Download and Buy Now Link

Fixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’

April 23, 2009

In a previous blog post, we talked about the problem of using HTTP based resources, such as images, on a secure HTTPS page. Internet Explorer interrupts the download and displays a confirmation dialog whenever it detects the use of mixed content on a secure page.

In IE 7 and ealier, this dialog would cause annoyance to users but generally didn’t cause any other significant problems. This was because it was worded in such a way that most users would click on the Yes button and allow non-secure content to be downloaded.

However, the wording in the IE 8 version of this dialog has changed:

IE8 Security Warning

To download the content a user would now have to click on the No button. As we know, most people using the web only scan text and avoid reading it if at all possible! They will usually go for the Yes button if there is not an OK button.

Some sites are going to find that their secure pages in IE 8 have the following problems:

  • Any non-secure HTTP image beacons used for analytics data gathering will often be ignored
  • The page may not display or even work correctly if it relies on non-secure images, CSS or Javascript

Therefore, avoiding mixed content on HTTPS pages is even more important now that IE 8 has been released. It often becomes an issue when using third party services such as analytics or Content Delivery Networks (CDN). For example, we avoided the use of Google hosted Ajax libraries on our site until Google added HTTPS support.

As mention in the previous blog post, an IE user you can disable this warning by:

  1. Going  to Tools->Internet Options->Security
  2. Select the Security tab
  3. Click on the Internet zone icon at the top of the tab page
  4. Click the Custom Level button
  5. In the Miscellaneous section change Display mixed content to Enable
  6. Repeat steps 1 – 5 for the Local intranet and Trusted sites zones

However, if you are developing a web site you can’t expect your visitors to do this. It is better to fix the cause of the problem so that the warning is not displayed by default in IE 8. The only way to do this warning is to ensure that your HTTPS pages only access embedded resources using the HTTPS protocol. You can do this by following these steps:

  1. Use a sniffer like HttpWatch that supports HTTPS and shows files being read from the browser cache. The free Basic Edition is sufficient for this because you only need to see the URLs being accessed.
  2. Access the page causing the problem and click No when you see the security warning dialog.
  3. Any HTTP resources shown  in the HttpWatch window are the source of the problem; even if they loaded directly from the browser cache and didn’t cause a network round trip:Mixed Content in HttpWatch
  4. If you don’t initially see any HTTP based resources, try refreshing the page because a non-secure image may have been retrieved from the IE or Firefox image cache

EDIT #1: If you are a web developer trying to track down why your page causes this warning please also take a look  at http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/ where we cover some javascript snippets that can also trigger this warning. The comments section of both of these posts also contain useful information where people have found and solved related issues.

EDIT #2: Updated instructions to apply the change to all network zones

264 Comments

  • Thank you SO much for this info. This pop-up is more annoying than most ad-pops on sites.

  • I noticed when trying to use this method with a website setup in the “Trusted Site” Zone. If you change this setting for Trusted Sites, it doesn’t seem to take effect. For some reason the “Internet Zone” works for all Zones though!

    I’m using IE 8.0.6001.18702

  • I had this problem but little complex. The server is in intranet domain and it was referring to an internet site. So the warning message has gone only after setting Enable for ‘Display Mixed Content’ for both internet and intranet domains.

  • I get this error for websites in my trusted list, even though I have already set “enable mixed content” for this zone. How can I fix this?

  • It worked like a charm. I finally got fed up with this error message (security warning) and turned it off. If Chrome or Firefox don’t see the need to warn me about it, then who gives a crap. Rsbrux is right, if you add the site to the trusted list, you shouldn’t be warned about this.

    Thanks for the post :)

  • I go to Tools->Internet options etc etc. and change the Display Mixed Content to enable, but it makes no difference whatsoeve. The messages keep coming up. It forces me to use Google Chrome quite a bit. I really want to use ie8, but can’t tolerate that stupid warning coming up all the time. Any ideas?

  • Thanks for the instructions on how to disable the security warning. My google search switched to https:// today and every time I went to my homepage and when I opened others, I had to click No twice to even move forward. Now… it’s searching as usual. Thanks!

  • We noticed that as soon as we added the IFRAME, the customer would receive the following alert “Do you want to view only the webpages content that was delivered securely?”.

    This was because of the change in the security level of the pages. While CRM Live is hosted on a secure “HTTPS” protocol to provide more secure access to CRM, our custom pages uses “HTTP” protocol, so every time when CRM is accessed you get this prompt.

    To remove this follow the below steps.

    Go to Tools –> Internet Options –> Security Tab. Here select the proper zone under which your custom pages or the “HTTP” pages came.

    Now select “Custom Level” button.

    Here go to Miscellaneous –> display mixed content and select “Enable” option as shown in the below screen shot.

    With this done, you will not be prompted anymore.

  • None of the fixes worked permanently for me. But I found a great, easy solution. Dump IE And Install Firefox. Firefox is faster and less problematic, I love it.

  • I changed the http to https as instructed and downloaded the basic version of HttpWatch to track the URL’s. I noticed http://pagead2.googlesyndication.com… is listed in the HttpWatch even though the code, when I viewed the source code, has the “s” in https. I don’t understand this phenomenon.

  • Thank you so much for the instructions Atul! Worked perfectly! I was going crazy having to hit no a hundred times for my school web site.

  • Thanks so much for the info on avoiding that annoying prompt! It still amazes me that a fix to so many things in life can be found by asking my computer…

  • Thanks, a bunch! This error message was driving me crazy and I was unable to locate the root source until I read your post. :)

  • This did not fix my problem – i still get the message.
    I am running IE8 and I refuse to use Google Crome because of performance issues.
    Please help.

  • Does anyone have a solution to the problem posted by Modeboy on August 18, 2011 at 10:56 pm?
    If I enable the mixed content in trusted sites zone, but it’s set to Prompt in the nternet zone, IE 8 will prompt you anyway even though the status bar shows “Trusted sites | Protected Mode: Off”. I have to change the setting in the Internet zone, then it works for trusted sites as well. Is it a bug in IE 8 or another undocumented feature?
    Thanks,
    Igor

  • Tools/internet options/advance
    Under reset internet explorer settings hit reset.

    tick reset personal settings.

    restart IE

    Job done

    Shouldn’t need to backup favourites either.

    If the reset box is greyed out then try re-installing IE.

  • for Security Warning you can fallow below steps:-
    1.Going to Tools->Internet Options->Security
    2.Select the ‘Security’ tab
    3.Click the ‘Custom Level’ button
    4.In the ‘Miscellaneous’ section change “Display mixed content” to Enable
    thsks,
    Sarvesh Kumar

  • Here is another one that can cause this. If you are dynamically loading a div tag (or processing a template) and if that div tag has a background url style with a relative path, IE 7 and IE 8 throws this warning. Doesnt happen if you set the src tag of an image, only when you have background urls.

  • Thank you, Thank you, Thank you!!!
    I figure I have wasted 2 years of my life dealing with that annoyance.
    Thanks again

  • I had the same problem and it didn’t work until i found the solution on the other site. this one leaves out a couple steps. when you go to security. click on internet in the top section (the globe) then go to the custom level and continue to enable mixed content. after that you need to go back and click on local intranet (the globe with the computer) and click custom level again and enable mixed content there. there is a difference and if you don’t do it for both it will not solve the problem.

  • Thanks, that was really interfering with my work. I can now get on with my life. BTW this is the only website that actually gave me a real solution. I’ve been searching for 2 weeks to get rid of this.

  • It worked on laptop 1, now I just did this with lap top 2!
    Thanks! I am so grateful for all info I can find, and feel like I learn something each and every time I do these things, Thanks again!

  • I could kiss you!!! This was making me crazy. I spent more time dealing with this than I can tell you!!! Thank you.

  • Thank you so much, that was so annoying, that message was driving me insane. Although I still can’t get onto my bank website to do internet banking. Maybe this is a different problem??