Fixing the ‘Do you want to display nonsecure items’ message

calendarApril 30, 2008 in Caching , HTTP , HTTPS , HttpWatch , Internet Explorer

Have you ever been to a web site and seen this?

Non secure items warning in IE

This warning is triggered in IE if it is displaying a secure HTTPS page that has caused a non-secure (i.e. HTTP based) resource to be downloaded. The message box doesn’t allow the user to control whether the non-secure content should be downloaded, only whether it should be displayed.

This seems rather pointless as the damage may already have been done if the non-secure content was a picture of your passport, bank statement or credit card! However, this is the default setting in IE so it is best to avoid this warning being generated on your web site.

This setting can be changed in IE by:

  1. Going  to Tools->Internet Options->Security
  2. Select the Security tab
  3. Click on the Internet zone icon at the top of the tab page
  4. Click the Custom Level button
  5. In the Miscellaneous section change Display mixed content to Enable
  6. Repeat steps 1 – 5 for the Local intranet and Trusted sites zones

Recently, we saw this warning in the shopping cart of an  computer store,  so we fired up HttpWatch to see what was causing the problem. A quick search for a URL starting with ‘http:’ should have located the request causing the problem:

HttpWatch trace for nonsecure items message at Ebuyer

No HTTP requests were recorded for this page in HttpWatch. So what was causing the ‘Do you want to display nonsecure items’ message?

It turns out that IE warns about HTTP based content even if it was read from the browser cache or the IE image cache. Requests from the browser cache are shown as (Cache) in HttpWatch, but as we previously described access to the IE image cache is not recorded.

The resource causing the warning on this page must have been read from the image cache. We confirmed this by refreshing the page in IE and performing another search:

Image causing nonsecure items warning

The refresh forced IE to download all the embedded resources on the page and it became clear that it was the Google Checkout image that was causing the problem. Changing this image’s URL to use HTTPS would prevent the warning from appearing.

6 thoughts on “Fixing the ‘Do you want to display nonsecure items’ message

  1. Hi

    I found that the problem was setting relative paths for CSS images from javascript – see http://www.weeklywhinge.com/?p=82 for info

    Cheers!

  2. Mike Sharp says:

    Thank you. That error was driving me nuts!

  3. Ashish says:

    Thanks a lot … I was really getting annoyed by this …
    your solution helped …

  4. Dm says:

    This secure message happens because src=”” in my empty tag in my case.

    Dm

  5. This is not working for me in IE8/Windows XP. Despite the fact that I have http://www.google.com set as my home page, what I am getting is https://www.google.com, and every attempt to type in a search string generates the prompt. I have put both versions of the Google URL in my Trusted Sites and enabled mixed content, and that didn’t help, so in desperation I enabled mixed content for the Internet zone, and that still didn’t help. This behavior has started within the past few weeks. I believe it doesn’t happen in IE9/Windows 7. The popup doesn’t appear till I’ve started typing a search string, and then sometimes it takes two clicks on Yes or No (which I click haphazardly, as I really don’t care), and by that time Google has started autocompleting the first few letters I typed with (of course) irrelevant results. It’s driving me crazy!

Got Something to Say?

Your email address will not be published.

Ready to get started? TRY FOR FREE Buy Now