Member Avatar for digital-ether

I have a page that is under SSL.

However, in IE6, I get a notification:

"This page contains both secure and non-secure items" etc.

I've looked at all the HTTP requests for that page in both Firebug and Wireshark, and none of it seems to be sent over plain HTTP, all the resources are being fetched over SSL/TLS. However, IE6 still gives the non-sure items notification.

I've also tried fiddler and charles proxies, and they also show all requests being made to SSL port 443.
Even firebug shows that all the requests seem to be made through HTTPS.

Has anyone come across something similar and know what is triggering IE's non-secure items message?

  • 4 Contributors
  • 10 Replies
  • 197 Views
  • 10 Hours Discussion Span
  • Latest Post Latest Post by digital-ether

Recommended Answers

All 10 Replies

Member Avatar for drjohn

IE6 currently has about 10% of the market in browsers, so you may not need to worry about this for very long.

Member Avatar for jstrain@gpc.edu

Verify that any include files, CSS etc that you do not have a reference to http instead of https

Member Avatar for digital-ether

IE6 currently has about 10% of the market in browsers, so you may not need to worry about this for very long.

I know, but right now I do have to worry. :)

Member Avatar for liamfriel

I had this error from referring to http files inside a https location. Apparently this can happen even with images and any external data.

Member Avatar for digital-ether

Verify that any include files, CSS etc that you do not have a reference to http instead of https

I'm trying to make sure of this. I have made all the urls I could find relative. I verified with wireshark that there are no plain http requests being sent, and it seems everything is under TLS.

All three network protocol analysers I tried show https is the only protocol being used.... I can't imagine all three tests being done incorrectly.

Member Avatar for digital-ether

Could it be possible that some of the items are being fetched over 128bit SSL while the page itself is 256bit SSL?

Member Avatar for jstrain@gpc.edu

Can you try testing on another computer?

Member Avatar for digital-ether

After 3 hours of debugging it turns out the problem is with this line:

document.write("<script type='text/javascript' id=__ie_onload defer src=javascript:void(0)><\/script>");

This is run only for IE, and is the emulation for the window.domReady event so popular in Ajax Libs.

Apparently src=javascript:void(0) triggers insecure content for IE6,7,8.

When I change it to src='#' it works ok in IE6,7 but errors in IE8.

Any ideas on what could be used as a replacement, without incurring an extra HTTP request.

Note:

These trigger insecure notice:

about:blank
javascript:;

Throws error:

#
''

If interested here is the full code for reference: http://closure-compiler.appspot.com/code/jscbfa82c39e2e310e33f1786fb9a83f9ee/default.js

Edited by digital-ether because: n/a
Member Avatar for jstrain@gpc.edu

Have you tried single quotes around id and src ?

Member Avatar for digital-ether

Have you tried single quotes around id and src ?

I just did, and it still showed the message.

I tried linking to an empty javascript file and it works. However, I'd like to eliminate the extra http request for that file, especially since it is over HTTPS. Till then it works though.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.