We have previously written about the pointless and confusing ‘Do you want to view only the webpage content that was delivered securely‘ message in IE 8. It is displayed by default when a secure web page attempts to use non-secure content such as images, javascript or CSS. That post has been so popular that it attracts 40% of the traffic to this blog.
The IE 8 mixed content dialog is pointless because 99.9% of web users just want it to go away and let them get on with what they were doing. For the 0.1% of web surfers who do care, it is confusing because of the way it is worded:

The blog post described how you can disable this warning and from the comments it looks like many users are now doing this.
Even if you do this, IE still silently performs the check and hides the reassuring padlock icon that you normally see on HTTPS pages:

This could be disturbing for anyone on a checkout page who is about to enter their credit card details. So if you’re a web site developer you really need to avoid using mixed content - even for users who have disabled this warning. Firefox has the mixed content warning turned off by default. Let’s hope Microsoft do the same in the next version of IE.
You can normally fix the mixed content warning by ensuring that all the content on a secure page is served up with HTTPS. In HttpWatch you can quickly check a page by using a forced refresh to look for URLs starting with ‘http:’ :

However, a customer contacted us recently because they were still getting the mixed content warning even though they had no HTTP URLs on their secure page. After some investigation it was found that this commonly used javascript technique was causing the problem:
    // Causes mixed content message in IE on a secure page
    document.write('<script id="__ie_onload" src="javascript:void(0)"><\/script>');
    document.getElementById("__ie_onload").onreadystatechange = function() {
        if (this.readyState == "complete") domReady();
    };

It’s a trick used to emulate a DOMContentLoaded event in IE. A security warning occurs because of the use of the “javascript:” protocol even though no download occurs.
The fix is to use //: in the src attribute in the same way as popular javascript libraries such as jQuery and prototype. This does cause a harmless ERROR_INVALID_URL entry in HttpWatch, but it avoids the mixed content message:
    // Does not cause a mixed content message in IE on a secure page
    document.write('<script id="__ie_onload" src="//:"><\/script>');
    document.getElementById("__ie_onload").onreadystatechange = function() {
        if (this.readyState == "complete") domReady();
    };
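As an added example (not code from the original post or from HttpWatch), the scanner below checks page source for the two triggers described above: src values using http: and src values using the javascript: pseudo-protocol, with //: treated as safe. It also matches unquoted and backslash-escaped attribute values, which a literal text search for src="javascript would miss. The function name and the sample lines are constructed for illustration, and only src attributes are examined.

```javascript
// Matches src="v", src='v', src=\"v\" (inside a JS string) and unquoted src=v.
// The lookbehind keeps attributes such as data-src from matching.
const SRC_ATTR = /(?<![\w-])src\s*=\s*(?:\\?(["'])(.*?)\\?\1|([^\s>"'\\]+))/gi;

// Returns one finding per src value whose scheme is http: or javascript:.
function findMixedContentSources(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const m of text.matchAll(SRC_ATTR)) {
      const value = (m[2] !== undefined ? m[2] : m[3]).trim();
      const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(value);
      if (!scheme) continue; // relative path, protocol-relative URL or "//:"
      const name = scheme[1].toLowerCase();
      if (name === "http" || name === "javascript") {
        findings.push({ line: i + 1, scheme: name, value });
      }
    }
  });
  return findings;
}

// Constructed sample source for an HTTPS page (not taken from a real site).
const SAMPLE = [
  '<img src="https://www.example.com/logo.png">',
  '<img src="http://www.example.com/banner.png">',
  'document.write("<script id=\\"__ie_onload\\" src=\\"javascript:void(0)\\"><\\/script>");',
  "document.write('<script id=__ie_onload defer src=javascript:void(0)><\\/script>');",
  "document.write('<script id=\"__ie_onload\" src=\"//:\"><\\/script>');",
].join("\n");

for (const f of findMixedContentSources(SAMPLE)) {
  console.log(`line ${f.line}: ${f.scheme}: source -> ${f.value}`);
}
```

Run it with Node.js over the saved page source and any script files the page loads; lines 2, 3 and 4 of the sample are reported, while the HTTPS image and the //: form are not.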
9 Comments
I’ve come across yet another javascript bug in IE that causes the mixed-content error. If you removeChild an element with a url background image, the error is fired.
Found details here:
http://www.pelagodesign.com/blog/2007/10/30/ie7-removechild-and-ssl/
I duplicated this behavior in IE8. Setting style.backgroundImage = “none” prior to removeChild prevents the error.
.cw
We’re having a similar issue with this site: https://www.ua.edu/advancement/giving/donate/index_test.cfm. There are no calls to http:// objects in it, but I suspect some of the JS may be causing the issue. Any insight?
Thank you THANK YOU! Our problem was with a Movable Type installation. The cause of our security warning was the __ie_onload trick. At first we didn’t find it because in our code, the javascript:void(0) isn’t surrounded by double-quotes, so searching for src=”javascript yielded nothing. But we found it, and replaced the src attribute with “//:” and it now works fine. Seems like a crazy work around - but thank you 100 million for posting this. How on earth you found it…I don’t even want to guess.
Thanks httpwatch for this wonderful software to detect my http references in https page. I had same problem of security message. My https page did not have any http reference and it was working fine in IE7, and Mozilla, but testing in IE8 gave me security warning message. Using httpwatch I could come to know that following 2 auto generated files (scripts) by .Net were having http references (in view source of the page they displayed with relative path so did not get detected as http reference but httpwatch found them as http references :))
1. WebResource.axd (related to js) 2. ScriptResource.axd (related to ajax). I kept both these files in web.config secure page collection list as below
and now page works fine in IE8 without Security message. Thnx a ton httpwatch n its Team :)
This is for .Net developers who are having security message problem —
This message is due to mixed (http+https) content on the page. Please make sure that your https page contains only https content on the https page.
I had same problem of security message. My https page did not have any http reference and it was working fine in IE7, and Mozilla, but testing in IE8 gave me security warning message. Using httpwatch I could come to know that following 2 auto generated files (scripts) by .Net were having http references (in view source of the page they displayed with relative path so did not get detected as http reference but httpwatch found them as http references :))
1. WebResource.axd (related to js) 2. ScriptResource.axd (related to ajax). I kept both these files in web.config secure page collection list as below
and now page works fine in IE8 without Security message. Thnx a ton httpwatch n its Team :)
Reference Link : http://blog.httpwatch.com/
using this software you can find all http references in https page.
We are experiencing the same issue for a client, but only for the FIRST session with the browser. Subsequent sessions do not incur the error.
This only happens in IE 8. Did any of you see that behavior, where the error occurred, but then went away on subsequent sessions?
Thanks
Jerry
Whenever I go onto Facebook and click on Privacy Settings and then Search, it looks like everything is working properly. But then that message pops up and the search tool doesn’t work.
How can I fix the problem?? Please help, as I would like to be able to use the search engine to look for people
Thanks, Zac! :)
Just not having mixed content anymore is NOT an acceptable solution!
We have SSL-secured web applications running for our customers where the content managers are able to add rss feeds. For performance reasons we load these feeds dynamically with clientside javascript. Our trustworthy customers use trustworthy feeds from trustworthy sources.
Yet IE8 thinks it knows better and warns us… doh!
I think Microsoft should fix this before losing more and more users to Firefox and Chrome…