Krista M Leopold
Security Warning - Mixed Mode in IE
July 13, 2011 6:54 AM

Howdy,

My website is a secure site that is served over https. Whenever an IE user hits my home page, they see the Security Warning dialog:

"Do you want to view only the webpage content that was delivered securely?
This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the webpage."

I have combed through my site and none of my content is brought in using http:// --- all links are relative to the server, so using HttpWatch I can see that every resource I serve on the page comes via https.

A little research has shown that some JavaScript functions can cause this dialog to pop up. However, I am not a JavaScript programmer, and the number of lines of JavaScript being served (using Classic Theme) is too big for me to sift through. Is anyone aware of where this problem might be occurring? For reference, I found this list of JavaScript functions that will cause the dialog:

From http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/:

// Causes mixed content message in IE on a secure page
document.write("<script id=\"__ie_onload\" src=\"javascript:void(0)\"></script>");
document.getElementById("__ie_onload").onreadystatechange = function()
{
     if (this.readyState == "complete") domReady();
};


Here’s the criteria:

■ page is being requested in SSL mode
■ div has a background image in the form url(/path/to/image.extension)
■ the use of the removeChild function


var url = '/application/processImage.do?img=path/to/image.png';

IE fails with this link and shows the mixed content error. The problem is the img parameter, which contains the path to the file and the file name with extension… There are two workarounds for this:
1. make the url absolute (use JavaScript, to avoid hardcoded strings)
var url = location.protocol + '//' + location.host + '/application/processImage.do?img=path/to/image.png';

2. add another parameter at the end of the url:
var url = '/application/processImage.do?img=path/to/image.png&anotherParameter=value';

Mixed content message is not shown anymore.


There are more suggestions, but I'm not as inclined to think they apply to my configuration. I'm going to start sifting, but I really appreciate any thoughts or experience you have had with this bug.

Thanks!
Krista
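
One way to narrow the search described in the post above, as an added example that is not part of the thread or of Liferay's code: a Node.js script that scans served HTML/JavaScript source for the trigger patterns quoted in the post. The rule ids, regexes and sample input are constructed for illustration, and a match is a lead to inspect, not proof of the cause.

```javascript
// Added example: heuristic scan for the IE mixed-content triggers quoted in
// the post. Rule ids, regexes and SAMPLE are constructed for illustration.
const RULES = [
  // Sub-resource explicitly loaded over plain HTTP (src=... or CSS url(...)).
  { id: 'http-resource', re: /(?:\bsrc\s*=\s*\\?["']|url\(\s*["']?)http:\/\//i },
  // Pseudo-URL used as a src, as in the __ie_onload snippet.
  { id: 'javascript-src', re: /\bsrc\s*=\s*\\?["']javascript:/i },
  // removeChild call: a lead only, the report also needs a url(...) background.
  { id: 'remove-child', re: /\.removeChild\s*\(/ },
  // Relative URL literal whose last query value ends in a file extension.
  // The lookbehind skips literals appended to an absolute prefix with "+".
  { id: 'query-ends-in-extension',
    re: /(?<!\+\s*)["']\/[^"'?\s]*\?(?:[^"'&\s=]+=[^"'&\s]*&)*[^"'&\s=]+=[^"'&\s]*\.\w{2,4}["']/ },
];

// Returns one { line, rule, text } record per rule matched on each line.
function findMixedContentTriggers(source) {
  const hits = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        hits.push({ line: i + 1, rule: rule.id, text: text.trim() });
      }
    }
  });
  return hits;
}

// Constructed sample: lines 1-4 should be flagged, lines 5-7 should not
// (extra parameter, absolute URL built with "+", plain navigation link).
const SAMPLE = String.raw`
<img src="http://example.test/logo.png">
document.write('<script id="__ie_onload" src="javascript:void(0)"><\/script>');
panel.removeChild(panel.firstChild);
var a = '/application/processImage.do?img=path/to/image.png';
var b = '/application/processImage.do?img=path/to/image.png&anotherParameter=value';
var c = location.protocol + '//' + location.host + '/application/processImage.do?img=path/to/image.png';
<a href="http://example.test/">link</a>
`.trim();

for (const h of findMixedContentTriggers(SAMPLE)) {
  console.log(`${h.line}: [${h.rule}] ${h.text}`);
}
```

Run it over the theme's combined JavaScript and the rendered page source saved from the browser; minified files with very long lines will report the whole line as the match.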
David H Nebinger
RE: Security Warning - Mixed Mode in IE
July 13, 2011 8:10 AM

I get the mixed mode error also on my secured site. I agree it must be in the JavaScript, but who knows at what level: Liferay, AUI, YUI, or one of the other JS libs...
Krista M Leopold
RE: Security Warning - Mixed Mode in IE
July 13, 2011 8:43 AM

Exactly -- which level? It's a needle in a haystack, and I have to find it or we're kind of screwed.

I'm inclined to elevate this to a bug. Unless someone can show me that it's not.
David H Nebinger
RE: Security Warning - Mixed Mode in IE
July 13, 2011 10:05 AM

I think it's probably a bug and should be reported as such...

In the meantime, you'll probably have to find and resolve the issue yourself. Fiddler is a tool that might help with this, YMMV.
David H Nebinger
RE: Security Warning - Mixed Mode in IE
July 13, 2011 10:28 AM

Just tried Fiddler on my site. All content appears to be SSL-based except for the Google ads...

You should probably try Fiddler on your own before jumping to a bug; it might not be LR's fault necessarily, depending upon your JavaScript and other resource usage. At least it may point to the source of your insecure activity...