Fixing the ‘Do you want to display nonsecure items’ message
April 30, 2008 in
Caching , HTTP , HTTPS , HttpWatch , Internet Explorer
Have you ever been to a web site and seen this?
This warning is triggered in IE if it is displaying a secure HTTPS page that has caused a non-secure (i.e. HTTP based) resource to be downloaded. The message box doesn’t allow the user to control whether the non-secure content should be downloaded, only whether it should be displayed.
This seems rather pointless as the damage may already have been done if the non-secure content was a picture of your passport, bank statement or credit card! However, this is the default setting in IE so it is best to avoid this warning being generated on your web site.
This setting can be changed in IE by:
- Going to Tools->Internet Options->Security
- Select the Security tab
- Click on the Internet zone icon at the top of the tab page
- Click the Custom Level button
- In the Miscellaneous section change Display mixed content to Enable
- Repeat steps 1 – 5 for the Local intranet and Trusted sites zones
Recently, we saw this warning in the shopping cart of an computer store, so we fired up HttpWatch to see what was causing the problem. A quick search for a URL starting with ‘http:’ should have located the request causing the problem:
No HTTP requests were recorded for this page in HttpWatch. So what was causing the ‘Do you want to display nonsecure items’ message?
It turns out that IE warns about HTTP based content even if it was read from the browser cache or the IE image cache. Requests from the browser cache are shown as (Cache) in HttpWatch, but as we previously described access to the IE image cache is not recorded.
The resource causing the warning on this page must have been read from the image cache. We confirmed this by refreshing the page in IE and performing another search:
The refresh forced IE to download all the embedded resources on the page and it became clear that it was the Google Checkout image that was causing the problem. Changing this image’s URL to use HTTPS would prevent the warning from appearing.
Hi
I found that the problem was setting relative paths for CSS images from javascript – see http://www.weeklywhinge.com/?p=82 for info
Cheers!
Thank you. That error was driving me nuts!
Thanks a lot … I was really getting annoyed by this …
your solution helped …
This secure message happens because src=”” in my empty tag in my case.
Dm
This is not working for me in IE8/Windows XP. Despite the fact that I have http://www.google.com set as my home page, what I am getting is https://www.google.com, and every attempt to type in a search string generates the prompt. I have put both versions of the Google URL in my Trusted Sites and enabled mixed content, and that didn’t help, so in desperation I enabled mixed content for the Internet zone, and that still didn’t help. This behavior has started within the past few weeks. I believe it doesn’t happen in IE9/Windows 7. The popup doesn’t appear till I’ve started typing a search string, and then sometimes it takes two clicks on Yes or No (which I click haphazardly, as I really don’t care), and by that time Google has started autocompleting the first few letters I typed with (of course) irrelevant results. It’s driving me crazy!