Forums
View unanswered posts | View active topics It is currently Thu Oct 17, 2019 7:13 pm



Reply to topic  [ 10 posts ] 
 "Secure and nonsecure" Warning 
Author Message

Joined: Thu Aug 19, 2010 1:23 pm
Posts: 3
Post "Secure and nonsecure" Warning
I'm trying to use PIE.htc on a site that's served via https. The fixes it implements work perfectly. The problem is that no matter what I've tried, IE (version 6 in this case) raises the infamous "This page contains both secure and nonsecure items" alert.

Everything on the page is served from the same server, host, and domain. With no style references to PIE.htc, there's no warning. With one or more references to PIE.htc, there are (always exactly) two security warnings. Looking at the page before dismissing the dialog, it appears that the style have been successfully applied, despite the warning.

Note that this is NOT the "Internet Explorer has restricted this web page from running scripts..." warning. The script does run. It's just the security warning that's the problem.

What I've tried:

- Referencing PIE.htc from a relative URL
- Referencing it from a root-relative URL
- Referencing it from a protocol-relative URL (e.g. "//www.example.com/js/PIE.htc")
- Referencing it from an absolute URL (e.g. "https://www.example.com/js/PIE.htc")
- Putting PIE.htc in the same directory as the page on which it's used
- Adding the "Mark of the Web" comments to both the htc file and the page from which it's served
- Ensuring that the MIME type is set correctly on the apache server from which it's delivered (it is)

None of it helps.

It's been a tricky problem to research, but I did read something (which now I can't find) indicating that the manipulations performed by scripts like this one are somehow performed in an IE security zone that is by definition not the same as the zone in which an https page is running. Details were sketchy, though.

It's hard to believe nobody's tried to use PIE.htc on a site that works over SSL, so the search for solutions goes on.

Any suggestions?


Thu Aug 19, 2010 1:40 pm
Profile

Joined: Wed Jul 14, 2010 11:46 am
Posts: 1452
Post Re: "Secure and nonsecure" Warning
Thanks for the thorough analysis, it really helps eliminate the "easy" stuff. I have to admit I've not used PIE myself over https, so I can't even verify that it does work properly. If you could help me debug a little bit:

1) You said this is in IE6; have you tried IE7 and/or IE8 to see if the problem occurs there as well?
2) Can you edit your copy of PIE.htc, find the string "url(about:blank)" and replace it with "none", and let me know if that helps? It's just a hunch.


Fri Aug 20, 2010 12:40 pm
Profile

Joined: Tue Aug 24, 2010 5:33 am
Posts: 1
Post Re: "Secure and nonsecure" Warning
I can confirm replacing url(about:blank) with url(none) works for IE6 (sp3), IE7, and IE8 when serving pages using SSL. :D


Tue Aug 24, 2010 5:35 am
Profile

Joined: Thu Aug 19, 2010 1:23 pm
Posts: 3
Post Re: "Secure and nonsecure" Warning
Jason, your suggestion did indeed solve the problem. Much obliged.


Tue Aug 24, 2010 2:25 pm
Profile

Joined: Wed Jul 14, 2010 11:46 am
Posts: 1452
Post Re: "Secure and nonsecure" Warning
Thanks for trying that. I've opened ticket http://github.com/lojjic/PIE/issues/issue/69 to track getting this fixed.


Wed Aug 25, 2010 10:17 am
Profile

Joined: Thu Aug 19, 2010 1:23 pm
Posts: 3
Post Re: "Secure and nonsecure" Warning
Just to update this and make sure the best solution is implemented: It appears that the "url(none)" fix, while solving the immediate problem of the security warning in IE, creates a new issue. When the element to which the PIE.htc behavior is being applied is animated (imagine, for example, a rounded-corner DIV whose height is increased on mouseover), a multitude of requests for the invalid url "/none" are issued.

I'm not familiar with how css3PIE works, but I assume the layout change triggers a (near-continuous) series of updates to re-draw the affected areas, IE-style. So a slow animation over a couple of seconds may result in, for example, a thousand http requests for the nonexistent /none.

Here's a Stackoverflow question pertaining to this issue and the use of url(none): http://stackoverflow.com/questions/1161061/css-background-image-urlnone-leading-to-errors-in-apache-log-file.

Perhaps instead of
Code:
a.backgroundImage="url(none)"

it should be
Code:
a.backgroundImage="none"


Tue Aug 31, 2010 3:04 pm
Profile

Joined: Wed Jul 14, 2010 11:46 am
Posts: 1452
Post Re: "Secure and nonsecure" Warning
@rumkeg: Yes, sorry if I was unclear, you should have replaced "url(about:blank)" with "none", not with "url(none)". They are very different values.


Tue Aug 31, 2010 3:27 pm
Profile

Joined: Wed Jul 27, 2011 3:28 pm
Posts: 2
Post Re: "Secure and nonsecure" Warning
Although the workaround seems to resolve the security warning, it seems to have a nasty knock on effect for us.

We use jQuery as well. With the workaround in place, whenever we try and click on a text field we're getting some bizarre jQuery errors.
The error emanates from the depths of jquery and is not very descriptive.

e.g. jquery 1.6.1

Line: 2968
Error: Failed

It's almost like the DOM element has become invalid?
Not at all clear what is going on.

Any ideas?
Thanks
Martin


Wed Jul 27, 2011 3:51 pm
Profile

Joined: Wed Jul 27, 2011 3:28 pm
Posts: 2
Post Re: "Secure and nonsecure" Warning
I couldn't resolve why the workaround to replace url(about:blank) with 'none', is causing jQuery issues. As an alternative workaround, I've replaced the call to about:blank with a call to a url on our server which just returns empty content with a long expiry. This seems to resolve the issue.


Thu Jul 28, 2011 10:17 am
Profile

Joined: Tue Jan 31, 2012 1:22 pm
Posts: 1
Post Re: "Secure and nonsecure" Warning
Oldish thread I know...

I've just tripped over this same problem using IE6, https and CSS3 PIE (in Opencart). Just to note that IE7/8/9 are unaffected.

Thanks to the posters above for the fix. I've replaced url(about:blank) with none as described and this has fixed the problem. I've taken the additional precaution of creating a separate version of PIE.htc which I'm serving to IE6 via conditional comments and a separate stylesheet, just to avoid any issues resulting from this affecting IE7+ users. I'm also using jQuery but haven't seen any issues as mbayly describes.

There seems to have been no updates to the bug report, I'm guessing this might not happen given the fact that IE6 is nearly defunct.


Tue Jan 31, 2012 1:27 pm
Profile
Display posts from previous:  Sort by  
Reply to topic   [ 10 posts ] 

Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group.
Designed by STSoftware for PTF.