Handling Mixed (HTTPS/HTTPS) Content

re: Handling Mixed (HTTPS/HTTPS) Content

EricLaw [ex-MSFT] — Wed, 10 Apr 2013 21:20:35 GMT

Here's a nice post from the Mozilla team on blocking Mixed Content in Firefox 23+: blog.mozilla.org/.../mixed-content-blocking-enabled-in-firefox-23

re: Handling Mixed (HTTPS/HTTPS) Content

Cyril N — Thu, 11 Oct 2012 20:06:56 GMT

Hi Eric,

I read all the posting with interest, but this error message in IE9 still doesn't make any sense to me:

"SEC7111: HTTPS security is compromised by https://hostname/saas/spring/img/kyn/KYN_TopLeft.png "

It's not an 'about ' issue as stated previously. There is no mixed content here since we are calling a secure URL from a secure location. What am I missing?

Here is the html: <img width="95%" height="59" src="/saas/spring/img/kyn/KYN_TopLeft.png" border="0"/>.

Why does IE9 believe the URL is unsecured?

re: Handling Mixed (HTTPS/HTTPS) Content

Larry L — Fri, 05 Oct 2012 13:24:16 GMT

I can't get rid of that annoying, every few seconds, every few clicks pop up about only secure content being displayed, what's the risk?, and show all content. I click "X", it goes away, then comes back. I am NOT a technical person, and simply want to know (1) How do I hide/suppress this constant pop up, and (2) If I do get rid of the pop up visually, will it compromise any security concerns? So please, in as non-technical terms as possible for this old fellow, help me know how to get rid of it, and whether it will compromise security if I do. Thanks.

[EricLaw] You should upgrade to Internet Explorer 9.

re: Handling Mixed (HTTPS/HTTPS) Content

Pete — Fri, 01 Jun 2012 14:15:20 GMT

Hi Eric, lots of fantastic information on this page. I'm currently struggling with an AJAX application which is intermittently generating mixed content warnings on IE 8. The vendor for the application is stating that they will not fix the problems since they would like all clients to move to IE 9 or some other modern browser, but unfortunately our industry is rather conservative so that isn't really a good answer for us.

I've debugged the vendor's JavaScript (thanks to Fiddler's autoresponder feature) and fixed quite a few places where the code manipulates the DOM causing the mixed content warning to appear. In no situation are we actually issueing HTTP requests - the warning is generally caused by issues such as removing DIVs with background image tags (which I believe is a known IE 8 issue).

Sadly, I'm still seeing issues so was looking for advice as to how I can find out which piece of JavaScript is causing the problem. I've tried installing the Scriptfree addin, but it's not telling me anything - would I expect Scriptfree to pop up a window whenever the mixed content warning appears? Or does it indicate the URL in some other way? Is there perhaps some other mechanism for debugging and intercepting the line of JavaScript that's causing the error? Would I be able to make sense of anything if I used Visual Studio to debug IE itself?

Sorry I can't point you to an example site with the problem - as I say, it's a third party application (which I'd rather not name :)) and is running on servers within our corporate LAN.

Thanks!

re: Handling Mixed (HTTPS/HTTPS) Content

Suhas — Thu, 03 May 2012 05:45:48 GMT

My protocol handler implements QueryInfo method of IInternetProtocolInfo and responds TRUE for QUERY_IS_SECURE option. This is causing mixed mode warning. Thanks Eric. You were spot on!

re: Handling Mixed (HTTPS/HTTPS) Content

EricLaw [MSFT] — Wed, 02 May 2012 14:25:24 GMT

@Suhas: Very interesting. Please provide more details about your protocol (email me). For instance, does it respond True to the QueryIsSecure in IInternetProtocolInfo?

re: Handling Mixed (HTTPS/HTTPS) Content

Suhas — Wed, 02 May 2012 13:11:27 GMT

Hi Eric,

We have some html pages delivered using a custom protocol.

When these pages contain <IMG> tag with image source as http url, IE is showing Mixed mode warning.

I'm not able to figure what is delivered using HTTPS here! I feel there a bug in IE which flags content delivered using custom protocol as HTTPS. Can you comment on this?

re: Handling Mixed (HTTPS/HTTPS) Content

Nagaraj — Tue, 24 Jan 2012 05:15:05 GMT

@Eric: There is no http reference in fiddler logs. We are getting 200 as http response for all request for this page. All request and response are through https only. Further the site throws no warning message when we work over http. The only suspect is about reference, about:blank. we zeroed in to this place after trying all options

re: Handling Mixed (HTTPS/HTTPS) Content

EricLaw [MSFT] — Sun, 22 Jan 2012 15:40:40 GMT

@Nagaraj: Why are you convinced that the frame is the problem?

re: Handling Mixed (HTTPS/HTTPS) Content

Nagaraj — Sun, 22 Jan 2012 15:05:45 GMT

I am facing this Mixed content warning in a web page generated by a third party ERP system. The generated html has a iframe with its source attribute src=about:blank. We tried assigned a https url to the iframe src with javascript on page load. Also tried removing src attribute. But even before our javascript code gets executed the Warning message appears. We dont have control over the page generation logic of the ERP system.Considerable number of our customers client machines are still IE 6.

Please advise on suppressing this warning. It would be better to find a fix in javascript. we will not be able to set the Security settings for the whole corporate environment because of this site alone. At the same time, we are not sure when the ERP system can provide the fix.

Thanks in advance