tab?
Works like a charm! Just 1 remark, can you re-activate one of the sensors again please? In addition to the smart-elec and smart-gas, you have also de-activated the "solar garage". However there will be an additional array of solar panels being installed in 2 weeks that will be connected to that sensor. Thanks!
@Icarus75 Forget what I just wrote about the additional sensor - I'll activate the sensor once they've placed the solar panels myself, to avoid inactive readings again.
@Icarus75
Bart,
Maybe that's the reason my minute tab is not working either. I also have main-electricity and main-gas sensors i didn't install myself. Is it possible to disable them?
Ps now i'm on a holiday so i can 't check the impact right now but in the meantime maybe you can do it and i let you know something when i get back.
Thanks!
@Icarus75
For a good understanding: the SMART MAIN sensors are to be disabled.
Is there a way we can Disable them ourselves? I didn't see them in the setup screens...
@JC
of course ,
login to your flukso device and its all there under the sensor tab
@thread
i checked mine and only my sensor 1,4 and 5 is active. the rest is disabled.
so if that "disable fix" was a possible workaround for some it wasn't for me.
o yeah and i tried old firefox versions and even from a virtual XP box and a safari for windows too :)
my flukso is on another subnet but so are many of my home devices that are perfectly reachable. there is only a pfsense firewall in between and he doesnt show any blocked flukso traffic.
once you got to the point your PC can grab the data from port 8080 and your debug browser tells you "Loading mixed (insecure) active content on a secure page "http://10.0.1.21:8080/sensor...."
what else can be done? should you not see the real time traffic almost instantly ?
from my point of view this looks a programming issue.
challenge me wrong :)
@coder: no it was not in the sensor tab... Not those 2 sensors that were disabled...
I have this problem too, seems intermittent sometimes it loads on safari on iPad / iPhone sometimes it doesn't...
Sometimes refreshing a few times helps. Even tried clearing browsing data ect..
Mine is FLM02A. FW-232
I am a new user and frustrated trying to find answers and all old threads that leave us with no results.
So hopefully this will save a few hours for someone else.
Firefox 36.XX Works. When selecting Minute tab, click on shield just left of web URL and an "Insecure Content" box is displayed - Select [Options] - "Disable Protection". Then all is goodness
When finished viewing minute dash, click again on the shield, [Option] and "Enable Protection"
Opera 28.0 for Windows also works.
Log into Flukso as usual.
In the Dash select Hour. Then select to view Minutes.
In the URL bar to the right you will see a message pop up "O Content blocked" and then turns to a O with a cross through it. Click on the icon and a "Block Insecure Content" box opens up. Click on [Unblock]. No option to block again. Can only close the tab.
Also Firefox for Android works. verison on Google Store as of March 2015.
When FF is open - In the MENU section, where you have New Tab, Find in Page, Tools, Settings, you will also find a "Request Desktop Site"
When opening Flukso dash in the desktop version you get the protection shield in the URL bar. So same as a Windows FF browser, tap on the shield to bring up the window for protection, selection options and disable protection for the session.
All is goodness. :)
The "shield" solution doesn't work for me. I'm using an iMac 10.11.3, FireFox 40.0.3, the small shield has a red diagonal line through it, indicating that protection is disabled. The iMac and FLM are both connected to the same WiFi access point. I've also connected to the FLM via Ethernet and confirmed that the "enable real time measurements" check box is enabled. The FLM has firmware 247. I've also tried using Chrome browser on iMac, Chrome on a Windows 7 laptop, and Safari on an iPad.