Rob Chartier ~ Contemplation...

.NET, C#, Work, etc.


IE7 : This page contains both secure and nonsecure items

I just spent about 4 hours trying to solve this really annoying error which only exists in Internet Explorer 7 (IE7) over a Secure (SSL) page.  I just stumbled upon the solution and it was just so damn obscure I felt I had better write it down or it will be forever lost in the bit-bucket that I call my brain.

Although my issue was related to using MIT’s Simile Timeline control it is not limited to that in any way (here is the URL to the defect).

 

So here is the error in question:

 

When prompted with this, as a veteran of the web world, I first turn to standard proxy tools, like Fiddler.  I look for the big gotchas, such as an HTTP request that simply doesn't go over HTTPS.  Another is any request that throws back a 404 (document not found).  When that doesn't help, I next comb through the IIS log files to see if anything is not going over port 443.  Simply fix anything that behaves badly and re-test.

When that does not fix the issue, what's next?  Next you need to dig into iframes.  If you have any iframes in your output (dynamic via JavaScript/DOM or static on the page), be sure to specify the src attribute, and not just any src attribute will do.  Options include "#", "javascript:void(0);" or even "javascript:'<html></html>';".  Play with these and others which Google will turn up and decide which is your best option.

My next inclination was to do a deep dive into the JavaScript world and start debugging the crap out of things.  This really did not bear much fruit at all.  It was actually quite frustrating.  Try to avoid this as much as possible, but if you do, make use of both the alert(''); and debugger; calls.

Now when that does not bear any fruit it's time to really dig deep.  I found out that when you are manipulating a DOM element (let's say creating a DIV tag) and setting its style.background property to an incomplete URL, for example:

div.style.background="url(/images/message-top-left.png) ";

It seems that IE7 (and only IE7) will make this request over 443, but treat the data as one of these pesky “nonsecure items”.

So, the work-around which I implemented was to specify the FULL url like:

div.style.background = "url(" + prefix + "/images/message-top-left.png)";

Where “prefix” is something along the lines of:

prefix = document.location.protocol + "//" + document.location.hostname;
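
The work-around above, generalized as an added example (not code from the original post; the helper names and the sample location are assumptions): it builds the fully qualified URL for root-relative, document-relative and protocol-relative references, and refuses a reference whose scheme would not load over HTTPS. It uses location.host rather than location.hostname so that a non-default port is kept.

```javascript
// Added example; helper names are hypothetical, not from the original post.
// ES3-style syntax (var, plain functions) so it also parses in IE7.

// "https://host[:port]" for the current page. location.host keeps a
// non-default port, which location.hostname would drop.
function originPrefix(loc) {
  return loc.protocol + "//" + loc.host;
}

// Resolve a resource reference to a fully qualified URL, refusing any
// reference whose scheme is neither https: nor the page's own scheme.
function absoluteUrl(loc, ref) {
  var scheme = /^([a-z][a-z0-9+.\-]*:)/i.exec(ref);
  if (scheme) {
    var s = scheme[1].toLowerCase();
    if (s !== "https:" && s !== loc.protocol) {
      throw new Error("refusing " + s + " reference on " + loc.protocol + " page: " + ref);
    }
    return ref;                          // already fully qualified
  }
  if (ref.indexOf("//") === 0) {
    return loc.protocol + ref;           // protocol-relative
  }
  if (ref.charAt(0) === "/") {
    return originPrefix(loc) + ref;      // root-relative, the case in the post
  }
  // Document-relative: resolve against the directory of the current page.
  // Any "../" segments are left for the browser to normalize.
  var dir = loc.pathname.substring(0, loc.pathname.lastIndexOf("/") + 1);
  return originPrefix(loc) + dir + ref;
}

// Value to assign to element.style.background from script.
function backgroundValue(loc, ref) {
  return "url(" + absoluteUrl(loc, ref) + ")";
}

// Constructed sample standing in for document.location on a secure page.
var sampleLocation = {
  protocol: "https:",
  host: "app.example.test:8443",
  hostname: "app.example.test",
  pathname: "/timeline/view.aspx"
};

console.log(backgroundValue(sampleLocation, "/images/message-top-left.png"));
```

In the page itself the call would take document.location as the first argument and assign the result to div.style.background.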

 

Finally, if that is a dead end as well, consider the idea of cutting the feature out of the next release!

 

References, more help:

http://friedcellcollective.net/outbreak/2006/06/09/this-page-contains-both-secure-and-nonsecure-items/

http://support.microsoft.com/kb/925014

 

 

Comments

Caedmon said:

Are there any references for the logic that IE7 is using to determine what is a "mixed content" page?  I'm trying to get my SSL area to stop popping up this message.  I am having a tough time finding any holes in the page/logic.  But, it still insists that it is mixed content.

Thx!!

# March 24, 2008 12:19 PM

Someone said:

You should try to use the Fiddler tool. I have the same problem and I have read this tool can help resolve this problem. I don't know how to use it, so that is all I can help with.

# May 4, 2008 7:01 AM

john said:

Hi, I'm having that problem in timeline myself.

Can you tell me where or the files where you made these changes?

Thanks

# September 10, 2008 2:43 PM

Olivia said:

When you receive the error message, click Yes.

In Internet Explorer, go to Tools, Internet Options, click the Security tab; make sure that in "Select a zone..." window that Internet is selected.

Click Custom Level and scroll down about half way to "Display mixed content" in the Miscellaneous section.

Change it from Prompt to Enable.

Click OK, Yes, and OK. The change should take effect immediately.

IT SOLVES THE PROBLEM!!! ;)

# October 14, 2008 3:39 PM

ysth said:

Thanks, this was very helpful.

# October 24, 2008 4:58 PM

Esen said:

Thanks,

Finally URL('image') helped me to fix my issue with non secure item.

Thanks once again

# October 25, 2008 4:34 PM

Ramya said:

Setting the "Display mixed content" setting needs to be done on the client side...we will have no control on this.... So it is not that

# December 9, 2008 4:34 AM

Martin said:

Thank you for a great article! It saved my ass :).

# January 8, 2009 11:33 AM

Init said:

I just had the same problem myself. I had just made HTTPS mandatory on our web site, and this warning was issued in IE. After a while, I realized that the Flash animation also contains a link (to download the plugin), and changing that one to https solved my problem. Don't forget that one if you have one.

# April 22, 2009 1:36 AM

garhol said:

re: olivia

IT SOLVES THE PROBLEM!!! ;)

No, it hides the problem and opens your system up to allow insecure content on a secure page. The problem needs to be fixed at the page as shown in the article. It does not require you to lessen your security.

When someone opens their security settings to "fix" a badly coded site they also open themselves up to cross site scripting and other attacks.

# October 20, 2009 5:19 AM

tk. said:

Thanks for this, an insidious thing to find. I worked around it by, rather than setting an absolute path, setting the classname of the object. If the stylesheet has the background attribute with a relative path, it doesn't mind.

# November 6, 2009 4:40 PM

azshah said:

Thank you for the article. I am having this issue with one of our sites; there are lots of http links on the site. Let me remove them and let's see if that will help. IE is annoying to start with :P.

# November 27, 2009 10:41 AM

Sreekanth said:

javascript:false has actually fixed my problem, but there was another issue that got introduced, which didn't allow other parameters being read by the subsequent javascript routines. Instead I tried javascript:void(0) and it has fixed the problem.

# January 29, 2010 9:49 AM

usman said:

Check for all the postback urls of the page and image urls whether they contain http or https. Normally this problem occurs when page on secure connection contains http references.

# May 12, 2010 1:37 AM

michael236 said:

Sweet!  Thanks, this worked perfectly.

# May 25, 2010 6:10 PM

sam said:

Removing relative paths from the src tags could also be helpful!

However this article saved me today!!!! thanks a ton to whoever wrote it.

# August 24, 2010 11:48 AM

Christmas said:

Hi there! Do you know if they make any plugins to safeguard against hackers? I'm kinda paranoid about losing everything I've worked hard on.

Any tips?

# April 19, 2013 2:21 AM

Guillaume said:

One more to add to the list:

"background: url(data:....)"

This is triggering the warning message on IE7 too

# May 23, 2013 7:37 AM