Fix: IIS and This page contains both secure and nonsecure items

After moving a production site to use HTTPS exclusively (using the excellent IIS URL rewrite module), Internet Explorer 9 drove me nuts with the “Security Information” warning:

“This page contains both secure and nonsecure items. Do you want to display the nonsecure items?”

This was baffling, because the whole site was SSL using a genuine certificate and therefore had nothing nonsecure to send… At least I thought!

(I could get rid of the IE warning on my own machine by dumbing down the security with custom settings. However, I wanted a proper server-side fix.)

What I had missed was a script link in the HTML that someone had inserted:

<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

The fix was to ensure that the link was to Google’s secure CDN:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>

It would be nice if the Internet Explorer warning included an option to “Show Me What Is Nonsecure On This Page” so we’d know what we’re getting into.

BTW, thanks to Ruslan for his valuable IIS URL rewriter module support blog at http://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/ .

Ken

Published Thursday, July 19, 2012 12:32 PM by Ken Cox [MVP]

Comments

# re: Fix: IIS and This page contains both secure and nonsecure items

Saturday, July 21, 2012 8:07 AM by markvt

Fastest way to determine the issue

Go to the page

Right click, view source, (CTRL-F) search for: http://

# re: Fix: IIS and This page contains both secure and nonsecure items

Saturday, July 21, 2012 2:59 PM by Joe

Just use //ajax.googleapis.com/... leave out http: or https: it'll use the right one based on the scheme of the current page

Leave a Comment

(required) 
(required) 
(optional)
(required)