Rob Chartier ~ Contemplation...

.NET, C#, Work, etc.

News






www.flickr.com
This is a Flickr badge showing public photos from Rob & Kat Chartier. Make your own badge here.


Even Quicker Links

IE7 : This page contains both secure and nonsecure items

I just spent about 4 hours trying to solve this really annoying error which only exists in Internet Explorer 7 (IE7) over a Secure (SSL) page.  I just stumbled upon the solution and it was just so damn obscure I felt I had better write it down or it will be forever lost in the bit-bucket that I call my brain.

Although my issue was related to using MIT’s Simile Timeline control it is not limited to that in any way (here is the URL to the defect).

 

So here is the error in question:

 

When prompted with this, as a veteran in the web world, I first turn to standard proxy tools, like Fiddler.  I look for the big gotchas where a HTTP request simple doesn’t go over HTTPS.  Another is if any requests are throwing back a 404 (document not found).  When that does help, next I common the IIS Log files, and see if anything is not going over port 443.  Simply fix anything that behaves badly and re-test.

When that does not fix the issue, what’s next?  Well next you need to dig into iframes.  If you have any iframes in your output (dynamic via Javascript/DOM or static on the page) be sure to specify the src attribute, and not just any src attribute will do.  Options include “#”, or “javascript:void(0);” or even "javascript:'<html></html>';".    Play with these and other which Google will turn up and decide which is your best option.

My next inclination was to do a deep dive into the Javascript world and start debugging the crap out of things.  This really did not bear much fruit at all.  It was actually quite frustrating.  –Try to avoid this as much as possible, but if you do make use of both the alert(‘’); and debugger; calls.

Now when that does not bear any fruit it’s time to really dig deep.  I found out that when you are manipulating a DOM element (lets say creating a DIV tag), and are setting its style.background property to a incomplete url, for example:

div.style.background="url(/images/message-top-left.png) ";

It seems that IE7 (and only IE7) will make this request over 443, but treat the data as one of these pesky “nonsecure items”.

So, the work-around which I implemented was to specify the FULL url like:

div.style.background="url(“+prefix+“/images/message-top-left.png) ";

Where “prefix” is something along the lines of:

prefix = document.location.protocol + "//" + document.location.hostname;

 

Finally, if that is a dead end as well, consider the idea of cutting the feature out of the next release!

 

References, more help:

http://friedcellcollective.net/outbreak/2006/06/09/this-page-contains-both-secure-and-nonsecure-items/

http://support.microsoft.com/kb/925014

 

 

Posted: Mar 12 2008, 07:01 PM by Rob Chartier | with 26 comment(s) |
Filed under: , , , , ,

Comments

Ahmad Rahman (ahmad@trustit.ca) said:

I have tried what i think is everything on a site we just developed and can't figure it out.  The site is http://www.te ch or ium.c om (remove spaces).  To see the issue (in IE) just add any product to the cart and then go to check out and the infamous message secure/nonsecure appears.  Any suggestions will be greatly appreciated.  I have even tried removing the entire header and left column which use background images, and even disabled the CSS completely, to no avail.

Thanks.

# March 17, 2008 1:29 PM

Caedmon said:

Are there any references for the logic that IE7 is using to determine what is "mixed content" page?  I'm trying to get my SSL area to stop popping up this message.  I am having a tough time finding any holes in the page/logic.  But, it still insists that it is mixed content.

Thx!!

# March 24, 2008 12:19 PM

Someone said:

You should try to use a Fiddler tool. I have the same problem and I have read this tool can help resolve this problem. I don't know how to use so it is all I can help.

# May 4, 2008 7:01 AM

this page contains both secure and nonsecure said:

Pingback from  this page contains both secure and nonsecure

# July 3, 2008 1:13 AM

john said:

Hi, I´m having that problem in timeline myself.

Can you tell me where or the files where you made this changes ?

Thanks

# September 10, 2008 2:43 PM

Olivia said:

When you receive the error message, click Yes.

In Internet Explorer, go to Tools, Internet Options, click the Security tab; make sure that in "Select a zone..." window that Internet is selected.

Click Custom Level and scroll down about half way to "Display mixed content" in the Miscellaneous section.

Change it from Prompt to Enable.

Click OK, Yes, and OK. The change should take effect immediately.

IT SOLVES THE PROBLEM!!! ;)

# October 14, 2008 3:39 PM

ysth said:

Thanks, this was very helpful.

# October 24, 2008 4:58 PM

Esen said:

Thanks,

Finally URL('image') helped me to fix my issue with non secure item.

Thanks once again

# October 25, 2008 4:34 PM

Ramya said:

Setting the "Dispaly mixed content" setting needs to be done on the client side...we will have no control on this.... So it is not that  

# December 9, 2008 4:34 AM

Iritante popup in IE met SSL - webhostingtalk.nl said:

Pingback from  Iritante popup in IE met SSL - webhostingtalk.nl

# December 24, 2008 6:09 PM

Martin said:

Thank you for a great article! It saved my ass :).

# January 8, 2009 11:33 AM

Init said:

I just had the same problem myself. I had just made HTTPS mandatory on our web site, and this warning was issued in IE. After a while, I realized that the Flash animation also contains a link (to download the plugin), and changing that one to https solved my problem. Don't forget that one if you have one.

# April 22, 2009 1:36 AM

IE security warning - Articulate Community Forums said:

Pingback from  IE security warning - Articulate Community Forums

# June 10, 2009 12:12 PM

Jon Galloway said:

If you use IE8, you’ve probably puzzled over this dialog dozens of times: It’s kind of an odd question

# October 15, 2009 4:55 AM

garhol said:

re: olivia

IT SOLVES THE PROBLEM!!! ;)

No, it hides the problem and opens your system up to allow insecure content on a secure page. The problem needs to be fixed at the page as show in the article. It does not require you to lessen your security.

When someone opens their security settings to "fix" a badly coded site they also open themselves up to cross site scripting and other attacks.

# October 20, 2009 5:19 AM

tk. said:

Thanks for this, an insidious thing to find. I worked around it by, rather than setting an absolute path, setting the classname of the object. If the stylesheet has the background attribute with a relative path, it doesn't mind.

# November 6, 2009 4:40 PM

Silverlight and Https. This page contains both secure and non-secure items « Jean-=Pierre Fouche's Blog said:

Pingback from  Silverlight and Https. This page contains both secure and non-secure items &laquo; Jean-=Pierre Fouche&#039;s Blog

# November 19, 2009 7:20 AM

azshah said:

Thank you for the article. I am having this issue with one of our sites there are lots of http links on the site let me remove them and lets see if that will help. IE is annoying to start with :P.

# November 27, 2009 10:41 AM

Sreekanth said:

javascript:false has actually fixed my problem, but there was another issue that got introduced, which didn't allow other parameters being read by the subsequent javascript routines. Instead tried javascript:void(0) and has fixed the problem.

# January 29, 2010 9:49 AM

Aaron Johnson – Links: 3-8-2010 said:

Pingback from  Aaron Johnson &#8211;   Links: 3-8-2010

# March 9, 2010 4:16 AM

usman said:

Check for all the postback urls of the page and image urls whether they contain http or https. Normally this problem occurs when page on secure connection contains http references.

# May 12, 2010 1:37 AM

michael236 said:

Sweet!  Thanks, this worked perfectly.

# May 25, 2010 6:10 PM

Rene Ramos said:

After many hours of researching why IE 7 (only) was displaying the "this page contains both secure and etc..." message, I came across an entry on friedcellcollective.net/.../this-page-contains-both-secure-and-nonsecure-items.  It stated, among other things, that a src='about:blank' loads as nonsecure.  I performed a search for any code reference to "about:blank" and found that the jquery plugin colorbox.js loads an iframe with the src='about:blank'.  As suggested on the friedcellcollective.net, I replaced the 'about:blank' source to a blank html page and the problem went away.

Hope this saves many from head aches and long hours of research.

# August 23, 2010 10:53 AM

sam said:

Removing relative paths from the src tags could also be helpful!

However this article saved me today!!!! thanks a ton to whoever wrote it.

# August 24, 2010 11:48 AM

Identify “non-secure” content IE warns about Drija said:

Pingback from  Identify &#8220;non-secure&#8221; content IE warns about Drija

# April 27, 2011 11:14 PM

Avoiding security errors with http and https links | Web 2 Market Developer Blog said:

Pingback from  Avoiding security errors with http and https links | Web 2 Market Developer Blog

# September 28, 2011 10:11 PM
Leave a Comment

(required) 

(required) 

(optional)

(required)