Saturday, June 18, 2005

Ajax: IE IFrame Bug

Some of my IE users were seeing a, "mixed secure and insecure content," warning. After looking everywhere for a style sheet, web page, image or script loaded via HTTP instead of HTTPS, I tracked the problem down to an iframe missing the src attribute (the attribute was set dynamically later on by Javascript). The correct solution is not for the client to lower their security settings. Mixing insecure (HTTP) and secure (HTTPS) content can defeat the security of the secure content. A truly secure web site should use HTTPS from the first page to the last and not cut security corners for the sake of performance. You can work around the issue by setting the src attribute to a blank page instead (this results in one more request, but it's a lot less annoying than the warning).

10 Comments:

Anonymous breadcrust said...

I guess the bug must result from IE actually loading an internal empty page (about:blank?), which is not secure, and it doesnt check that it shouldnt count as an actual page loaded in the iirame.

10:41 AM  
Anonymous George said...

Thanks, Bob. This post was very helpful diagnosing problems using the autocompleter from the script.aculo.us and prototype javascript libraries on IE over https (SSL). I just had to change their src="javascript:" to src="actualPage.asp" and it worked.

Thanks for posting this.

12:46 PM  
Anonymous george said...

Try this:

src="javascript:false;"

2:38 PM  
Blogger Richard Cook said...

I am only including the prototype script and I cannot find any iframe tags inside of it but I still get the errors. Any thoughts?

4:17 PM  
Blogger Bob said...

If you load your page using HTTPS, you must also load the prototype script using HTTPS.

5:13 PM  
Blogger Richard Cook said...

The script is being loaded with an https:// beginning.

10:31 AM  
Blogger Bob said...

You might use a debugging proxy to watch the requests.

10:58 AM  
Blogger Richard Cook said...

I used fiddler and saw that there was a request to "/" with an IP of 0.0.0.0 that came up red. There is a script call on about line 3988 that goes

document.write("script id=_onDOMContentLoaded defer src=//:

I didn't know if this was an empty call for the src and the javascript fills it in later or what.

3:19 PM  
Blogger Richard Cook said...

http://groups.google.com/group/rubyonrails-spinoffs/browse_thread/thread/7daae29348b1c258?hl=en

12:20 PM  
Blogger Richard Cook said...

Sorry, hit the submit button before I added comments. Another user found that a piece of code for detecting if DOM was loaded for IE was what was causing it. Since we're not using that part, I commented out the code and everything is good to go. I also got a message from the prototype guys that the next version will run differently to detect DOM for IE to fix the issue. Thanks for all of your help.

12:22 PM  

Post a Comment

Links to this post:

Create a Link

<< Home