BlogFixing the IE 8 warning – ‘Do you want to view only the webpage content that was delivered securely?’
April 23, 2009 in
HTTPS , Internet Explorer
In a previous blog post, we talked about the problem of using HTTP based resources, such as images, on a secure HTTPS page. Internet Explorer interrupts the download and displays a confirmation dialog whenever it detects the use of mixed content on a secure page.
In IE 7 and ealier, this dialog would cause annoyance to users but generally didn’t cause any other significant problems. This was because it was worded in such a way that most users would click on the Yes button and allow non-secure content to be downloaded.
However, the wording in the IE 8 version of this dialog has changed:
To download the content a user would now have to click on the No button. As we know, most people using the web only scan text and avoid reading it if at all possible! They will usually go for the Yes button if there is not an OK button.
Some sites are going to find that their secure pages in IE 8 have the following problems:
- Any non-secure HTTP image beacons used for analytics data gathering will often be ignored
- The page may not display or even work correctly if it relies on non-secure images, CSS or Javascript
Therefore, avoiding mixed content on HTTPS pages is even more important now that IE 8 has been released. It often becomes an issue when using third party services such as analytics or Content Delivery Networks (CDN). For example, we avoided the use of Google hosted Ajax libraries on our site until Google added HTTPS support.
As mention in the previous blog post, an IE user you can disable this warning by:
- Going to Tools->Internet Options->Security
- Select the Security tab
- Click on the Internet zone icon at the top of the tab page
- Click the Custom Level button
- In the Miscellaneous section change Display mixed content to Enable
- Repeat steps 1 – 5 for the Local intranet and Trusted sites zones
However, if you are developing a web site you can’t expect your visitors to do this. It is better to fix the cause of the problem so that the warning is not displayed by default in IE 8. The only way to do this warning is to ensure that your HTTPS pages only access embedded resources using the HTTPS protocol. You can do this by following these steps:
- Use a sniffer like HttpWatch that supports HTTPS and shows files being read from the browser cache. The free Basic Edition is sufficient for this because you only need to see the URLs being accessed.
- Access the page causing the problem and click No when you see the security warning dialog.
- Any HTTP resources shown in the HttpWatch window are the source of the problem; even if they loaded directly from the browser cache and didn’t cause a network round trip:
- If you don’t initially see any HTTP based resources, try refreshing the page because a non-secure image may have been retrieved from the IE or Firefox image cache
EDIT #1: If you are a web developer trying to track down why your page causes this warning please also take a look at http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/ where we cover some javascript snippets that can also trigger this warning. The comments section of both of these posts also contain useful information where people have found and solved related issues.
EDIT #2: Updated instructions to apply the change to all network zones
Thanks. This was very helpful.
Worked fine, wish it was default setting :P.
I was beginning to think gmail was the problem, because every computer I used IE8 on was doing this.
Thanks for the tip… I use Gmail, and every single time I would open an e-mail with pictures, that stupid Microsoft dialog box would pop up… jeesh…
Personally, I don’t like Microsoft thinking for me… and I am glad for a way to turn off that stupid, annoying box…
Just another way to infringe upon my rights of free expression and implement more industry-imposed crap without my say so…
How hard would it have been, or be, to include a “don’t show this box again” radio button…
Microsoft = Big Brother… thanks for thinking for us, we are surely too stupid to think for ourselves….
It’s very displeasing when a big company like google or windows micro deliberately stick you in the face with their arrogance thinking they are God. And won’t allow you the time of day. Before they disrupt your peace and quiet. With dirty little quirks that make one mad. Thanks for the help.
Yet another epic fail from Microsoft.
I support a website for the UK National Health Service, which I have to access 20+ times a day. This is obviously in my ‘Trusted’ zone, but even with the “Display mixed content” set to Enable this warning still came up every time I moved from one page to another. The only way I’ve managed to stop it is to set the whole Internet zone to the same (insecure) setting.
As other people have said, how difficult would it have been for MS to include an option of ‘don’t warn me again for *this* website’ ? As always they seem to live in their own world and never respond to complaints/feedback from the rest of us.
Fail, fail, fail.
thanks for helping with ridding of that most annoying msg
i am a developer and i have developed a magento website. I am getting this error in IE8, please advise how can i get rid of this warning message? its very frustrating for customers
That was extremely helpful being able to turn off the warnign message.
Thanks
Thanks, that was really getting on my nerves yet so easy to fix. Kudos to you :)
It makes displaying external content in a secure WSS installation impossible. Great. Even certain themes that M$ includes in a WSS installation throw this error, so certain color themes cannot be used. Way to go…
OMG! I HATE YOU IE!!
This is very irrerating bug in IE8. Don’t know why MS can’t make this much user friendly like firefox of Google Chrome…
All of these solutions sound great if it’s annoying you. However, from a development standpoint, do you really want grandma having a pop-up on her screen, not understanding it and leaving because of it? No.
An easy way to get rid of the issue it to make the download link for the flash plugin a https link which works just the same as the http link. Either will give you the download file. For the pluginurl field just use https://www.adobe.com/. Yeah it doesn’t direct them to the exact location of the plugin, but anyone should be able to see that big link once they get to adobe’s site that says “download flash plugin”. This should get rid of the adobe plugin issue. Besides, who doesn’t have flash nowadays?
As far as google analytics is concerned they do support https and it is built into their js code.
Links to outside sites not sources will not cause a problem.
Check your CSS to ensure that you’re not using http for links to background images etc. Do not use https links either, as this is not good practice. Use relative paths in css (and for that matter anywhere) and not absolute paths. That avoids the need to use http or https.
But as pointed before, in
http://blog.httpwatch.com/2010/02/10/using-protocol-relative-urls-to-switch-between-http-and-https/
developers can use relative protocol to solve this problem.
I am a UK doctor using the NHS Choose and Book service to refer patients to hospital and this only works on MS IE. Generally we have been told to use the nice old insecure IE 6 or 7 but along comes the Browser Ballot and a moments lack of concentration at a presurised moment and ooops, I am upgraded to IE8. Far too secure for the good old NHS which uses mixed content on their pages and doubles the number of clicks to get around the already dire software. It seems the only solution is to allow mixed content on all sites so that’s jolly secure isnt it! So an attempt to make it more secure makes it less so. As Jim says; FAIL!
Hey thanks a lot for sharing such a good article,informative stuff here. Glad I found your site. Good content and very helpful.
The main differences between the Firefox and IE is Firefox allows you to surf the Internet
safer and faster, and it displays the Internet the way that it was intended to be. Firefox also gives you more web page viewing space so that you can see more than you would with other
browsers. The main difference that you’ll see is that Internet Explorer has gray behind its images, Firefox doesn’t.
By the way for more information on Professional training and Certification for Security courses check this link: http://www.eccouncil.org/certification.aspx
sogolfer – very good comment at number 21 regarding propagating the HTTPS down the tree when a developer is writing a webpage! I am SURE that it would work without having to change the settings for developers who can’t give their viewers the option of viewing mixed content when it should not be necessary to start with if HTTPS was 100% of the content. Nice one :-) Not a member of this forum yet but found this post extremely interesting to read. – Andrew aka Autolycus.
http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/#comment-10567
Just like to let you know that this comment fixed this problem on the website I’m developing. For IE6-8.
We are having this problem with the addition of the Google Translate script. They say it is compatable wtih https sites but it causes the aforementioned annoying alert. Even when I altered the url from http to https.
I appreciate the trick to changing it on my IE* but I also need to find a solution for the rest of our 1200 visitors per day. Any suggestions for me?
Here is the script they give to use plus my https alteration:
function googleTranslateElementInit() {
new google.translate.TranslateElement({
pageLanguage: ‘en’
}, ‘google_translate_element’);
}
OMG…. Thanks so much for the fix, its been driving me so so so so crazy!!!
Want a ‘real’ fix? Get a real web browser, FireFox. Every serious web developer I know (including myself) uses FireFox. IE (any version) is a developers nightmare especially IE6. Do yourself a favor and use a real web browser rather than waste time with the never ending glitches found in pretty much every Microsoft product.
Clicking only Enabling Miscellaneous doesn’t work.
You need to select – enable “Disply mixed content”
1.Going to Tools->Internet Options->Security
2.Select the ‘Security’ tab
3.Click the ‘Custom Level’ button
4.In the ‘Disply mixed content’ section change “Display mixed content” to Enable
Click Tools -> Internet Options -> Security (Tab) -> Trusted Site -> Sites -> Empty Websites Box and uncheck “Require server verification”
Hope this will help u. Thanks
This still did not solve the problem. I have enabled to display mixed content and I still get to see this problem. Is there any other workaround?
Thanks.
Finally.
Thank you for saving me from throwing myself off of a tall building, after I carried out the murder of my computer I had been plotting if that damn thing popped up “one more time”.
:D
@Marie: Ha ha, that’s too funny. I know just how you feel. Good thing I ran into this blog.
@httpwatch.com: Thanks for the fix. I thought there might be some kind of browser setting I could modify to get rid of that wonky pop-up, but didn’t know which one. Everytime I went to Twitter.com, that warning message reared it’s ugly little head.
The problem is IE8 in combination with Ajax-content. When I add an image to te page with my Ajax-script the url in Firefox is https://mysite.com/image.jpg with IE8 it’s http://mysite.com/image.jpg.
The errormessage of IE8 is correct, the way it handles Ajax-requests isn’t.
this problem happens when i log out of my virgin mail and just before my virgin home page comes back
using i.e.8 it dont happen any where else
RE:
Posted December 26, 2009 at 4:45 pm | Permalink
This problem cost me about half a day to fix, it ended up being a line in sorttable.js, a javascript that sorts tables in custom ways.
It ended up being somewhere around line 380:
Response:
Another way to fix this very annoying error with this piece of script, is to do the following
/*@if (@_win32) document.write(“”);
/*@end @*/
then create in sort_defer.js script file that contains 1 line of code.
sorttable.init();
But thanks for your original response.. i was at about a full day when i found your code that lead me to the above non-protype dependant solution.
I use godaddy’s website tonight builder because I dont know how to build websites. Is there a way I can still take care of this annoying problem?
Hi, I was also facing the same problem of SECURITY WARNING IN GMAIL . The permanent solution to the problem is not refreshing the page or using a different browser. The answer was there all along. Next time you log in to GMAIL go to Settings ( right hand top corner ) and on the bottom of the default settings page ( General ) you will find a Browser Connection option. There are 2 buttons. By default neither of them is selected.
Click on > Don’t always use https. Save settings.
Or if by mistake you might have clicked on Always use https earlier, then change to Don’t always use https.
That’s it. Problem solved.
Does anyone know a decent alternative to httpwatch for the mac?
thanks
Only Microsoft can come up with an error message as convoluted as this, which doesn’t even need to be displayed!
Re:
Posted August 2, 2010 at 10:43 am | Permalink
Does anyone know a decent alternative to httpwatch for the mac?
thanks
Try:
Fiddler installed over firefox.
It worked for me perfectly!
I was looking for the solution for hours(almost killed myself) and finally found it.
Thanks so much.
Thanks- I appreciate the time and effort you went to to help others! Nice one…
Peter
Thank you! This worked. The problem was very annoying and a waste of time :( Mostly gmail, but not only. So far, seems solved…!
Many many thanks for this suggestion.
this blog really helpful for me as i have fixed the issue immediately by reading the instruction from this blog
THAAANKS!
Thank you! I have been dealing with this prompt for a while and you gave me the answer to stop it. Great post
It is really good.
Thanks
While changing the settings from within gmail I dont get the internal warning when opening gmail. However, my problem still persists. From google main page, clicking on gmail link at top of page, I still get the mixed content warning. In IE8 I have google, google-analytics in trusted sites. On all internet security options (Internet zone, intranet zone, trusted sites) I have enabled mixed content. I still get the pop-up warning. I have installed httpwatch (basic), but don’t quite know what to do with it. It tells me what websites open to get to gmail, along with warnings, but I can’t change how the websites get handled. I have successfully made the change on other pc’s in the home, but my laptop (Vista Ultimate) still won’t clear the message. Any thoughts?
Does anyone have a hack for just suppressing this stupid error message? I am in a bind where I’ve developed an application around google maps, but since Google Maps is unsecured causes this error message. Users instinctively click “yes” and the whole application is useless.
I don’t want to re-develop the whole application around bing maps or anything, and the only way to get secure content from Google Maps is to pay $10,000/year for their “premier” service! My God, what a mishap :(
Wow this is really great.
Thanks
How do I detect which part of the webpage causes the problem? I’m trying to fix it on my site
Thanks