Project

General

Profile

Bug #299

IE security warnings pop up on every page load

Added by Chris Buechler over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Web Interface
Target version:
Start date:
01/15/2010
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.0
Affected Architecture:

Description

In IE 8 (possibly other IE versions, 8 is all I've tried), every page load results in:

Security Warning
Do you want to view only the webpage content that was delivered securely?
This webpage contains content that will not be delivered using a secure HTTPS connection

Except the warning is apparently completely false - the page source shows nothing being pulled from HTTP, and even when telling it to pull "insecure" content, it never makes any HTTP requests at all from watching Wireshark with a filter on 80 and 443 to all hosts, all the traffic is HTTPS. The pages appear and function no differently regardless of whether you tell IE to load the "insecure" content or not.

Seems like an IE bug, but ~21% of the visitors to our website use IE (and hence probably the same using the web interface), that's too big of a chunk of users to write off an annoying pop up on every page load.

1.2.3 doesn't do this. It's independent of compatibility mode, does it with it on or off.

Associated revisions

Revision 7b7e5b30 (diff)
Added by Chris Buechler over 9 years ago

remove commented out bit that causes annoying pop ups in IE. Ticket #299

History

#1 Updated by Ermal Lu├ži over 9 years ago

Can this http://tinyurl.com/r3klju be the case?!

#2 Updated by Jim Pingle over 9 years ago

After watching the page load several times with HTTPWatch in IE and experimenting, I think I have at least narrowed this down. I don't see how, but it's sorttable.js.

If I rename sorttable.js, clear the cache, and reload the page, I get no warning. If I move sorttable.js back and refresh, the warning pops back up.

At no time is any non-HTTPS URL even requested, but something in that .js file is apparently throwing IE off enough that it thinks it isn't secure.

#3 Updated by Leon Straathof over 9 years ago

Verified the last post, this bug is still valid. Did not dive into the script yet but i am sure that it does do something illigal for an https environment. Don't know if this has high priority but since it has something to do with the security of the system (which is pretty vital for a router/firewall) i think i it should get some more attention.
I will try to figure out my self what is going wrong can't make any promises that i will find the cause.

#4 Updated by Leon Straathof over 9 years ago

This piece of commented code is the problem:

/* for Internet Explorer /
/
cc_on /
/
if (@_win32)
document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
var script = document.getElementById("__ie_onload");
script.onreadystatechange = function() {
if (this.readyState == "complete") {
sorttable.init(); // call the onload handler
}
};
/*@end
*/

Since it is commented it could be removed which solves the problem, however if it is temporarily commented and should be used in the future remove the src=javascript:void(0) because that is the real cause that cannot be used in a script tag when using it trough https.

regards,

Leon.

#5 Updated by Chris Buechler over 9 years ago

  • Status changed from New to Resolved

fixed, thanks for finding that Leon.

Also available in: Atom PDF