Hi there,
we love the profile widget (“Profile widget for My Website”) and use it within our application (https://unifyo.com) to show recent tweets of a contact inside Unifyo. However, it’s causing a mixed content vulnerability even though it’s loaded via https (https://widgets.twimg.com/j/2/widget.js).
Specifically, the CSS (http://widgets.twimg.com/j/2/widget.css), profile picture (in my case http://a0.twimg.com/profile_images/1644417223/BenFWirtz-handyelephant_normal.jpg) and Twitter icon (http://widgets.twimg.com/i/widget-bird.png) are loaded via http, which causes our application to fail some security reviews (e.g. for the Salesforce AppExchange).
How can we fix this?
Here is the full implementation:
<div class="twitter-stream-container">
  <!-- The widget script itself is requested over https -->
  <script charset="utf-8" src="https://widgets.twimg.com/j/2/widget.js"></script>
  <script>
    new TWTR.Widget({
      version: 2,
      type: 'profile',
      rpp: 4,
      interval: 30000,
      width: 175,
      height: 300,
      theme: {
        shell: {
          background: '#F6F6F6',
          color: '#6F6F6F'
        },
        tweets: {
          background: '#F6F6F6',
          color: '#6F6F6F',
          links: '#242424'
        }
      },
      features: {
        scrollbar: false,
        loop: false,
        live: false,
        behavior: 'all'
      }
    // The user name is read from the query string, skipping its first two characters
    }).render().setUser(window.location.search.substring(2)).start();
  </script>
</div>
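An added example, not part of the original post: a small audit that classifies the subresources named above the way a mixed-content review would, separating active content (scripts, stylesheets) from passive content (images, audio, video). The `{ kind, url }` record shape and the function name `findMixedContent` are assumptions made for this sketch.

```javascript
// Added example: flag plaintext subresources requested by an HTTPS page.
// Record shape and names are hypothetical; sample data is taken from the post
// above, plus entries marked "constructed".

// Images, audio and video are "optionally-blockable" (passive) mixed content;
// every other kind, including scripts and stylesheets, is treated as active.
const PASSIVE_KINDS = new Set(['image', 'audio', 'video']);
const PLAINTEXT_SCHEMES = new Set(['http:', 'ws:']); // schemes checked here

function findMixedContent(pageUrl, resources) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only secure pages have mixed content
  const findings = [];
  for (const { kind, url } of resources) {
    let target;
    try {
      target = new URL(url, page); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparsable URL, nothing to classify
    }
    if (!PLAINTEXT_SCHEMES.has(target.protocol)) continue;
    findings.push({
      kind,
      url: target.href,
      severity: PASSIVE_KINDS.has(kind) ? 'passive' : 'active',
    });
  }
  return findings;
}

const widgetResources = [
  { kind: 'script', url: 'https://widgets.twimg.com/j/2/widget.js' },
  { kind: 'stylesheet', url: 'http://widgets.twimg.com/j/2/widget.css' },
  { kind: 'image', url: 'http://a0.twimg.com/profile_images/1644417223/BenFWirtz-handyelephant_normal.jpg' },
  { kind: 'image', url: 'http://widgets.twimg.com/i/widget-bird.png' },
  { kind: 'image', url: '//example.com/constructed.png' }, // constructed: inherits https
  { kind: 'image', url: '/static/constructed-logo.png' },  // constructed: same origin
];

const report = findMixedContent('https://unifyo.com/', widgetResources);
for (const f of report) console.log(f.severity.padEnd(8), f.kind.padEnd(11), f.url);
```

The stylesheet is the finding a review weighs most heavily, since active mixed content can restyle or rewrite the page, while the two images are passive.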