Bug #299


IE security warnings pop up on every page load

Added by Chris Buechler about 12 years ago. Updated almost 12 years ago.

Web Interface

In IE 8 (possibly other IE versions, 8 is all I've tried), every page load results in:

Security Warning
Do you want to view only the webpage content that was delivered securely?
This webpage contains content that will not be delivered using a secure HTTPS connection

Except the warning is apparently completely false - the page source shows nothing being pulled from HTTP, and even when telling it to pull "insecure" content, it never makes any HTTP requests at all. From watching Wireshark with a filter on 80 and 443 to all hosts, all the traffic is HTTPS. The pages appear and function no differently regardless of whether you tell IE to load the "insecure" content or not.

Seems like an IE bug, but ~21% of the visitors to our website use IE (and hence probably the same using the web interface), that's too big of a chunk of users to write off an annoying pop up on every page load.

1.2.3 doesn't do this. It's independent of compatibility mode, does it with it on or off.

Actions #1

Updated by Ermal Luçi about 12 years ago

Can this be the case?!

Actions #2

Updated by Jim Pingle about 12 years ago

After watching the page load several times with HTTPWatch in IE and experimenting, I think I have at least narrowed this down. I don't see how, but it's sorttable.js.

If I rename sorttable.js, clear the cache, and reload the page, I get no warning. If I move sorttable.js back and refresh, the warning pops back up.

At no time is any non-HTTPS URL even requested, but something in that .js file is apparently throwing IE off enough that it thinks it isn't secure.

Actions #3

Updated by Leon Straathof almost 12 years ago

Verified the last post, this bug is still valid. Did not dive into the script yet, but I am sure that it does do something illegal for an HTTPS environment. Don't know if this has high priority, but since it has something to do with the security of the system (which is pretty vital for a router/firewall), I think it should get some more attention.
I will try to figure out myself what is going wrong; I can't make any promises that I will find the cause.

Actions #4

Updated by Leon Straathof almost 12 years ago

This piece of commented code is the problem:

    /* for Internet Explorer */
    /*@cc_on @*/
    /*@if (@_win32)
        document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
        var script = document.getElementById("__ie_onload");
        script.onreadystatechange = function() {
            if (this.readyState == "complete") {
                sorttable.init(); // call the onload handler
            }
        };
    /*@end @*/

Since it is commented, it could be removed, which solves the problem. However, if it is temporarily commented and should be used in the future, remove the src=javascript:void(0), because that is the real cause that cannot be used in a script tag when using it through HTTPS.
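
As an added example (not code from this ticket, pfSense or sorttable.js), the Node.js check below scans script or HTML source for tags whose src carries an explicit scheme other than https, which catches the src=javascript:void(0) identified above. The names findInsecureSrc and schemeOf and the sample input are constructed for illustration, and treating every explicit non-https scheme as suspect is an assumption that goes beyond the one case reported here.

```javascript
// Added example: flag tags whose src uses an explicit scheme other than https.
// SAMPLE is constructed; its second line mirrors the snippet quoted in this ticket.
const SAMPLE = [
  '/*@if (@_win32)',
  'document.write("<script id=__ie_onload defer src=javascript:void(0)><\\/script>");',
  'document.write("<script src=\\"https://example.invalid/a.js\\"><\\/script>");',
  'document.write("<script src=/javascript/sorttable.js><\\/script>");',
  'document.write("<img src=\\"http://example.invalid/x.png\\">");',
].join('\n');

// <tag ... src=VALUE>, where VALUE is quoted (groups 2,3) or unquoted (group 4).
const SRC_ATTR = /<(\w+)\b[^>]*?\ssrc\s*=\s*(?:(["'])(.*?)\2|([^\s>"']+))/gi;

// Returns the lowercased URL scheme, or null for relative and
// protocol-relative URLs, which inherit the scheme of the page.
function schemeOf(value) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(value);
  return m ? m[1].toLowerCase() : null;
}

function findInsecureSrc(text) {
  // Undo JS string escapes (\" \' \/) so markup inside document.write() parses.
  const clean = text.replace(/\\(["'\/])/g, '$1');
  const findings = [];
  for (const m of clean.matchAll(SRC_ATTR)) {
    const src = m[3] !== undefined ? m[3] : m[4];
    const scheme = schemeOf(src);
    if (scheme === null || scheme === 'https') continue;
    // Escapes never contain newlines, so line numbers match the original file.
    const line = clean.slice(0, m.index).split('\n').length;
    findings.push({ line, tag: m[1].toLowerCase(), src, scheme });
  }
  return findings;
}

for (const f of findInsecureSrc(SAMPLE)) {
  console.log(`line ${f.line}: <${f.tag}> src=${f.src} (scheme ${f.scheme})`);
}
```

Run over a web root before release, a non-empty result points at the file and line to inspect when a browser reports mixed content that never shows up on the wire.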



Actions #5

Updated by Chris Buechler almost 12 years ago

  • Status changed from New to Resolved

fixed, thanks for finding that Leon.

