Fixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’

calendarApril 23, 2009 in HTTPS , Internet Explorer

In a previous blog post, we talked about the problem of using HTTP based resources, such as images, on a secure HTTPS page. Internet Explorer interrupts the download and displays a confirmation dialog whenever it detects the use of mixed content on a secure page.

In IE 7 and ealier, this dialog would cause annoyance to users but generally didn’t cause any other significant problems. This was because it was worded in such a way that most users would click on the Yes button and allow non-secure content to be downloaded.

However, the wording in the IE 8 version of this dialog has changed:

IE8 Security Warning

To download the content a user would now have to click on the No button. As we know, most people using the web only scan text and avoid reading it if at all possible! They will usually go for the Yes button if there is not an OK button.

Some sites are going to find that their secure pages in IE 8 have the following problems:

  • Any non-secure HTTP image beacons used for analytics data gathering will often be ignored
  • The page may not display or even work correctly if it relies on non-secure images, CSS or Javascript

Therefore, avoiding mixed content on HTTPS pages is even more important now that IE 8 has been released. It often becomes an issue when using third party services such as analytics or Content Delivery Networks (CDN). For example, we avoided the use of Google hosted Ajax libraries on our site until Google added HTTPS support.

As mention in the previous blog post, an IE user you can disable this warning by:

  1. Going  to Tools->Internet Options->Security
  2. Select the Security tab
  3. Click on the Internet zone icon at the top of the tab page
  4. Click the Custom Level button
  5. In the Miscellaneous section change Display mixed content to Enable
  6. Repeat steps 1 – 5 for the Local intranet and Trusted sites zones

However, if you are developing a web site you can’t expect your visitors to do this. It is better to fix the cause of the problem so that the warning is not displayed by default in IE 8. The only way to do this warning is to ensure that your HTTPS pages only access embedded resources using the HTTPS protocol. You can do this by following these steps:

  1. Use a sniffer like HttpWatch that supports HTTPS and shows files being read from the browser cache. The free Basic Edition is sufficient for this because you only need to see the URLs being accessed.
  2. Access the page causing the problem and click No when you see the security warning dialog.
  3. Any HTTP resources shown  in the HttpWatch window are the source of the problem; even if they loaded directly from the browser cache and didn’t cause a network round trip:Mixed Content in HttpWatch
  4. If you don’t initially see any HTTP based resources, try refreshing the page because a non-secure image may have been retrieved from the IE or Firefox image cache

EDIT #1: If you are a web developer trying to track down why your page causes this warning please also take a look  at where we cover some javascript snippets that can also trigger this warning. The comments section of both of these posts also contain useful information where people have found and solved related issues.

EDIT #2: Updated instructions to apply the change to all network zones

267 thoughts on “Fixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’

  1. Clark Mxyzpltk says:

    I have my Internet Explorer settings under the Security tab in Internet, Intranet and Trusted Sites all checked to enable mixed content. However, I am STILL getting the popup. Does anyone know if there another setting that may be causing this? Thanks.

  2. Al says:

    I had this problem. I use AVAST. In AVAST settings, I turned off the AVAST IE browser plug-in and the mixed content pop-ups went away. Yay!

  3. Vikram says:

    Fixed … All it required was — CLICK “NO”
    thanks a ton

  4. Anurag says:

    Thanks a ton!!It works!!

  5. aaron says:

    Helped me get rid of one of Microsoft’s biggest trolls. thk u!

  6. R.J. Service says:

    thanks for all your help, I appreciate it.

  7. BillyBob says:

    Thanks! This was driving me nuts!

  8. Ming Hong says:

    Great article! Thanks

  9. urbandub01 says:

    Thanks man this was really annoying and now it’s gone!

  10. Olu says:

    Thanks, you saved me from those exasperating messages. In our case it was due to referencing some jquery sites. used httpwatch as recommended, removed the references as they weren’t even needed and now, it works to perfection. Bless you.

  11. helps me a lot. thanks

  12. braulio says:

    Well i did that with local intranet and trusted sites but the issue continued so i did it with internet also and it worked :) thanks

  13. Miguel says:

    Thanks for posting this. my company’s intranet and other sites always trigger this error and now I know how to disable it. this will keep me from losing my mind every five minutes. Thank you!!!

  14. gus smith says:

    Ok so I installed httpwatch. Cleared the browser cache in IE8 and opened the url that pops up this message. But I see no http://.. call in the httpwatch log file. Clicking NO or YES is not an option neither is letting users change their security settings as they cannot even change it due to IT restrictions.

    Any thought to sniff out what the source is of non secure references in a web application? I couldn’t find any reference to http://.. resources in js, java, html, jsp or xhtml files.

  15. Hemant Latawa says:

    Today So many Hosting Companies Providing Free SSL.

Got Something to Say?

Your email address will not be published.

Ready to get started? TRY FOR FREE Buy Now