Fixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’

April 23, 2009

In a previous blog post, we talked about the problem of using HTTP based resources, such as images, on a secure HTTPS page. Internet Explorer interrupts the download and displays a confirmation dialog whenever it detects the use of mixed content on a secure page.

In IE 7 and earlier, this dialog would cause annoyance to users but generally didn’t cause any other significant problems. This was because it was worded in such a way that most users would click on the Yes button and allow non-secure content to be downloaded.

However, the wording in the IE 8 version of this dialog has changed:

IE8 Security Warning

To download the content a user would now have to click on the No button. As we know, most people using the web only scan text and avoid reading it if at all possible! They will usually go for the Yes button if there is not an OK button.

Some sites are going to find that their secure pages in IE 8 have the following problems:

  • Any non-secure HTTP image beacons used for analytics data gathering will often be ignored
  • The page may not display or even work correctly if it relies on non-secure images, CSS or JavaScript

Therefore, avoiding mixed content on HTTPS pages is even more important now that IE 8 has been released. It often becomes an issue when using third party services such as analytics or Content Delivery Networks (CDN). For example, we avoided the use of Google hosted Ajax libraries on our site until Google added HTTPS support.

As mentioned in the previous blog post, an IE user can disable this warning by:

  1. Going to Tools->Internet Options->Security
  2. Select the Security tab
  3. Click on the Internet zone icon at the top of the tab page
  4. Click the Custom Level button
  5. In the Miscellaneous section change Display mixed content to Enable
  6. Repeat steps 1 – 5 for the Local intranet and Trusted sites zones

However, if you are developing a web site you can’t expect your visitors to do this. It is better to fix the cause of the problem so that the warning is not displayed by default in IE 8. The only way to avoid this warning is to ensure that your HTTPS pages only access embedded resources using the HTTPS protocol. You can do this by following these steps:

  1. Use a sniffer like HttpWatch that supports HTTPS and shows files being read from the browser cache. The free Basic Edition is sufficient for this because you only need to see the URLs being accessed.
  2. Access the page causing the problem and click No when you see the security warning dialog.
  3. Any HTTP resources shown in the HttpWatch window are the source of the problem, even if they loaded directly from the browser cache and didn’t cause a network round trip.
  4. If you don’t initially see any HTTP based resources, try refreshing the page because a non-secure image may have been retrieved from the IE or Firefox image cache
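
As a complement to the HttpWatch trace, the page source itself can be checked for embedded resources that resolve to HTTP. The following is an added example, not code from the original post; the sample page, its host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource while rendering.
# <a href> is deliberately absent: a plain link is navigation, not mixed content.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "input": ("src",), "link": ("href",), "object": ("data", "codebase"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves
            self.base = urljoin(self.base, attrs["href"])
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel and "icon" not in rel:
                return  # other link types are not fetched for rendering
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            url = urljoin(self.base, value.strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((self.getpos()[0], tag, attr, url))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: an HTTPS checkout page with three insecure references.
PAGE_URL = "https://shop.example.com/checkout"
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.com/lib.js"></script>
</head><body>
<a href="http://example.com/help">Help</a>
<img src="//img.example.com/logo.gif">
<img src="http://stats.example.com/beacon.gif?p=checkout">
<object codebase="http://download.example.com/flash.cab"></object>
</body></html>"""
```

Calling `find_mixed_content(SAMPLE, PAGE_URL)` reports the script, the analytics beacon and the `codebase` attribute, and passes over the relative, protocol-relative and plain-link URLs. A static scan cannot see URLs requested at run time by scripts or stylesheets, so those still have to be found in the network trace.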

EDIT #1: If you are a web developer trying to track down why your page causes this warning, please also take a look at http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/ where we cover some JavaScript snippets that can also trigger this warning. The comments sections of both of these posts also contain useful information where people have found and solved related issues.

EDIT #2: Updated instructions to apply the change to all network zones

264 Comments

  • I have a problem that, due to the implementation of HTTPS over the entire site, Google Maps gives a warning of unsecured content. If anyone has solutions please send to my email

  • This issue is also caused by viewing websites in compatibility view. I have a website I know 100% all items are secured over https but still I was prompted that it was mixed content. I want to be prompted when there is mixed content on a page so I didn’t switch this off in IE8. As soon as I switched off compatibility mode, I was no longer prompted :)

  • Hey, thanks for the solution. Stupid pop up box was annoying. Life is short, saving some time. Problem solved. Thanks again.

  • Personally I think it’s a great idea that MS has incorporated this feature into IE. It may be annoying but it sure is foolish to turn it off. As a developer I am having to deal with this issue for a login page to a secure payment site. Would you as a user really want to go to a login site that has a JS file embedded in it from HTTP site? I wouldn’t, and if you turn off this feature in IE then you will never even know that some one just grabbed your credentials. Ignorance is bliss so they say :)

  • redir,

    It’s certainly a good idea for developers to be aware of the issue, but what about the hundreds of millions of ordinary users of IE?

    It’s just going to annoy them as they try to work out whether to click Yes or No. If you are going to force a response over an issue like this why not also highlight any attempt to submit a password field over a HTTP connection? That’s far more significant but is ignored by IE.

  • Thanks, the solution for me was the HTML for embedding a Flash file that had a http:// link to download it Flash.

  • @john, the code base guy.

    Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you.

  • For WEB DEVELOPERS:

    HTTP (instead of HTTPS) in the CODEBASE tag for Flash is not the only cause of this issue. In fact, referencing ANY non-SSL file or location will prompt this error.

    Keep in mind that even if you reference an external .js file (such as for Google Custom Search or other Google services), the external .js file may contain code that references non-SSL resources. This is precisely what was happening in my case: Google Custom Search’s external .js file ( https://www.google.com/uds/api/ads/2.0/71b547d3958f7b56072a3e9c6964a9ee/search.I.js ) was referencing the Google logo over HTTP ( http://www.google.com/coop/intl/en/images/google_custom_search_watermark.gif ).

    To find the cause of the problem, install the Basic version of http://httpwatch.com (as the original article states) and right-click the page in IE, choosing “HttpWatch Basic”.

    Clear IE’s history (Tools -> Internet Options -> General tab -> Browsing history -> Delete… -> Check Temporary Internet files -> Click “Delete” button); this prevents cached objects that you may already have addressed from causing the error.

    Then, hit the red “Record” button in HttpWatch before refreshing the troublesome page. Wait until IE throws the error dialog, and take note of the last file that loaded in HttpWatch’s topmost pane before the warning. After pausing for 10+ seconds, click the “No” button in IE’s warning dialog. If you waited long enough before clicking “No”, HttpWatch should have put somewhat of a “gap” between the last file that was loaded over SSL, and the file that’s causing the problem (because the logged entries are separated when there’s a sufficiently long pause between the requests).

    Even though I’ve determined the issue to be with Google’s AJAX-driven Custom Search files, I have not yet found a solution. I’ll post back if I do…

  • This error is the bane of my existence. I hate IE! 99.99% there is no security threat and all you have to do is change the image/file source from http to https; that does not really make it more “secure”.

    At least it would be helpful for the dialog box to point out what’s causing the error.

    AAARRGH!!!!

  • Cheers, this has been a helpful article! Couldn’t get rid
    of that security warning, was very irritating!!

  • Good thread fixed my headache. Maybe Microsoft / MSN should
    get its act together as that is the reason I came across this
    thread to destroy that annoying popup every time I went to check my
    Hotmail :P

  • God Thank You so much this was driving me nuts, pretty much
    every page besides google was bringing up that popup… drove me to
    d/l Firefox and Chrome just to avoid it… lol ty again

  • Of course one could start to use a decent browser…
    Chrome, Firefox, Safari, Opera and ditch IE

  • I don’t know if part of my problem is that I’m still using Windows XP Home, but this problem has more recently extended to Yahoo Mail’s sign in page! I’m fairly certain that the security of their entire webpage is too liable to be threatened by allowing the “unsecure” content to download!! Following the directions near the top of this page did indeed fix this issue. Of course, that still leaves the problem that many less tech minded individuals (my wife is included amongst them) won’t have the patience to try and fix the problem. Instead, there should be a “never display message” again checkbox on the alert itself. That would be a much more practical solution!

  • Well, I changed these settings in Internet Zone & the Trusted Sites Zone. Even though I was facing issue in Trusted zone, I had to change it in both of them to take effect.
    Interestingly though, I never saw these pop-ups before installing DivX on my system. Probably it triggers some security check mechanism that is not known.

  • I still can’t get to where I need to go even after enabling the mixed content option. So frustrating. Any words of wisdom?

  • The “enable” mixed content fix DID NOT work for me. Check under Tools-> Manage Add-ons-> Toolbars and Extensions. I would disable any toolbar that is listed “Not Verified”. The one that got in my browser is “Superfish – Window Shopper”. I’ve reported it to Microsoft, probably malicious.

  • Sorry! But I didn’t understand anything. When this message pops up in IE8 then what to press YES/NO? If I don’t want to compromise with my security, then should I press YES?

  • Oh! I Love You!!!

    Seriously. I’ve been dealing with this obnoxious mixed content thing for ages and ages…

  • I find it interesting that a lot of people have this problem with their home computers… when a simple fix is to install a better browser. I have never had a similar problem with Opera, Firefox, or Chrome! I can understand if you’re in a corporate environment though, as I am the only times I use IE8… and they don’t want anything better installed. Bah, knuckleheads.

    Anyone know if IE9 has the same problem? It actually looks to be a pretty decent browser (the last decent one MS has done was IE4 imo) It’s still not quite to my own tastes (variety is wonderful!) but that’s just me :)

  • This was Pretty helpful in getting rid of this annoying pop up!

    Thanks for such resourceful Stuff!!!
    Nitin Singh

  • Thanks. The pop up from Microsoft was annoying. But overall security has improved and I haven’t had a virus attack for a long time. So Microsoft deserves some credit too. But the pop up at frequently used sites like Gmail was a pain and I changed it by enabling the miscellaneous content as described here.

  • Thanks this was driving me crazy … it was always on a site I use all the time for my business.