Fix: IIS and This page contains both secure and nonsecure items

Thursday, July 19, 2012

After moving a production site to use HTTPS exclusively (using the excellent IIS URL rewrite module), Internet Explorer 9 drove me nuts with the “Security Information” warning:

“This page contains both secure and nonsecure items. Do you want to display the nonsecure items?”

This was baffling, because the whole site was SSL using a genuine certificate and therefore had nothing nonsecure to send… At least I thought!

(I could get rid of the IE warning on my own machine by dumbing down the security with custom settings. However, I wanted a proper server-side fix.)

What I had missed was a script link in the HTML that someone had inserted:

The fix was to ensure that the link was to Google’s secure CDN:

It would be nice if the Internet Explorer warning included an option to “Show Me What Is Nonsecure On This Page” so we’d know what we’re getting into.

BTW, thanks to Ruslan for his valuable IIS URL rewriter module support blog at http://ruslany.net/2009/04/10-url-rewriting-tips-and-tricks/ .

Ken

Fastest way to determine the issue
Go to the page
Right click, view source, (CTRL-F) search for: http://

markvt - Saturday, July 21, 2012 8:07:01 AM

Just use //ajax.googleapis.com/... leave out http: or https: it'll use the right one based on the scheme of the current page

Joe - Saturday, July 21, 2012 2:59:56 PM

2 Comments