Fixing the ‘Do you want to display nonsecure items’ message

April 30, 2008

Have you ever been to a web site and seen this?

Non secure items warning in IE

This warning is triggered in IE if it is displaying a secure HTTPS page that has caused a non-secure (i.e. HTTP based) resource to be downloaded. The message box doesn’t allow the user to control whether the non-secure content should be downloaded, only whether it should be displayed. 

This seems rather pointless as the damage may already have been done if the non-secure content was a picture of your passport, bank statement or credit card! However, this is the default setting in IE so it is best to avoid this warning being generated on your web site.

This setting can be changed in IE by:

  1. In IE go to Tools->Internet Options->Security
  2. Select the ‘Security’ tab
  3. Click the ‘Custom Level’ button
  4. In the ’Miscellaneous’ section change “Display mixed content” to Enable

Recently, we saw this warning in the shopping cart of an  computer store,  so we fired up HttpWatch to see what was causing the problem. A quick search for a URL starting with ‘http:’ should have located the request causing the problem:

HttpWatch trace for nonsecure items message at Ebuyer

No HTTP requests were recorded for this page in HttpWatch. So what was causing the ‘Do you want to display nonsecure items’ message?

It turns out that IE warns about HTTP based content even if it was read from the browser cache or the IE image cache. Requests from the browser cache are shown as (Cache) in HttpWatch, but as we previously described access to the IE image cache is not recorded.

The resource causing the warning on this page must have been read from the image cache. We confirmed this by refreshing the page in IE and performing another search:

Image causing nonsecure items warning

The refresh forced IE to download all the embedded resources on the page and it became clear that it was the Google Checkout image that was causing the problem. Changing this image’s URL to use HTTPS would prevent the warning from appearing.

Posted in Caching, HTTP, HTTPS, HttpWatch, Internet Explorer | Tagged , , , , | Comments (0)

What are people saying about HttpWatch?

April 23, 2008

Here’s a summary of some recent blog posts that have mentioned HttpWatch:

“My team has been using HttpWatch for a few months now to analyze the client side performance of SkyDrive.  Previously, I had relied on some internal tools we use that are based on NetMon, as well as Fiddler and Firebug with the YSlow plugin.  While these tools were pretty good, here’s why I think HttpWatch beats them all”

from HttpWatch - My favorite web performance tool,

“Inspecting the payload your server is issuing out can be quite tricky, luckily for the likes of you and I the boffin’s at Microsoft created Fiddler and Simtec created HttpWatch (which I use every single day - probably the best developer tool I’ve got in my arsenal, it’s also coincidentally the tool you’ll see screen shots from throughout this article)”

from Pimp my ASP.NET web application - Part One

“Wow, I thought I was good at learning about new tools, but I never heard about HttpWatch It works much in the same way as Firebug, as a add-in to Internet Explorer. It looks really really cool, and some of the features are even better than Firebug. I like how it even gives you insight into the TCP level of your browsing sessions, such as how much time a DNS lookup takes”

from Httpwatch: Commercial alternative to Firebug for Internet Explorer

“While modifying a website which uses AJAX, we are converting from a rather non-standard implementation of AJAX calls to one that is a lot more standard.  But, we’re still concerned about the number of the objects being downloaded, the size of each object, the time each object takes to download, the number of round-trips, etc. We wanted a way to easily visualize what’s happening. HttpWatch provides a way”

from A New Tool in My Tester’s Tool Box - HttpWatch

HttpWatch is a great add-on tool to Internet Explorer that captures your IE HTTP traffic. The best part for me is that it can be driven programaticly from my Watir Tests.

from Using HttpWatch with Watir

Posted in HttpWatch | Comments (0)

The Performance Benefits of Ajax

April 18, 2008

Web 2.0 is a term often used to describe next generation web sites that have moved beyond the simple page request->process->response cycle and are utilizing services on the web server to return data that can be rendered without making page transitions. The result is often a more responsive user interface that closely mimics a desktop application.

The technology to make HTTP calls from JavaScript embedded in an HTML page was first introduced for general use by Microsoft in IE5 in order to support Outlook Web Access way back in 1999. However, the XmlHttpRequest object was not widely used until it was adopted by Mozilla in 2002. In 2005 the programming model was given the name Ajax which has now been widely recognised and stands for Asynchronous JavaScript + XML.

From a performance perspective Ajax has two main benefits:

  1. It can reduce the number of round trips by minimizing the number of page transitions in a web application
  2. It can reduce the size of uploaded and downloaded data because it allows the web programmer to control exactly what is transferred. For example, if a user performs a search the data can be returned in a compact data format (e.g. JSON ) rather than HTML.

In order to illustrate how Ajax can increase the speed and usability of a site let’s first look at a traditional web site and then compare it to an Ajax example.

This is what happens on Expedia.com when we try to book a flight but we specify a partial or mispelled city code. In this case we typed in “LOND” instead of “LON” or “London”. We expectantly press the submit button hoping for a list of possible flights, but instead we’re directed to an error page:

Expedia Error Page

Using HttpWatch we can see that Expedia took 4.4 seconds, 30 round trips and 156K of data (of which 41K was uploaded)  to display the error page:

Expedia Error Page Summary

Even if there are no further mistakes we will still have to make further page transitions before we get the results we’re expecting.

Let’s look at a similar example on BA.COM where Ajax has been used:

BA Cities List

Here we did exactly the same thing - typed “LOND” instead of London. Instead of having to press submit, fetch a new choices page (with all linked page components) and drag the user through an additional form, the page used background processing to query the server and display a list of possible choices.

The beauty of this approach is that is that it didn’t require any user interaction, is very fast and it didn’t leave the search page. Here’s the Ajax request in HttpWatch:

BA Ajax Request

BA.COM uses the DWR framework for Ajax to request the possible airports. The framework returns a JavaScript list used to render the content into the dropdown list control. The single HTTP call required is much smaller and faster than the Expedia model where the whole page must be fetched and rendered.

Due to the inconsistencies between the programmable object models on different browsers, most developers now choose a framework to ease JavaScript development and most provide Ajax helper functions that wrap XmlHttpRequest. Java’s DWR has RPC style support. ASP.Net’s Ajax library, Dojo, Yahoo’s YUI and Google’s GWT support a whole suite of UI and control extensions as well as offering some kind of Ajax support. Similarly, Prototype and jQuery are two extremely lightweight and popular JavaScript libraries.

Let’s say you wanted to populate a list box with city codes based on the country a user selects. In Web 1.0 you would have to submit a form making a round-trip to the server with your choice of country so that the server could render the appropriate list of choices on the resulting HTML page.

With Ajax, this can all be done in the background. A lot of services use the XML data format, but there’s no restriction on the content type that XmlHttpRequest can send or receive. It could be HTML, JSON or any other format that the page’s JavaScript can parse.  Here’s an example of using the jQuery library to populate a list control from an Ajax request:

<script type="text/javascript" src="jQuery.js“></script>
...
<h2>Products</h2>
<div id="products“>(fetching product list …)</div>
<script>

new Ajax.Updater(’products’, ‘/productListHTML.aspx’, { method: ‘get’ });

</script>

The products <div> is initially empty, but the Ajax class Updater method wraps XmlHttpRequest and fetches some HTML from the server and uses it to populate the <div>.

One of the drawbacks people found with using Ajax was that they ended up breaking the back button. Clicking the Back button in some Ajax applications did not go to the previous logical operation. For example, if you were viewing the results of a search you would expect Back to take you to the search page so that you could modify the search criteria. Instead, the user would be taken to whatever happened to be the previous page in the browser’s history list.  In some cases, they may even have been the previous web site that the user had visited.

More recently though, browsers have exposed object models to help Ajax applications manipulate the browser history artificially so that they can correct the flow of operations as the user uses the forward and back buttons.

Posted in HTTP, HttpWatch, Javascript, Optimization | Tagged , , , | Comments (0)

Blocked time and IE 8

March 31, 2008

A common question we hear from our customers is “What is the Blocked time in HttpWatch and why are we seeing some much of it?”

The Blocked time in HttpWatch is shown as a gray block at the start of a request:

Blocked Time

We measure this time by looking at the time interval between these two events:

  1. The point at which IE determines that it requires the resource at a certain URL. For example, it may have downloaded some HTML and encountered an <img> tag that refers to a GIF file.
  2. At some later time IE peforms a network action required to download or validate a cached copy of the resource.

During this time interval, IE will check the cache to see if the resource is stored locally, determine what headers and cookies would have to be sent in a GET request to the server, and if necessary, wait for an existing connection to become available.

Although, IE is multi-threaded and could start downloading many resources in parallel it is subject to a connection limit per host name. The HTTP 1.1 specification (RFC2616) recommends that HTTP clients should have no more than two connections active per host name. Therefore, a web page that has all its embedded images, CSS and javascript files on the same hostname (e.g. www.example.com) will only be able to use a maximum of two connections to download content.

Here’s a screenshot from HttpWatch that shows what happens when you force a refresh (Ctrl+F5) of our home page using IE 7:

Two connections per host in IE 7

At any one time, only two HTTP requests are actively downloading content. The rest are in the blocked state waiting for their turn to use one of the two connections to the web server. The two yellow segments in the first two requests indicate that two TCP connections were made to the server (a yellow segment in an HttpWatch time chart indicates the TCP connect time).

For many web pages this has a major performance impact and is a strong motivator for reducing the number of round trips whenever possible.

Microsoft has just released IE 8 Beta 1. One of the most significant changes compared to IE 7 is that the maximum number of connections per host name has been changed. If you are on a fast, broadband connection it now uses a maximum of six rather than two connections per host name.

BTW, if you are going to use HttpWatch with IE 8 Beta 1 please make sure that you download and install version 5.3.

This screen shots shows the six connections being made with IE 8 and the increased concurrency during download:

Six connections per host in IE 8

The increase in the number of connections leads to a major reduction in blocked time. We found that the load time for our home page, with an empty cache, is on average 50% less in IE 8 Beta 1 compared to IE 7.

Steve Souders, author of ‘High Performance Web Sites’, has written a blog post entitled ‘Roundup on Parallel Connections’ that discusses the connection limits of other browsers and the possible effect on existing web servers.

Posted in HTTP, HttpWatch, Internet Explorer, Optimization | Tagged , , , , | Comments (0)

Printing and IE 8 Support in HttpWatch Version 5.3

March 13, 2008

softwareboxsmall.pngVersion 5.3 includes printing, print preview, support for IE 8 Beta 1 and several other fixes. The version history contains a detailed list of the changes.

Posted in HttpWatch, Internet Explorer | Tagged , | Comments (0)

Image Caching in Internet Explorer

February 27, 2008

If you build, maintain or tune web sites you’ll know about the browser cache and how to control caching using HTTP response headers. We’ve talked about caching in several previous posts.

However, you may not be aware that IE uses two caches for holding images. First, there is the regular browser cache that keeps a copy of downloaded image files in your Temporary Internet Files folder. It’s this cache that can be controlled by HTTP response headers such as Cache-Control and Expires.

There is also an image cache that IE uses to hold recently used images in memory. The main difference between the image cache and the browser cache is:

  • The image cache is never written to disk and is always emptied when IE closes
  • The image cache contains an expanded, Windows bitmap version of  GIF, JPG or PNG files
  • HttpWatch does not record access to the image cache, unlike the 304 and (Cache) responses that you’ll see when IE reads content from the browser cache

The point of the image cache is that it can be used to quickly render images without taking the CPU hit required to convert them from their native compressed format into a Windows bitmap.

The only documentation about the image cache is the ”Image Cache Limits” section of the registry settings for IE on Windows CE:

http://msdn2.microsoft.com/en-us/library/aa908131.aspx

Here’s the relevant section:

Image Caching in Windows CE

Although, these settings don’t work with IE 6 or 7 they do show that the image cache has limits on the size of images, the number of images cached and the maximum amount of memory that can be used. Limits like this have to be set because the expanded images can take up to 500% more memory than the original PNG, GIF or JPG format.

Let’s see the effect of the image cache by starting a new instance of IE and visting www.httpwatch.com:

Images loaded from browser cache

The (Cache) responses shown in HttpWatch indicate that the images on our home page were read from the browser cache.  The image cache would have been empty at this point because IE had just started.

If you click on the Download tab and then click back on the Home page tab you’ll see that only two images are shown in the resulting HttpWatch trace:

Image Caching on HttpWatch home page

Clearly, all the images for the home page must have been loaded from somewhere because the page was correctly rendered, but only two images requests from the browser cache are seen in HttpWatch. This is because the other images were read from the image cache.

Why were two of the PNG files still read from the browser cache? These two images are the largest image files on the page and they would expand to approximately 500 KB and 300 KB if they were both placed in the image cache. They probably breached the maximum image size limit in the IE 7 image cache and were therefore not stored in their expanded form.

It’s also possible to see that the image cache has a limit on the number of images it stores. Try visiting ebay.com and then yahoo.com in the same browser window to load up the image cache. If you then go back to www.httpwatch.com you’ll see that all the images have been flushed out of the image cache and had to be reloaded from the browser cache.

So, to make effective use of the image cache in IE you should:

  1. Minimize the number of images that your site uses
  2. Avoid single images that might expand to more than approx 200 KB

Of course, you should always try to minimize the number of images to reduce the network round-trips when a browser first loads a page. A popular technique for doing this is to use CSS sprites to merge several images together and there are some great tools to help you create the compound image.

Be careful though, that you don’t run into item 2) by creating a single large image that is not loaded into the image cache. You would get the benefit of less round trips on an initial visit, but the rendering in IE might actually be slower because the image would have to expanded from the browser cache whenever it was re-displayed.

Posted in Caching, HttpWatch, Internet Explorer, Optimization | Comments (0)