Bug #299
closed
IE security warnings pop up on every page load
0%
Description
In IE 8 (possibly other IE versions, 8 is all I've tried), every page load results in:
Security Warning Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection
Except the warning is apparently completely false - the page source shows nothing being pulled from HTTP, and even when telling it to pull "insecure" content, it never makes any HTTP requests at all from watching Wireshark with a filter on 80 and 443 to all hosts, all the traffic is HTTPS. The pages appear and function no differently regardless of whether you tell IE to load the "insecure" content or not.
Seems like an IE bug, but ~21% of the visitors to our website use IE (and hence probably the same using the web interface), that's too big of a chunk of users to write off an annoying pop up on every page load.
1.2.3 doesn't do this. It's independent of compatibility mode, does it with it on or off.
Updated by Ermal Luçi over 14 years ago
Can this http://tinyurl.com/r3klju be the case?!
Updated by Jim Pingle over 14 years ago
After watching the page load several times with HTTPWatch in IE and experimenting, I think I have at least narrowed this down. I don't see how, but it's sorttable.js.
If I rename sorttable.js, clear the cache, and reload the page, I get no warning. If I move sorttable.js back and refresh, the warning pops back up.
At no time is any non-HTTPS URL even requested, but something in that .js file is apparently throwing IE off enough that it thinks it isn't secure.
Updated by Leon Straathof about 14 years ago
Verified the last post, this bug is still valid. Did not dive into the script yet but i am sure that it does do something illigal for an https environment. Don't know if this has high priority but since it has something to do with the security of the system (which is pretty vital for a router/firewall) i think i it should get some more attention.
I will try to figure out my self what is going wrong can't make any promises that i will find the cause.
Updated by Leon Straathof about 14 years ago
This piece of commented code is the problem:
/* for Internet Explorer /
/cc_on /
/if (@_win32)*/
document.write("<script id=__ie_onload defer src=javascript:void(0)><\/script>");
var script = document.getElementById("__ie_onload");
script.onreadystatechange = function() {
if (this.readyState == "complete") {
sorttable.init(); // call the onload handler
}
};
/*@end
Since it is commented it could be removed which solves the problem, however if it is temporarily commented and should be used in the future remove the src=javascript:void(0) because that is the real cause that cannot be used in a script tag when using it trough https.
regards,
Leon.
Updated by Chris Buechler about 14 years ago
- Status changed from New to Resolved
fixed, thanks for finding that Leon.