page contains both secure and nonsecure items When setting locationin IE6

Discussion in 'Javascript' started by DBLWizard, Jun 27, 2008.

  1. DBLWizard

    DBLWizard Guest

    Howdy All,

    I'm fighting with IE on a secure site where I am trying to set the
    location of a frame from within javascript using code similar to this.

    sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocumentType
    %>&Instrument=" + sInstrument;
    objFrameImage = window.top.frames['fraImage'];
    objFrameImage.location = sHref;

    IE 6 throws up this message that says "This page contains both secure
    and nonsecure items.". None of the other browsers seem to have this
    problem including IE7. Is there a way to fix this?

    Thanks

    dbl
    DBLWizard, Jun 27, 2008
    #1
    1. Advertising

  2. DBLWizard wrote:
    > I'm fighting with IE on a secure site where I am trying to set the
    > location of a frame from within javascript using code similar to this.
    >
    > sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocumentType
    > %>&Instrument=" + sInstrument;
    > objFrameImage = window.top.frames['fraImage'];
    > objFrameImage.location = sHref;
    >
    > IE 6 throws up this message that says "This page contains both secure
    > and nonsecure items.". None of the other browsers seem to have this
    > problem including IE7. Is there a way to fix this?


    Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
    feature.

    Long answer:

    Probably the server-side ASP script, triggered with the client-side
    assignment here, redirects to a non-SSL HTTP resource, inevitably
    establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
    connection, which IE/MSHTML warns you about.

    While you could simply disable the setting that triggers this behavior (in
    Internet Options, Security or Advanced tab), the only way to prevent the
    message from appearing reliably in all clients is not do to that, and to
    perform server-side URL rewrite (proxying) instead.

    How that can be done depends on your server and is off-topic here, on-topic
    e.g. in comp.infosystems.www.servers.* instead.


    PointedEars
    --
    var bugRiddenCrashPronePieceOfJunk = (
    navigator.userAgent.indexOf('MSIE 5') != -1
    && navigator.userAgent.indexOf('Mac') != -1
    ) // Plone, register_function.js:16
    Thomas 'PointedEars' Lahn, Jun 27, 2008
    #2
    1. Advertising

  3. DBLWizard

    DBLWizard Guest

    Re: page contains both secure and nonsecure items When settinglocation in IE6

    On Jun 27, 4:19 pm, Thomas 'PointedEars' Lahn <>
    wrote:
    > DBLWizard wrote:
    > > I'm fighting with IE on a secure site where I am trying to set the
    > > location of a frame from within javascript using code similar to this.

    >
    > > sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocumentType
    > > %>&Instrument=" + sInstrument;
    > > objFrameImage = window.top.frames['fraImage'];
    > > objFrameImage.location = sHref;

    >
    > > IE 6 throws up this message that says "This page contains both secure
    > > and nonsecure items.". None of the other browsers seem to have this
    > > problem including IE7. Is there a way to fix this?

    >
    > Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
    > feature.
    >
    > Long answer:
    >
    > Probably the server-side ASP script, triggered with the client-side
    > assignment here, redirects to a non-SSL HTTP resource, inevitably
    > establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
    > connection, which IE/MSHTML warns you about.
    >
    > While you could simply disable the setting that triggers this behavior (in
    > Internet Options, Security or Advanced tab), the only way to prevent the
    > message from appearing reliably in all clients is not do to that, and to
    > perform server-side URL rewrite (proxying) instead.
    >
    > How that can be done depends on your server and is off-topic here, on-topic
    > e.g. in comp.infosystems.www.servers.*instead.
    >
    > PointedEars
    > --
    > var bugRiddenCrashPronePieceOfJunk = (
    > navigator.userAgent.indexOf('MSIE 5') != -1
    > && navigator.userAgent.indexOf('Mac') != -1
    > ) // Plone, register_function.js:16


    Thomas,

    To claify this is on a site with an SSL certificate and I never
    declared it as a bug, only that I wanted to bypass it somehow. The
    DocumentView.asp streams a pdf down to the page and no where no how am
    I directing to a non SSL resouce. I have even tried putthing the
    absolute https://sitename/DocumentView.asp on the location and that
    doesn't change it.

    Thanks

    dbl
    DBLWizard, Jun 28, 2008
    #3
  4. Re: page contains both secure and nonsecure items When setting locationin IE6

    DBLWizard wrote:
    > Thomas 'PointedEars' Lahn wrote:
    >> DBLWizard wrote:
    >>> I'm fighting with IE on a secure site where I am trying to set the
    >>> location of a frame from within javascript using code similar to this.
    >>> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocumentType
    >>> %>&Instrument=" + sInstrument;
    >>> objFrameImage = window.top.frames['fraImage'];
    >>> objFrameImage.location = sHref;
    >>> IE 6 throws up this message that says "This page contains both secure
    >>> and nonsecure items.". None of the other browsers seem to have this
    >>> problem including IE7. Is there a way to fix this?

    >> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
    >> feature.
    >>
    >> Long answer:
    >>
    >> Probably the server-side ASP script, triggered with the client-side
    >> assignment here, redirects to a non-SSL HTTP resource, inevitably
    >> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
    >> connection, which IE/MSHTML warns you about.
    >>
    >> While you could simply disable the setting that triggers this behavior (in
    >> Internet Options, Security or Advanced tab), the only way to prevent the
    >> message from appearing reliably in all clients is not do to that, and to
    >> perform server-side URL rewrite (proxying) instead.
    >>
    >> How that can be done depends on your server and is off-topic here, on-topic
    >> e.g. in comp.infosystems.www.servers.*instead.
    >> [...]

    >
    > [...]
    > To claify this is on a site with an SSL certificate and I never
    > declared it as a bug,


    You implied that it was a problem *of* IE, i.e. a bug. It's not.

    > only that I wanted to bypass it somehow.


    Why would you want to bypass a Good Thing?

    > The DocumentView.asp streams a pdf down to the page and no where no how
    > am I directing to a non SSL resouce. I have even tried putthing the
    > absolute https://sitename/DocumentView.asp on the location and that
    > doesn't change it.


    No surprise here because it matters what ASP does, not how it is invoked.

    Again, it's most certainly _not_ a problem with your posted script code (a
    quick test with <a href="..." target="fraImage">foo</a> probably shows).
    (But then, alas you posted only "similar" code.)

    So unless you have a server-side JScript script in ASP here that you need
    help about, your problem is *off-topic* here. But even then a newsgroup or
    forum dedicated to ASP (.NET) would be a better choice, as the ASP experts
    are *there*.

    In order to have a chance to receive further helpful replies here and
    *elsewhere*, I strongly suggest you learn how to post properly in Usenet:

    <http://www.jibbering.com/faq/#FAQ2_3>


    PointedEars
    --
    var bugRiddenCrashPronePieceOfJunk = (
    navigator.userAgent.indexOf('MSIE 5') != -1
    && navigator.userAgent.indexOf('Mac') != -1
    ) // Plone, register_function.js:16
    Thomas 'PointedEars' Lahn, Jun 28, 2008
    #4
  5. DBLWizard

    DBLWizard Guest

    Re: page contains both secure and nonsecure items When settinglocation in IE6

    Ok I'm not sure if your dense or what. This is a clientside problem
    not a server side problem. This is running in a onload of one page
    that is in an adjacent frame. The code I have presented here is
    EXACTLY the code that is causing the problem. I'm not trying to GET
    AROUND anything. I am trying to figure out why IE6 is the only
    browser that seems to have a problem with this code. Yes I implied it
    is an problem in IE. And as I am not connecting to an unsecured
    resouce I guess I would it is presenting false information to user.

    Let me give you another example of a similar "problem". IE6 gives the
    same message with the following code:

    function showImage(sredirection){
    {
    var newwin = window.open("", "",
    "toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=0,resizable=0,maximized=1")
    newwin.location.href = "DocumentView.asp" + sredirection
    newwin.focus();
    }

    But does not when the code looks like this:

    function showImage(sredirection){
    {
    var newwin = window.open("DocumentView.asp" + sredirection, "",
    "toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=0,resizable=0,maximized=1")
    newwin.focus();
    }

    Now I don't know if you call that a bug or not. But its inconsistent
    at the least.
    Another example is if you initialize a frame with no source like this
    IE 6 throws up a message about secure and unsecure information on the
    same page:

    <frame scrolling="no" name="fraImage" src="">

    But if you create a "blank" html page as a place holder it is ok.

    <frame scrolling="no" name="fraImage" src="blank.htm">

    Again, I'm not trying to deceive the user. I believe i am getting
    this message erroneously and want to find someway as in the above
    examples to get the message to go away.

    On Jun 28, 4:16 am, Thomas 'PointedEars' Lahn <>
    wrote:
    > DBLWizard wrote:
    > > Thomas 'PointedEars' Lahn wrote:
    > >> DBLWizard wrote:
    > >>> I'm fighting with IE on a secure site where I am trying to set the
    > >>> location of a frame from within javascript using code similar to this.
    > >>> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocumentType
    > >>> %>&Instrument=" + sInstrument;
    > >>> objFrameImage = window.top.frames['fraImage'];
    > >>> objFrameImage.location = sHref;
    > >>> IE 6 throws up this message that says "This page contains both secure
    > >>> and nonsecure items.". None of the other browsers seem to have this
    > >>> problem including IE7. Is there a way to fix this?
    > >> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
    > >> feature.

    >
    > >> Long answer:

    >
    > >> Probably the server-side ASP script, triggered with the client-side
    > >> assignment here, redirects to a non-SSL HTTP resource, inevitably
    > >> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
    > >> connection, which IE/MSHTML warns you about.

    >
    > >> While you could simply disable the setting that triggers this behavior (in
    > >> Internet Options, Security or Advanced tab), the only way to prevent the
    > >> message from appearing reliably in all clients is not do to that, and to
    > >> perform server-side URL rewrite (proxying) instead.

    >
    > >> How that can be done depends on your server and is off-topic here, on-topic
    > >> e.g. in comp.infosystems.www.servers.*instead.
    > >> [...]

    >
    > > [...]
    > > To claify this is on a site with an SSL certificate and I never
    > > declared it as a bug,

    >
    > You implied that it was a problem *of* IE, i.e. a bug. It's not.
    >
    > > only that I wanted to bypass it somehow.

    >
    > Why would you want to bypass a Good Thing?
    >
    > > The DocumentView.asp streams a pdf down to the page and no where no how
    > > am I directing to a non SSL resouce. I have even tried putthing the
    > > absolutehttps://sitename/DocumentView.aspon the location and that
    > > doesn't change it.

    >
    > No surprise here because it matters what ASP does, not how it is invoked.
    >
    > Again, it's most certainly _not_ a problem with your posted script code (a
    > quick test with <a href="..." target="fraImage">foo</a> probably shows).
    > (But then, alas you posted only "similar" code.)
    >
    > So unless you have a server-side JScript script in ASP here that you need
    > help about, your problem is *off-topic* here. But even then a newsgroup or
    > forum dedicated to ASP (.NET) would be a better choice, as the ASP experts
    > are *there*.
    >
    > In order to have a chance to receive further helpful replies here and
    > *elsewhere*, I strongly suggest you learn how to post properly in Usenet:
    >
    > <http://www.jibbering.com/faq/#FAQ2_3>
    >
    > PointedEars
    > --
    > var bugRiddenCrashPronePieceOfJunk = (
    > navigator.userAgent.indexOf('MSIE 5') != -1
    > && navigator.userAgent.indexOf('Mac') != -1
    > ) // Plone, register_function.js:16
    DBLWizard, Jun 28, 2008
    #5
  6. DBLWizard

    DBLWizard Guest

    Re: page contains both secure and nonsecure items When settinglocation in IE6

    Ok,

    I have further diagnosed the problem. It's not client side as I
    originally suspected. So to Thomas I owe an apology. But your
    attitude that I was trying to do something wrong or sneek something by
    the user really irritated me. As you can see from the post below I'm
    not. It has something to do with the streamed PDF ... so I post this
    information to show where the problem was but also to acknowledge
    that this forum is not the appropriate location to search a result.

    The DocumentView.PDF page streamed down a PDF to the requesting
    browser, when I remove that code and simply render HTML there is not a
    problem. Here is what the DocumentViewPDF page looks
    like:
    <%
    Dim objPDF
    Dim sDocumentType
    Dim sInstrument

    sDocumentType = Request.QueryString("DocumentType") & ""
    sInstrument = Request.QueryString("Instrument") & ""

    If Len(sDocumentType) > 0 AND Len(sInstrument) > 0 Then
    Set objPDF = Server.CreateObject("LEImage.clsPXCPDF")
    Response.ContentType = "application/pdf"

    Response.AddHeader "Content-disposition", _
    "inline; filename=" + StripOutPage(sInstrument) + "_doc.pdf"
    Response.BinaryWrite objPDF.GetDocumentPDF(sDocumentType,
    sInstrument, "")

    Set objPDF = Nothing
    Response.End
    Else
    Response.Write "Invalid querystring parameters!
    <br>sDocumentType:" & sDocumentType & "**<br/>" & _
    "sInstrument:" & sInstrument & "**"
    Response.End
    End If
    %>

    Thanks dbl


    On Jun 28, 1:55 pm, DBLWizard <> wrote:
    > Ok I'm not sure if your dense or what. This is a clientside problem
    > not a server side problem. This is running in a onload of one page
    > that is in an adjacent frame. The code I have presented here is
    > EXACTLY the code that is causing the problem. I'm not trying to GET
    > AROUND anything. I am trying to figure out why IE6 is the only
    > browser that seems to have a problem with this code. Yes I implied it
    > is an problem in IE. And as I am not connecting to an unsecured
    > resouce I guess I would it is presenting false information to user.
    >
    > Let me give you another example of a similar "problem". IE6 gives the
    > same message with the following code:
    >
    > function showImage(sredirection){
    > {
    > var newwin = window.open("", "",
    > "toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=0,resizable=0,maximized=1")
    > newwin.location.href = "DocumentView.asp" + sredirection
    > newwin.focus();
    >
    > }
    >
    > But does not when the code looks like this:
    >
    > function showImage(sredirection){
    > {
    > var newwin = window.open("DocumentView.asp" + sredirection, "",
    > "toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=0,resizable=0,maximized=1")
    > newwin.focus();
    >
    > }
    >
    > Now I don't know if you call that a bug or not. But its inconsistent
    > at the least.
    > Another example is if you initialize a frame with no source like this
    > IE 6 throws up a message about secure and unsecure information on the
    > same page:
    >
    > <frame scrolling="no" name="fraImage" src="">
    >
    > But if you create a "blank" html page as a place holder it is ok.
    >
    > <frame scrolling="no" name="fraImage" src="blank.htm">
    >
    > Again, I'm not trying to deceive the user. I believe i am getting
    > this message erroneously and want to find someway as in the above
    > examples to get the message to go away.
    >
    > On Jun 28, 4:16 am, Thomas 'PointedEars' Lahn <>
    > wrote:
    >
    > > DBLWizard wrote:
    > > > Thomas 'PointedEars' Lahn wrote:
    > > >> DBLWizard wrote:
    > > >>> I'm fighting with IE on a secure site where I am trying to set the
    > > >>> location of a frame from within javascript using code similar to this.
    > > >>> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocumentType
    > > >>> %>&Instrument=" + sInstrument;
    > > >>> objFrameImage = window.top.frames['fraImage'];
    > > >>> objFrameImage.location = sHref;
    > > >>> IE 6 throws up this message that says "This page contains both secure
    > > >>> and nonsecure items.". None of the other browsers seem to have this
    > > >>> problem including IE7. Is there a way to fix this?
    > > >> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
    > > >> feature.

    >
    > > >> Long answer:

    >
    > > >> Probably the server-side ASP script, triggered with the client-side
    > > >> assignment here, redirects to a non-SSL HTTP resource, inevitably
    > > >> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
    > > >> connection, which IE/MSHTML warns you about.

    >
    > > >> While you could simply disable the setting that triggers this behavior (in
    > > >> Internet Options, Security or Advanced tab), the only way to prevent the
    > > >> message from appearing reliably in all clients is not do to that, and to
    > > >> perform server-side URL rewrite (proxying) instead.

    >
    > > >> How that can be done depends on your server and is off-topic here, on-topic
    > > >> e.g. in comp.infosystems.www.servers.*instead.
    > > >> [...]

    >
    > > > [...]
    > > > To claify this is on a site with an SSL certificate and I never
    > > > declared it as a bug,

    >
    > > You implied that it was a problem *of* IE, i.e. a bug. It's not.

    >
    > > > only that I wanted to bypass it somehow.

    >
    > > Why would you want to bypass a Good Thing?

    >
    > > > The DocumentView.asp streams a pdf down to the page and no where no how
    > > > am I directing to a non SSL resouce. I have even tried putthing the
    > > > absolutehttps://sitename/DocumentView.asponthe location and that
    > > > doesn't change it.

    >
    > > No surprise here because it matters what ASP does, not how it is invoked.

    >
    > > Again, it's most certainly _not_ a problem with your posted script code (a
    > > quick test with <a href="..." target="fraImage">foo</a> probably shows).
    > > (But then, alas you posted only "similar" code.)

    >
    > > So unless you have a server-side JScript script in ASP here that you need
    > > help about, your problem is *off-topic* here. But even then a newsgroup or
    > > forum dedicated to ASP (.NET) would be a better choice, as the ASP experts
    > > are *there*.

    >
    > > In order to have a chance to receive further helpful replies here and
    > > *elsewhere*, I strongly suggest you learn how to post properly in Usenet:

    >
    > > <http://www.jibbering.com/faq/#FAQ2_3>

    >
    > > PointedEars
    > > --
    > > var bugRiddenCrashPronePieceOfJunk = (
    > > navigator.userAgent.indexOf('MSIE 5') != -1
    > > && navigator.userAgent.indexOf('Mac') != -1
    > > ) // Plone, register_function.js:16
    DBLWizard, Jun 28, 2008
    #6
  7. Re: page contains both secure and nonsecure items When setting locationin IE6

    DBLWizard wrote:
    > I have further diagnosed the problem. It's not client side as I
    > originally suspected.


    I have said that right from the start, have I not? I am really not the one
    beating the already grounded, but had you properly read and followed my
    advice in the first place you could have spared yourself and this group a
    lot of trouble.

    > So to Thomas I owe an apology.


    Please do.

    > But your attitude that I was trying to do something wrong > or sneek something by the user really irritated me.


    I never implied any of that! I merely said it was not a bug, i.e. not a
    problem of the user agent but of the underlying programming of the Web
    application. You really should read less into postings.

    > [top post of a top post]


    And finally learn to quote.

    <http://jibbering.com/faq/>


    Score adjusted

    PointedEars
    --
    Prototype.js was written by people who don't know javascript for people
    who don't know javascript. People who don't know javascript are not
    the best source of advice on designing systems that use javascript.
    -- Richard Cornford, cljs, <f806at$ail$1$>
    Thomas 'PointedEars' Lahn, Jun 28, 2008
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Brent Burkart
    Replies:
    1
    Views:
    341
    Rob Meade
    Jan 27, 2004
  2. A.M
    Replies:
    5
    Views:
    5,436
    Teemu Keiski
    Jun 8, 2004
  3. Replies:
    2
    Views:
    4,197
  4. Mantorok
    Replies:
    2
    Views:
    10,893
    Mantorok
    Apr 21, 2006
  5. =?Utf-8?B?cGF0cmlja2RyZA==?=

    masterpages and secure and nonsecure items warning

    =?Utf-8?B?cGF0cmlja2RyZA==?=, Jun 14, 2007, in forum: ASP .Net
    Replies:
    10
    Views:
    823
    Alan Silver
    Jun 18, 2007
Loading...

Share This Page