Forum Moderators: phranque
"this page contains content that will not be delivered using a secure HTTPS connection..."
I thought I had everything properly targeted, with relative paths, and I can't figure out which content on the page are not-HTTPS.
When I click "Yes" meaning I only want to see secure content, I get the whole page. nothing is missing. scripts all work. graphics are all there. Even the GA Analytics script seems to be working fine.
I even browsed the site with Fiddler, to show me all the HTTP requests, but whenI load the page all I see are a lot of CONNECT requests, over HTTP (not HTTPS) that return 200 OK. I don't see any of the page content requests at all. So that was no help. Mind you I'm pretty new at using Fiddler and perhaps there's a setting I haven't configured...
So, how do I find out *which* content is triggering the IE error dialog?
Perhaps worth noting that Firefox does't complain at all
I've tried commenting out suspicious sections of the page (Google Anaytics, 3rd party images, and a SWF), but still the error persists.
Everything on my page is being sent with HTTPS. The only requests going HTTP are the CONNECT requests. The only URLs on my page that aren't from my own domain are those for ssl.google-analytics.com, and I know that's not the problem because I removed that code from the page yet still got the security warning.
Now another detail - when I detect someone has navigated to
http://www.example.com/secure.php
I send them a 301 redirection to
https://www.example.com/secure.php
Could the redirection be causing any problems?
I was going to jump on Flash and G.A., these are usually the ones that get overlooked. Is it possible IE is caching the old versions? Test a page without commenting, physically remove G.A. (you've done) and Flash objects. You wouldn't think a comment would still kick it, but who knows, maybe it's a security thing to avoid hacking the SSL via malformed comment code.
If you have a full valid doctype, is it maybe the doctypl URL? Yes I am grasping straws here . . . .
I guess if it can't be eliminated this way, go old school on it and begin eliminating elements one by one.
I removed this:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
and replaced it all with a simple <html>.
yeah, it messed up my layout in a big way, but the security warning still popped up.
Ctrl-F and looked through the page source for the letters "http". They don't appear anywhere. All my CSS backgrounds and <script>s are relative paths.
I'm running out of things to remove on the page. LOL
when I turn off scripting, the error goes away.
I'm getting warmer...
A Javascript
was creating an instance of a class
defined in another script file
which created an element
then injected it into the DOM
then called another function
which set a CSS "background" property for that element
and used this string as the value of the property:
'/images/element_background.png'
The javascript file itself was loaded using HTTPS, and the image path was relative. That's why I didn't see it at first. But when this line of script created a new Element and applied a new CSS property, the browser made its request for the background image using HTTP, not HTTPS.
To fix the problem, I had to fudge in an absolute path:
(('https:'==document.location.protocol)?'https:':'http:') + '//www.example.com/images/element_background.png'
now the security warning is gone and I am happy.
I know that's not the problem because I removed that code from the page yet still got the security warning.
Unless you have proof that only one http request is being made, then removing a piece of code tells you nothing if the problem remains (because there could be two or more faults and you may have succeeded in eliminating one of them).
Kaled.
The tactic that finally worked was to disable all scripts - then narrowing it down by first commenting out all my <script> tags, then uncommenting them one at a time until the error came back.
btw, to comment out the scripts, I used PHP to completely eradicate those elements from the output, using my favourite "if false" method:
<?php if(false){ ?>
<script src='blahblahblah1.js'></script>
<script src='blahblahblah2.js'></script>
<script src='blahblahblah3.js'></script>
<?php } ?>
IMHO it is a bug in IE. When I dynamically add an element to the DOM of an HTTPS page, the CSS assets for that element should also be requested with HTTPS. They're not.
