I'm trying to use PIE.htc on a site that's served via https. The fixes it implements work perfectly. The problem is that no matter what I've tried, IE (version 6 in this case) raises the infamous "This page contains both secure and nonsecure items" alert.

Everything on the page is served from the same server, host, and domain. With no style references to PIE.htc, there's no warning. With one or more references to PIE.htc, there are (always exactly) two security warnings. Looking at the page before dismissing the dialog, it appears that the style have been successfully applied, despite the warning.

Note that this is NOT the "Internet Explorer has restricted this web page from running scripts..." warning. The script does run. It's just the security warning that's the problem.

What I've tried:

- Referencing PIE.htc from a relative URL
- Referencing it from a root-relative URL
- Referencing it from a protocol-relative URL (e.g. "//www.example.com/js/PIE.htc")
- Referencing it from an absolute URL (e.g. "https://www.example.com/js/PIE.htc")
- Putting PIE.htc in the same directory as the page on which it's used
- Adding the "Mark of the Web" comments to both the htc file and the page from which it's served
- Ensuring that the MIME type is set correctly on the apache server from which it's delivered (it is)

None of it helps.

It's been a tricky problem to research, but I did read something (which now I can't find) indicating that the manipulations performed by scripts like this one are somehow performed in an IE security zone that is by definition not the same as the zone in which an https page is running. Details were sketchy, though.

It's hard to believe nobody's tried to use PIE.htc on a site that works over SSL, so the search for solutions goes on.

Any suggestions?

Thanks for the thorough analysis, it really helps eliminate the "easy" stuff. I have to admit I've not used PIE myself over https, so I can't even verify that it does work properly. If you could help me debug a little bit:

1) You said this is in IE6; have you tried IE7 and/or IE8 to see if the problem occurs there as well?
2) Can you edit your copy of PIE.htc, find the string "url(about:blank)" and replace it with "none", and let me know if that helps? It's just a hunch.

I can confirm replacing url(about:blank) with url(none) works for IE6 (sp3), IE7, and IE8 when serving pages using SSL.

Jason, your suggestion did indeed solve the problem. Much obliged.

Thanks for trying that. I've opened ticket http://github.com/lojjic/PIE/issues/issue/69 to track getting this fixed.

Just to update this and make sure the best solution is implemented: It appears that the "url(none)" fix, while solving the immediate problem of the security warning in IE, creates a new issue. When the element to which the PIE.htc behavior is being applied is animated (imagine, for example, a rounded-corner DIV whose height is increased on mouseover), a multitude of requests for the invalid url "/none" are issued.

I'm not familiar with how css3PIE works, but I assume the layout change triggers a (near-continuous) series of updates to re-draw the affected areas, IE-style. So a slow animation over a couple of seconds may result in, for example, a thousand http requests for the nonexistent /none.

Here's a Stackoverflow question pertaining to this issue and the use of url(none): http://stackoverflow.com/questions/1161061/css-background-image-urlnone-leading-to-errors-in-apache-log-file.

Perhaps instead of

it should be

@rumkeg: Yes, sorry if I was unclear, you should have replaced "url(about:blank)" with "none", not with "url(none)". They are very different values.

Although the workaround seems to resolve the security warning, it seems to have a nasty knock on effect for us.

We use jQuery as well. With the workaround in place, whenever we try and click on a text field we're getting some bizarre jQuery errors.
The error emanates from the depths of jquery and is not very descriptive.

e.g. jquery 1.6.1

Line: 2968
Error: Failed

It's almost like the DOM element has become invalid?
Not at all clear what is going on.

Any ideas?
Thanks
Martin

I couldn't resolve why the workaround to replace url(about:blank) with 'none', is causing jQuery issues. As an alternative workaround, I've replaced the call to about:blank with a call to a url on our server which just returns empty content with a long expiry. This seems to resolve the issue.

Oldish thread I know...

I've just tripped over this same problem using IE6, https and CSS3 PIE (in Opencart). Just to note that IE7/8/9 are unaffected.

Thanks to the posters above for the fix. I've replaced url(about:blank) with none as described and this has fixed the problem. I've taken the additional precaution of creating a separate version of PIE.htc which I'm serving to IE6 via conditional comments and a separate stylesheet, just to avoid any issues resulting from this affecting IE7+ users. I'm also using jQuery but haven't seen any issues as mbayly describes.

There seems to have been no updates to the bug report, I'm guessing this might not happen given the fact that IE6 is nearly defunct.