IE6 "non-secure items notice" when using SSL

Question

digital-ether 399 Nearly a Posting Virtuoso

14 Years Ago

I have a page that is under SSL.

However, in IE6, I get a notification:

"This page contains both secure and non-secure items" etc.

I've looked at all the HTTP requests for that page in both Firebug and Wireshark, and none of it seems to be sent over plain HTTP, all the resources are being fetched over SSL/TLS. However, IE6 still gives the non-sure items notification.

I've also tried fiddler and charles proxies, and they also show all requests being made to SSL port 443.
Even firebug shows that all the requests seem to be made through HTTPS.

Has anyone come across something similar and know what is triggering IE's non-secure items message?

php

4 Contributors
10 Replies
201 Views
10 Hours Discussion Span
Latest Post 14 Years Ago Latest Post by digital-ether

drjohn 56 Posting Pro in Training

14 Years Ago

IE6 currently has about 10% of the market in browsers, so you may not need to worry about this for very long.

jstrain@gpc.edu 0 Newbie Poster

14 Years Ago

Verify that any include files, CSS etc that you do not have a reference to http instead of https

liamfriel 4 Junior Poster

14 Years Ago

I had this error from referring to http files inside a https location. Apparently this can happen even with images and any external data.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

digital-ether 399 Nearly a Posting Virtuoso Team Colleague · Answer 1 · 2010-03-09T22:31:01+00:00

IE6 currently has about 10% of the market in browsers, so you may not need to worry about this for very long.

I know, but right now I do have to worry. :)

digital-ether 399 Nearly a Posting Virtuoso Team Colleague · Answer 2 · 2010-03-09T22:51:51+00:00

Verify that any include files, CSS etc that you do not have a reference to http instead of https

I'm trying to make sure of this. I have made all the urls I could find relative. I verified with wireshark that there are no plain http requests being sent, and it seems everything is under TLS.

All three network protocol analysers I tried show https is the only protocol being used.... I can't imagine all three tests being done incorrectly.

digital-ether 399 Nearly a Posting Virtuoso Team Colleague · Answer 3 · 2010-03-09T22:57:21+00:00

Could it be possible that some of the items are being fetched over 128bit SSL while the page itself is 256bit SSL?

jstrain@gpc.edu 0 Newbie Poster · Answer 4 · 2010-03-09T23:17:26+00:00

jstrain@gpc.edu 0 Newbie Poster

14 Years Ago

Can you try testing on another computer?

digital-ether 399 Nearly a Posting Virtuoso Team Colleague · Answer 5 · 2010-03-10T01:10:43+00:00

After 3 hours of debugging it turns out the problem is with this line:

document.write("<script type='text/javascript' id=__ie_onload defer src=javascript:void(0)><\/script>");

This is run only for IE, and is the emulation for the window.domReady event so popular in Ajax Libs.

Apparently src=javascript:void(0) triggers insecure content for IE6,7,8.

When I change it to src='#' it works ok in IE6,7 but errors in IE8.

Any ideas on what could be used as a replacement, without incurring an extra HTTP request.

Note:

These trigger insecure notice:

about:blank
javascript:;

Throws error:

#
''

If interested here is the full code for reference: http://closure-compiler.appspot.com/code/jscbfa82c39e2e310e33f1786fb9a83f9ee/default.js

jstrain@gpc.edu 0 Newbie Poster · Answer 6 · 2010-03-10T01:25:14+00:00

Have you tried single quotes around id and src ?

digital-ether 399 Nearly a Posting Virtuoso Team Colleague · Answer 7 · 2010-03-10T01:52:42+00:00

Have you tried single quotes around id and src ?

I just did, and it still showed the message.

I tried linking to an empty javascript file and it works. However, I'd like to eliminate the extra http request for that file, especially since it is over HTTPS. Till then it works though.