Page Containing Non-Secure Item?

At work, the web application that I’ve been developing has always had this problem over a secure SSL link. On certain pages, before the document is fully loaded, a dialog box will pop up telling me that “This page contains non-secure items, would you like to display those items?”. Whether I choose ‘Yes’ or ‘No’ does not really make a difference, and the application can still be executed perfectly. However, this dialog box is really annoying, to the point that many people in the office have turned off this check in their Internet Explorer preferences.

Dialog Box

We have been digging through all our code to see whether we have explicitly referred to a URL using the ‘http’ protocol, instead of leaving it relative. However, the search has not been successful and all our code shows that we are using the URLs correctly. This is getting even more annoying today as some of my new Javascript widgets will pop up this message when they are in operation. Right click somewhere to bring up a context menu – BANG! There is that annoying dialog box asking you to confirm. So I decided that I must go and figure out what actually caused this problem.

Searching through trusted Google does not yield many useful results. Actually, a lot of sites on the first result page state the same problem. They tell their customers to simply ignore the dialog box when they are using the application. It is not right! That’s avoiding the problem! Until I hit this page on DevShed.com…

It does not present a clear answer, but I think I found the solution on here.

Make Sure You Have SRC Attribute In Your IFRAME!

We have quite a few IFRAME tags in our code, either pre-generated or appended to the document using DOM. Many of them point to a relative URL when they are created; however, some of them are created only as hidden placeholders. They are used in DHTML to replace some DIV code because a DIV does not hover well above the editing widgets. They are created without a SRC attribute, because their documents are created on the fly! Because the document does not have a URL, Internet Explorer gets confused and thus yields a warning about displaying non-secure items.

It ends up as an easy fix – just create those IFRAMEs with SRC pointing to a dummy page using a relative URL.

Category: Technology | Fri, 21 February 2003 6:34 pm


Comments

1.
Posted by Shailesh Powdwal on Fri, 19 September 2003 9:47 pm

Scott

This is THE problem I am also facing on my web site. Because of this, the customer is not accepting my application, which is very much perfect in all other requirements specs. I tried every possible thing, but in vain.

I have already given SRC to all the IFRAMES I am using. I still get that ugly message.

Do you have anything else in your mind as a solution to this?


2.
Posted by Scott Yang on Fri, 19 September 2003 10:44 pm

Shailesh,

If it does not solve your problem, then truly I have no idea. As the error message has suggested, it is caused by elements referring to a non-secure URL. IFRAMEs should all have a SRC attribute pointing to something like a relative path – a dummy page for example. If you have done that – then I am not sure what else is causing it..


3.
Posted by kerrie on Tue, 14 October 2003 5:42 am

Just wanted to say THANK YOU!!! This problem was driving me nuts, added a fake src and all is AOK!!!


4.
Posted by Eduardo De la Cruz on Wed, 12 November 2003 1:45 am

Thanks a lot!!! This topic was very helpful to me…


5.
Posted by Eduardo De la Cruz on Wed, 12 November 2003 1:59 am

If I have a “mail to:” reference, the same error appears when you click on it. Do you know how I can fix this problem?


6.
Posted by Paul Geerts on Tue, 9 December 2003 10:56 am

I’ve had the same problem – but I’ve also found some browsers are more paranoid than others:
My browser was happy with a sneaky “javascript:;” SRC url. It was also cool with “/blank.jsp”.
However several co-workers’ machines refused to stop complaining until I fully specified the SRC as “https://hostname/blank.jsp”. It seems not all IE6 installs are created equal.


7.
Posted by Scott Dimmick on Sun, 18 January 2004 11:37 pm

Scott,

Thank you so much for making this so much easier to fix. You saved me a lot of trial and error and research. Thanks a million. :)


8.
Posted by Rob Fernandes on Thu, 19 February 2004 11:48 pm

Very helpful… exactly what I was trying to answer. But it doesn’t deal with my exact issue: when the IFRAMED content on a secure page is proudly nonsecure! Trying to separate secure functionality and nonsecure furniture/decoration as separate layers by way of an IFRAME. The IFRAMED content is non secure and throws this dialog box all the time. It doesn’t on Mozilla, Safari etc. First time that IE has been the more frustrating one ;0) Any solutions!?


9.
Posted by reader on Thu, 25 March 2004 2:28 am

Thank you, thank you, thank you. This was very helpful.


Posted by Prakash on Thu, 25 March 2004 9:11 pm

I have an IFrame on a secure page in my application.
The src attribute of the frame is pointing to another site which is also a secured one. But when I navigate to the secure page (which has the IFrame) of my application, I get the same message “..Do you want to display the nonsecure items?”. How do I avoid this?


Posted by ddy on Fri, 10 December 2004 7:17 am

Thank You!
After many hours on google / google groups I luckily found this page.
Adding
src="/blank.jsp"
to the iframe tag did the trick!


Posted by shaila on Tue, 14 December 2004 5:57 am

I don’t have any iframe but instead I have the frameset/frames in my page… can you please tell me how to avoid that popup message in this situation?


Posted by scotty on Tue, 14 December 2004 7:34 am

shaila,

Same – if your page has a https address, make sure all your frames in frameset also have https addresses.


Posted by Danish on Mon, 31 January 2005 8:26 pm

This is really a wonderful article. I got my problem solved.

Thanks Scott.


Posted by Ed Allen on Sat, 5 February 2005 7:20 am

How do I stop this annoying popup? It is not on my webpage but one that I visit frequently.


Posted by Guillermo on Thu, 17 February 2005 6:07 am

Thank you very much. Very helpful. Saved a lot of work hours.


Posted by Fi3RC3 on Wed, 9 March 2005 3:28 am

Instead of using a blank page, it’s easier, you can also use:

This way it doesn’t have to check for a file every time.

.fi3rc3


Posted by Fi3RC3 on Wed, 9 March 2005 3:30 am

sorry….bout the previous post….

use: src="javascript:false;"


Posted by Leo Charre on Thu, 7 April 2005 11:44 am

I want to mention this to keep some people from getting confused, if that is alright.

If you flip between http to https, any absolute urls listed as http://whatever.com/whatever/img.jpg will show up, but will bring up the ‘mix of secure and non secure items’.
I feel it is important to mention this because a client we had was having problems with images breaking when he switched from http to https (he was using absolute server paths) –
His first solution was to define the full url to the resource, obviously this caused the ‘mix’ alert to come up.

Leo Charre


Posted by Lukasz on Wed, 27 April 2005 11:53 pm

Great article! I was desperately looking for a solution for a few weeks. I googled the Web, even employed an HTTP debugger without a success… until I found this page. Thanks a lot!


Posted by Lukasz on Wed, 27 April 2005 11:55 pm

Per Fi3RC3’s tip I used “javascript:false” URL and it works with IE6!


Posted by Alberto on Tue, 3 May 2005 10:30 am

I’m really clueless, I’ve tried everything
but the browser still pops up
“This page contains non-secure items, would you like to display those items?”
I’ve tried javascripts of every kind
always using SRC with absolute and relative path.
I’m really out of ideas.


Posted by Scott on Wed, 4 May 2005 12:45 am

I have the same problem. No IFRAME tags in any of the pages on the site. There are only three things that I can say with any certainty about the problem so far:
a) it has to be within client side HTML that the discrepancy is occurring because the browser doesn’t see server side processing. Therefore, it’s safe to assume that the browser is reacting to something in the post server-process HTML.
b) it’s only Internet Explorer that gets the message, and
c) whether selecting ‘yes’ or ‘no’ the pages are identical at the binary level, which means non-printable characters, capitalization, everything, is the same.


Posted by Irfan on Thu, 19 May 2005 7:45 pm

Thanks for the solution provided. I was finally able to resolve this after stepping up at this article.


Posted by Irfan on Fri, 20 May 2005 9:15 pm

Sorry about the last submit, I forgot to add the following.
If you are trying to build an iframe on the fly through javascript on a click on the page, add a value for the src property as follows:

mf = document.createElement("IFRAME");
mf.src = "/";


Posted by Eric K on Sun, 22 May 2005 10:43 am

I came across a similar issue. The page/application I was working on, however, didn’t have any IFRAMES but it did have a Flash Animation whose OBJECT and EMBED tags had their CODEBASE and PLUGINSPAGE tags pointing to -> http://some.macromedia.page.com. A quick hack around this issue was to change the URL to -> https://some.macromedia.page.com and voilà… it worked, turns out macromedia anticipated this and whether you use http or https everything works smoothly!

Just thought I’d post for posterity (in case someone else had the same issue)

PS: This comment post sucks because if you leave out your email address you have to type out the whole thing again! grrr…. Please let people know that the email is also required.


Posted by Peterpan on Thu, 9 June 2005 7:39 pm

What about a div, is there a way to stop the popup?
This is how my script looks:

function doTooltip(e, msg) {
    if ( typeof Tooltip == "undefined" || !Tooltip.ready ) return;
    var cntnt = wrapTipContent(msg);
    var tip = document.getElementById( Tooltip.tipID );
    Tooltip.show(e, cntnt);
}

function hideTip() {
    if ( typeof Tooltip == "undefined" || !Tooltip.ready ) return;
    Tooltip.hide();
}

function wrapTipContent(msg) {
    var cntnt = "";
    if ( msg[0] ) cntnt += '';
    if ( msg[1] ) cntnt += '' + msg[1] + '';
    return cntnt;
}

var messages = new Array();
messages[0] = new Array('https://domain.com/images/AAGC011P.jpg');
messages[1] = new Array('https://domain.com/images/AAGC012P.jpg');
messages[2] = new Array('https://domain.com/images/AAGC013P.jpg');
messages[3] = new Array('https://domain.com/images/AAGC014P.jpg');
messages[4] = new Array('https://domain.com/images/AAGC015P.jpg');
messages[5] = new Array('https://domain.com/images/AAGC016P.jpg');
messages[6] = new Array('https://domain.com/images/AAGC017P.jpg');
messages[7] = new Array('https://domain.com/images/AAGC018P.jpg');


Posted by vasanth on Mon, 8 May 2006 3:56 pm

Thanks a lot this article in specific was more useful to us.


Posted by Wildman on Sun, 28 May 2006 9:47 pm

Hi All,
Similar to Sheila’s question…. will a non-secure frameset page that masks a secure page display this annoying pop-up box? (i.e. must the frameset page also be https?) Many Thanks! -Bill


Posted by scotty on Sun, 28 May 2006 9:50 pm

Wildman,

Even with IE it varies depending on the security setting. However if your frameset page is a secure page, then I think it might require all frames to be HTTPS as well.


Posted by Wildman on Sun, 28 May 2006 10:04 pm

Thanks Scotty!


Posted by Alex on Fri, 9 June 2006 4:22 pm

Here’s the solution, make sure everything points to https, including some things that you may have forgotten about, like I did:
1. javascript external scripts – make the src attribute point to https
2. embedded objects – e.g. Flash, make sure the external references like CODEBASE and PLUGINSPAGE also point to https
3. external css files – same as the js
4. fix any iframe source references

Now within the external javascript files themselves, check any src references or paths WITHIN THOSE FILES. This does not appear to be a requirement for CSS files that have url() references to images (they work fine with relative paths).

Also, BIG TIP:
** Use Firefox / Tools / “Page Info” / “Media” tab, which will tell you which external references are relative, http://, or https://. Super helpful. Once you find the relative paths for external scripts fix those, and then go into those scripts themselves and fix any paths in there.
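
Added example (not code from the post or from any commenter): a small Node.js script that statically checks a page's HTML for the triggers named in the article and in the checklist above, namely an IFRAME or FRAME with no SRC, and script, stylesheet, image, embed or object URLs that start with http://. The tag list, function names and sample markup are assumptions made for the illustration, and the check does not see iframes created at run time from script.

```javascript
// Added example: static audit of HTML served over HTTPS for the triggers
// discussed on this page. Tag/attribute list and names are illustrative.
const URL_ATTRS = new Map([
  ['iframe', ['src']], ['frame', ['src']], ['script', ['src']],
  ['img', ['src']], ['link', ['href']],
  ['embed', ['src', 'pluginspage']], ['object', ['data', 'codebase']],
]);

// Parse the attribute text of one start tag into a lower-cased name -> value map.
function parseAttrs(text) {
  const attrs = Object.create(null);
  const re = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Return one finding per problem: a frame with no SRC, or an http:// URL in an
// attribute the browser loads as part of the page. Plain <a href> is ignored.
// Simplification: attribute values containing '>' are not handled.
function auditMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const urlAttrs = URL_ATTRS.get(tag);
    if (!urlAttrs) continue;
    const attrs = parseAttrs(m[2]);
    const line = html.slice(0, m.index).split('\n').length;
    if ((tag === 'iframe' || tag === 'frame') && !(attrs.src || '').trim()) {
      findings.push({ line, tag, attr: 'src', issue: 'missing-src', value: '' });
    }
    for (const attr of urlAttrs) {
      const value = (attrs[attr] || '').trim();
      if (/^http:\/\//i.test(value)) {
        findings.push({ line, tag, attr, issue: 'insecure-url', value });
      }
    }
  }
  return findings;
}

// Constructed sample page (hosts under example.test are placeholders).
const SAMPLE_HTML = `<html><head>
<script src="/js/widgets.js"></script>
<link rel="stylesheet" href="http://static.example.test/site.css">
</head><body>
<iframe id="shim" style="display:none"></iframe>
<iframe id="shim2" src="/blank.jsp"></iframe>
<object codebase="http://plugins.example.test/flash.cab" data="movie.swf"></object>
<a href="http://www.example.test/">plain link, not fetched with the page</a>
<img src="https://www.example.test/logo.gif">
</body></html>`;

for (const f of auditMixedContent(SAMPLE_HTML)) {
  console.log(`line ${f.line}: <${f.tag}> ${f.attr}: ${f.issue} ${f.value}`);
}
```

Run it against the HTML the server actually sends (view-source output), since that is what the browser evaluates.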


Posted by Quarco on Wed, 9 August 2006 10:30 pm

Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you !!!!!!


Posted by John Goodman on Thu, 12 October 2006 9:58 am

The reason for the problem is that some of the code (such as Google AdSense code) is making a link to a server in the non-secure mode (http), rather than in the secure (https) mode. When the page runs in the browser, you get the warning message, and nothing you can do to the code can change the problem as the problem is at the source-server, not your server.


Posted by Josh Justice on Wed, 1 November 2006 8:36 am

You rock! Thanks for this great find.


Posted by Tom Metro on Tue, 14 November 2006 10:27 am

If you are adding your IFRAME dynamically, it is important that you set the SRC attribute *before* you add the IFRAME element to your document’s DOM tree. Otherwise IE will generate the security warning, regardless of what you set the SRC attribute to. For more info, see this bug report that describes the same issue and how they resolved it:
http://xinha.python-hosting.com/ticket/114

-Tom


Posted by Marcos on Wed, 15 November 2006 1:42 am

Excellent tip!!!

For me it worked with: “javascript: false”

Thanks everybody!


Posted by Kristen on Mon, 27 November 2006 12:43 pm

Hey! My website is:
http://www.everafterrabbitry.com

I am still having trouble. It is on HTTPS but I have the error even offline: when I’m editing my webpage it talks about an ActiveX, and then online it talks about the non secure.

can anyone help? thanks


Posted by Vijay on Sun, 18 February 2007 8:11 am

Fantastic! It was indeed the src attribute in an IFRAME. Once I set it to a dummy url, the dialog disappeared. Thanks for sharing the tip. I am going to hotlink this page in my blog.


Posted by Sumon on Wed, 28 February 2007 6:53 pm

javascript:false; in iframe src worked for me!!!


Posted by Ananda Vardhan on Wed, 4 April 2007 6:59 pm

Our site is on https, I’m not using any iframe or flash, even then it’s popping up.
I’m getting the pop up twice while pressing the button. Any solution for this, please share it..


Posted by Stefan Hoehn on Mon, 23 April 2007 8:26 pm

@Tom Metro: You saved my day!

The sequence in which the iframe is added to the document dynamically is probably why there is so much confusion that some have a solution and some still have problems even though they use the right .src!


Posted by Robert Hirn on Tue, 29 May 2007 7:22 am

IrFan and Tom Metro

THAT is the solution. Setting the src programmatically before creating the element.

Thank you both!


Posted by Pranav Joshi on Fri, 8 June 2007 5:40 pm

Worked for me…. very very helpful post !!! Thanks!!


Posted by Sharbel on Wed, 13 June 2007 7:12 am

I ran into this issue due to the src of the (for flash object) was referring to the codebase and plugin through http. In IE, this would trip it up, but firefox handled it ok… as the user above described, changing it to https will get rid of the error and not cause any issues with the page loading.

BTW, this behaviour is consistent in IE5-7.


Posted by MG on Sat, 16 June 2007 12:56 am

Thanks Scott for creating a forum like place for this tiny yet very very annoying issue and providing with a solution.

Thanks to Paul Geerts too for coming up with cleaner approach.


Posted by Vipin on Tue, 10 July 2007 1:37 am

Hi All,

Thanks a lot for such a nice discussion.
Want to add that I am facing the same problem.
I haven’t used IFrame or the hardcoded path of images or anything in my code, but I am facing the problem.
Is there any open source tool by which I can check what unsecure item is causing the problem?
Does anybody have a suggestion on this?

Many Thanks


Posted by drew on Mon, 5 November 2007 9:46 am

I am having the same problem with my website. I used a web.com to set up my website and use a template for my pages, which provides no support for this issue. Because of the templates I haven’t had to write hardly any code except for my ads and site add-ons. But I don’t have any flash players or anything like that. The “do you want to display the nonsecure items” message started coming up after I inputted RSS feeds into my website. So I assume that might have to do with the problem. How do I go about fixing this?


Posted by please on Wed, 30 January 2008 5:13 pm

I don’t have any iframe or other things in my jsp, still my application pops up that nonsecure dialog box… please help


Posted by SfxWolf on Fri, 15 February 2008 10:16 pm

For those of you who want to stop the pop-up when it’s on other websites.
Step 1: Go to Tool >> Internet Options
Step 2: Select the “Security” Tab and then click on the “Custom Level” button
Step 3: Scroll down until you see the option: “Display mixed content”. Select the option “Enable”
Step 4: Click Ok, Then you will get a “Security Warning” pop-up. Click Yes


Posted by satyaki on Tue, 22 April 2008 5:00 pm

Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you Thank you


Posted by ss on Thu, 15 May 2008 7:09 am

In a php file, where should I include “javascript:false”?


Posted by vijay on Fri, 20 February 2009 7:25 am

Thanks a lot. It fixed my security popup with iframe, after putting src attribute as “blank.html”. But that solves only secure site starting with https.

But my code is same for both https and http. So if the site is not secure site, starting with http, I get “Page Not Found” error when using blank.html. Is there any workaround for http sites.

Please let me know..

Thanks


Posted by many on Tue, 12 May 2009 4:58 am

src='/blank.jsp'

Add above line in iframe element. Awesome work,


Posted by _mike909_ on Tue, 1 September 2009 11:49 pm

I’m using a hidden iframe for control reasons, and was already using the .src attribute for references to a dummy.htm, but during dev found that dummy.htm did not actually need to exist, so I never bothered creating it. All was fine until transfer to live https, when “non-secure” warning started appearing. Fixed when I added an empty dummy.htm.


Posted by Limerick on Mon, 28 September 2009 9:02 am

Hello All,

I’m going crazy.

My problem does not belong to a website.

In Windows Explorer (and not Internet Explorer) I’ve got this popup each time I right click on a .zip file located on my private network.

It only happens with a right click on a .zip file not located on my computer.

I tried the #50 advice above with Internet Explorer and Intranet feature, and it didn’t solve anything.

Please, help me…. :(

;)

Lim.

