BlogFixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’
April 23, 2009 in
HTTPS , Internet Explorer
In a previous blog post, we talked about the problem of using HTTP based resources, such as images, on a secure HTTPS page. Internet Explorer interrupts the download and displays a confirmation dialog whenever it detects the use of mixed content on a secure page.
In IE 7 and ealier, this dialog would cause annoyance to users but generally didn’t cause any other significant problems. This was because it was worded in such a way that most users would click on the Yes button and allow non-secure content to be downloaded.
However, the wording in the IE 8 version of this dialog has changed:
To download the content a user would now have to click on the No button. As we know, most people using the web only scan text and avoid reading it if at all possible! They will usually go for the Yes button if there is not an OK button.
Some sites are going to find that their secure pages in IE 8 have the following problems:
- Any non-secure HTTP image beacons used for analytics data gathering will often be ignored
- The page may not display or even work correctly if it relies on non-secure images, CSS or Javascript
Therefore, avoiding mixed content on HTTPS pages is even more important now that IE 8 has been released. It often becomes an issue when using third party services such as analytics or Content Delivery Networks (CDN). For example, we avoided the use of Google hosted Ajax libraries on our site until Google added HTTPS support.
As mention in the previous blog post, an IE user you can disable this warning by:
- Going to Tools->Internet Options->Security
- Select the Security tab
- Click on the Internet zone icon at the top of the tab page
- Click the Custom Level button
- In the Miscellaneous section change Display mixed content to Enable
- Repeat steps 1 – 5 for the Local intranet and Trusted sites zones
However, if you are developing a web site you can’t expect your visitors to do this. It is better to fix the cause of the problem so that the warning is not displayed by default in IE 8. The only way to do this warning is to ensure that your HTTPS pages only access embedded resources using the HTTPS protocol. You can do this by following these steps:
- Use a sniffer like HttpWatch that supports HTTPS and shows files being read from the browser cache. The free Basic Edition is sufficient for this because you only need to see the URLs being accessed.
- Access the page causing the problem and click No when you see the security warning dialog.
- Any HTTP resources shown in the HttpWatch window are the source of the problem; even if they loaded directly from the browser cache and didn’t cause a network round trip:
- If you don’t initially see any HTTP based resources, try refreshing the page because a non-secure image may have been retrieved from the IE or Firefox image cache
EDIT #1: If you are a web developer trying to track down why your page causes this warning please also take a look at http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/ where we cover some javascript snippets that can also trigger this warning. The comments section of both of these posts also contain useful information where people have found and solved related issues.
EDIT #2: Updated instructions to apply the change to all network zones
This error popup has been frustrating long before IE8, however- Microsoft actually has a point on this one. Shouldn’t really be serving non-secure content on a secure page. Let’s point the finger in the right direction and ask when google is going to give web developers an https/secure way to have analytics/adsense on our pages.
There is HTTPS support for Google Analytics. You can see this if you take a look at https://www.httpwatch.com with HttpWatch. In the page source you’ll some javascript code that performs the http/https switch.
Unfortunately, there’s currently no HTTPS support for Google Site Search. You’ll see this error if you visit https://www.httpwatch.com/search/ with IE 8.
Actually you can “correct” the problem temporarily by going to Tools>internet options>security>custom level>display mixed content: Enable.
The problem for me is gmail, i get it constantly when pics are downloading on HTTP email- almost all my emails. Hopefully google will fix this because gmail is the only site so far I’ve had this problem.
zac,
The ‘Display mixed content’ setting is mentioned in the previous post:
http://blog.httpwatch.com/2008/04/30/fixing-the-do-you-want-to-display-nonsecure-items-message/
However, if it’s your web site you can’t expect users to make this change in IE – it’s better to fix the cause of the problem,
It would be difficult for gmail to fix this because the images in email messages are not normally hosted by Google. They could provide an HTTPS proxy for embedded images but there may be considerable cost to setting up the infrastructure for that.
Why doesn’t Microsoft simply give users a choice when this pops up – annoyingly often? Click yes to be warned, click no to dispense with the warning. If been looking for a way to turn this off for 2 days until I found this blog. I’ll try Zac’s advise. Thanks.
Thanks a lot for Display mixed content Fix
Just to add to this discussion – from a users perspective seeing this message constantly can be annoying while surfing and it can be tempting to “correct” the problem by enabling mixed content as described.
However, I would caution against this as you may potentially allow unsecure scripts to run within secure pages – therefore a better approach is to make sure you select the “Trusted Sites” zone before making the change.
By only allowing mixed content from sites that you’ have told IE that you already trust you remain better protected with the default setting while surfing in the “Internet” zone.
Display Mixed Content to Enable does *not* fix this error for me. I have had it set to that for ages but since I downloaded IE8, it will not get rid of the message.
I’m a frequent reader of a message board that is secure (https:) and people have pictures in their siggies that link to non-secure sites, so I get this popup on literally every.single.thread that I try to view. It’s totally obnoxious. I’ve tried all sorts of other settings, exiting and restarting IE, restarting windows, double-checking the zones, etc. It won’t go away!
Same for me, whatever I do, this Message comes up all the time.
My Windows XP-Pro is a clean install with all security patches loaded.
I use avantbrowser (yes, teh latest one).
I have listed all known websites involved as secure. Doesn’t help (sic)
Anyone other ideas?
I am having the same problem – changed it to enable and it still pops up – IE8 Any advice welcome!
Thank you 1,000 times over for this easy fix to an extremely irritating “feature”!
Thanks
Thank you for this help. Very good!!
lots of people are stroggling with this, I wrote the simple answers for all this http://ebersys.blogspot.com/2009/03/do-you-want-to-view-only-webpage_27.html
Thank you for this help. I uninstalled IE8 previously just because it could not display image. I didn’t read the prompt message at all before until I read this article. :)
Gracias. It was getting pretty annoying. This was quick and easy.
Oh, thank you! I just updated to IE8 and every time I load a Twitter page, I get this freakin’ error. Very annoying. Spent some time poking around looking for how to turn it off and found your instructions. It worked, and I sincerely thank you!
And for those wagging fingers at developers, yes, it would be nice if all content were secure, but it would be even nicer if I could tell IE8 to always allow mixed content from this page (like a friend’s Twitter page) and it would just do it permanently without anymore security warnings every time I load the page.
Struggling to find best words to thank you enough. What a great help to fix a really irritating issue.
Amen and thank you. This has plagued me for ages and, foolishly, with my new Vista laptop I thought it would be fixed. It wasn’t. This is the perfect fix. My isohunt days shall be joyful once more lol.
Many many thanks
Thank you so much. It’s very fantastic to disable security warning pop up.
Very annoying that they decided to change from YES in IE7 and earlier to NO in IE8 to display mixed content.
Means users who are used to clicking Yes to view images now have to click No.
Almost all will still click yes resulting in images and/or Google’s “Maps”, “Analytics”, Etc… not being displayed, nasty. All any site needs to do is tag HTTP directories on their servers to be HTTPS accesble as well. When linking in from a secure site all existing files and sub-diretories down the tree will then be available both as secure content and/or non-secure content without making any other changes. I believe google now wants to charge for an “upgraded service” simply to allow https sourced maps, flip a switch and everyone pays?
WORK-AROUND
Trap for IE8 browser accessing your site and if “YES” is clicked trap for the inevitable resulting error that will occur.
Write a second pop up alert box that will display a warning directed specifically and only to IE8 users that “NO” must be clicked on the previous alert box to display content. Then only IE8 users users who have unfortunatley clicked “YES” will be bothered again with another alert and get some instruction as to what to do. Pain in the … for the user and webmaster alike.
Bless you! At work and home, this has been the single biggest PITA with IE8. Thanks!
You saved me from another Microsoft Migraine. Thank you. Now share this with the world, and tell Microsoft to read the book on effective human design next time they change something like this.
THANK YOU!! This stuff should not be that difficult to find…
Hello, the fix seems simple enough but when I go to “tools” -> Internet Options, there is not a “security tab” to select. The only tabs are “general, privacy, content, connections, programs and advanced”. Is it possible that my IT admin at work has disabled this tab so I cannot change the setting? I’ve looked through every tab for a “custom level” or “display mixed content” but I cant find it anywhere. Please help! Thanks!!!
Alex,
It looks like the Security tab can be disabled using a registry value:
http://www.pctools.com/guides/registry/detail/797/
Your IT admin group may have set this up to prevent changes.
THANK YOU so much for this information! I just started a new job this week, which allows me to work from home, but for which I have to quickly get materials prepared and revised. The usage of an electronic system, via this IE browser, was greatly slowed, due to this security warning.
Now that I’ve followed your instructions, that no longer happened, and I was able to get the tasks done much quicker. (I wish I’d known about & done this yesterday!)
To those who found that the enable mixed content did not work, I was getting the same thing. But then I found out that the web sites that I had added to the Trusted area in the Security tab still got the message. I clicked on the Trusted button to highlight it then went to the Custom area and found I had to enable the mixed content there as well.
I think I tried every other IE setting except for ‘Display mixed content’. Thanks for the tip!
Thanks for the tip about disabling the security warning. That was driving me crazy.
I stopped using IE a long time ago. Things like this post are the reason why. I’ve been using Firefox for years and have never looked back. I like Firefox so much better.
NOTE TO DEVELOPERS: I’ve been trying to solve this issue with a new web site of ours and the problem, it turns out, is the CODEBASE of the tag for the Flash player. I installed the free version of the tool mentioned in this blog, and it showed all of our images, scripts, stylesheets, etc. were secured via HTTPS, but the codebase wasn’t so IE8 was giving the security dialog.
I was hopeful that HttpWatch would show me something that a javascript was loading, but alas, it doesn’t show up in HttpWatch, understandably (after I finally figured it out) because the object (Flash player) is neither loaded from a web page or from the browser cache — it’s already installed.
And, by the way, it doesn’t matter if you select “Yes” or “No” at the security prompt because the Flash object is loaded either way. So why show the dialog??? I can see if IE8 didn’t allow the “object referenced from (but not necessarily installed from) a non-secure page” to execute, but this is not the case.
Therefore, simply change the codebase from “http://…” to “https://…” and this [one] issue will go away.
-john
P.S. Firefox and Google Chrome do not give any such security warnings and they both show the padlock icon indicating the site is fully secured.
Cheers for the steps to turn off this security warning! Too bad Microsoft can’t provide manuals for these inconveniences, have to rely on you guys. Thanks heaps.
THANK YOU!
I thought I’d share my experience of this. My site is in a Trusted Zone. So to remove the message, I did what everyone else was suggesting and changed the Display Mixed Content setting to “Enable” for the zone. But this made no difference.
I was able to fix my problem by changing it for the Internet zone. Even setting the Trusted Zone setting back to Prompt makes no difference – it must be an IE8 bug where they forget to look at the zone when choosing whether to show the dialog.
Nick
When a user goes to the secure section of my page in ie, they don’t get an error message, but the secure symbol shows for a second – then dissapears. If they refresh or come back to the page, the symbols shows up and stays after that. Everything works fine in firefox and chrome. Why would ie do that? Is it still secure if I get no errors but no symbol?
Mike,
You would get that behaviour if the warning was turned off in Tools->Internet Options and the page had some non HTTPS resources. You may also be interested in this follow up blog post:
http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/
Thanks for the response! Couple more questions… First of all, the warning is not turned off. Why would the padlock not show up until after a simple refresh of the page? All the same content is showing up? Also, I don’t get errors in other browsers and the padlock signal is displayed fine. I understand that they probably have the warning turned off, but wouldn’t the padlock not show up in those browsers if there was an issue?
Mike,
It looks like you have run into a different, but related problem
I found the code that was causing my problem.
google.load(“jquery”, “1.3”);
A couple questions though. First, I had an .asp script that said if it was a secure connection, don’t show that piece of code. So, when I looked at the source code on the page this piece of code didn’t show up. I always thought all .asp code ran before any javascript, but that doesn’t seem to be the case here? If I took this code out all together, it works fine.
Second, why would it show up secure after a simple refresh? Any thoughts would be appreciated.
Firefox.
Yes, I just had to since no one else has.
“Do you want to view only the webpage content that was delivered securely?” I was getting this in my Cox.net webmail on ever e-mail I opened. Thanks for the tip. This fixed my proble.
This problem cost me about half a day to fix, it ended up being a line in sorttable.js, a javascript that sorts tables in custom ways.
It ended up being somewhere around line 380:
/*@if (@_win32)
//document.write(“”);
//var script = document.getElementById(“__ie_onload”);
//script.onreadystatechange = function() {
// if (this.readyState == “complete”) {
// sorttable.init(); // call the onload handler
// }
//};
document.observe(“dom:loaded”, function() {
sorttable.init();
});
/*@end @*/
replacing the above code fixed it, but you need to have prototype on that page. This was just a quick fix, maybe there is a better solution, but i haven’t found one on google. Hope this helps someone.
Thanks for telling us how to turn off that pop-up, it’s the world’s most annoying thing. Why don’t big companies think before they implement something like that, it drives me mad. Cheers
Thank you for the posting. I just used wireshark to sniff since I already had it installed but it led me to the page that was referencing a hard coded HTTP link. Changed it to a relative link and everything is working now.
The company who built the web application said “it should just work with HTTPS. No need to do anything special.”
Thanks – that message has been frustrating me for awhile
thank you!
Thank you SO MUCH for helping me remove this annoying pop up!
Thank You so much! You have saved me a lot of searching for this fix!