Secure and nonsecure warning in IE using https (SSL or TLS)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Secure and nonsecure warning in IE using https (SSL or TLS)

Hugh Gibson-2
We've just been running our site using SSL (https).

Mostly it's fine but occasionally when changing the screen we get the
dialog saying "This page contains both secure and nonsecure items. Do you
want to display the nonsecure items?"

This last happened with iframe - see
www.mail-archive.com/[hidden email]/msg03282.html

In this case I have used Fiddler and intercepted the https stream, and
confirmed that at the point of clicking on the item in our application
where this warning appeared there was no request for an http item.

I found some information about possible causes at
http://weblogs.asp.net/rchartier/archive/2008/03/12/ie7-this-page-contains
-both-secure-and-nonsecure-items.aspx

and at the Microsoft KB article referenced there -
http://support.microsoft.com/kb/925014

An extract:

"
I found out that when you are manipulating a DOM element (lets say
creating a DIV tag), and are setting its style.background property to a
incomplete url, for example:

div.style.background="url(/images/message-top-left.png) ";

It seems that IE7 (and only IE7) will make this request over 443, but
treat the data as one of these pesky “nonsecure items”.

So, the work-around which I implemented was to specify the FULL url like:

div.style.background="url(“+prefix+“/images/message-top-left.png) ";

Where “prefix” is something along the lines of:

prefix = document.location.protocol + "//" + document.location.hostname;
"

and from the MS page:

"This problem occurs if the Web page script calls the removeChild()
method to delete a DIV element that references a background image."

A quick check shows a lot of calls to removeChild in the qooxdoo code.

It probably applies to trunk and 0.8 unless you have specifically
addressed it.

I've reported this as a bug at
http://bugzilla.qooxdoo.org/show_bug.cgi?id=1021

Hugh

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
Reply | Threaded
Open this post in threaded view
|

Re: Secure and nonsecure warning in IE using https (SSL or TLS)

Dioc

It seems that this problem is related to
http://bugzilla.qooxdoo.org/show_bug.cgi?id=890 bug #890 .
--
View this message in context: http://www.nabble.com/Secure-and-nonsecure-warning-in-IE-using-https-%28SSL-or-TLS%29-tp18215785p18232784.html
Sent from the qooxdoo-devel mailing list archive at Nabble.com.


-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
Reply | Threaded
Open this post in threaded view
|

Re: Secure and nonsecure warning in IE using https (SSL or TLS)

Hugh Gibson-2
> It seems that this problem is related to
> http://bugzilla.qooxdoo.org/show_bug.cgi?id=890 bug #890 .

Thanks, spot on. Looks like it's fixed in SVN now for 0.7.4, I'll have to
try it.

I searched for various keywords but missed 890.

Hugh

-------------------------------------------------------------------------
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel
Reply | Threaded
Open this post in threaded view
|

Re: Secure and nonsecure warning in IE using https (SSL or TLS)

Hugh Gibson-2
> > It seems that this problem is related to
> > http://bugzilla.qooxdoo.org/show_bug.cgi?id=890 bug #890 .
>
> Thanks, spot on. Looks like it's fixed in SVN now for 0.7.4, I'll
> have to try it.

Verified fixed now from SVN. Thanks!

Hugh

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
qooxdoo-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/qooxdoo-devel