I have a page that is under SSL.

However, in IE6, I get a notification:

"This page contains both secure and non-secure items" etc.

I've looked at all the HTTP requests for that page in both Firebug and Wireshark, and none of it seems to be sent over plain HTTP, all the resources are being fetched over SSL/TLS. However, IE6 still gives the non-sure items notification.

I've also tried fiddler and charles proxies, and they also show all requests being made to SSL port 443.
Even firebug shows that all the requests seem to be made through HTTPS.

Has anyone come across something similar and know what is triggering IE's non-secure items message?

7 Years
Discussion Span
Last Post by digital-ether

IE6 currently has about 10% of the market in browsers, so you may not need to worry about this for very long.


IE6 currently has about 10% of the market in browsers, so you may not need to worry about this for very long.

I know, but right now I do have to worry. :)


I had this error from referring to http files inside a https location. Apparently this can happen even with images and any external data.


Verify that any include files, CSS etc that you do not have a reference to http instead of https

I'm trying to make sure of this. I have made all the urls I could find relative. I verified with wireshark that there are no plain http requests being sent, and it seems everything is under TLS.

All three network protocol analysers I tried show https is the only protocol being used.... I can't imagine all three tests being done incorrectly.


Could it be possible that some of the items are being fetched over 128bit SSL while the page itself is 256bit SSL?


After 3 hours of debugging it turns out the problem is with this line:

document.write("<script type='text/javascript' id=__ie_onload defer src=javascript:void(0)><\/script>");

This is run only for IE, and is the emulation for the window.domReady event so popular in Ajax Libs.

Apparently src=javascript:void(0) triggers insecure content for IE6,7,8.

When I change it to src='#' it works ok in IE6,7 but errors in IE8.

Any ideas on what could be used as a replacement, without incurring an extra HTTP request.


These trigger insecure notice:


Throws error:


If interested here is the full code for reference: http://closure-compiler.appspot.com/code/jscbfa82c39e2e310e33f1786fb9a83f9ee/default.js

Edited by digital-ether: n/a


Have you tried single quotes around id and src ?

I just did, and it still showed the message.

I tried linking to an empty javascript file and it works. However, I'd like to eliminate the extra http request for that file, especially since it is over HTTPS. Till then it works though.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.