How to overcome this security issue

I have implemented an ajax-polling script that calls an action in the server Controller every 10 seconds. With the response, I replace the content of a div:

    function getFoo() {
        var link = '/Secure/GetFoo';
        $.post(link, function (response) {
            // replaceWith swaps out the element itself, so the response must again
            // contain an element with id FooSection or the next poll finds nothing
            $('#FooSection').replaceWith(response);
        });
        // pass the function itself; a string argument is evaluated like eval()
        setTimeout(getFoo, 10000);
    }

This is done through https. After some time of being "idle", IE displays the following message:

This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?

If the user clicks Yes, the page is redirected to the div displaying the response only. If the user clicks No, nothing happens, but the div container will not be refreshed.

I know I can suppress this message through browser settings, but that will just bring me to a default Yes selection as per the above dialog.

A similar issue has been asked before, but unfortunately there hasn't been any solution. I basically want to make my ajax-polling work even on a secure connection. Any ideas?

Alex R. Avatar asked Jun 09 '11 08:06



1 Answer

You should never see that dialog on an Internet-Zone page. By default, this operation is silently and automatically blocked in the Internet Zone.

There are two root causes for that dialog to appear in the Intranet zone:

1> Attempting to do a cross-origin request using the XMLHTTPRequest object (http://blogs.msdn.com/b/ieinternals/archive/2011/04/22/ie-security-prompt-page-accessing-cross-domain-information-not-under-its-control.aspx)

2> Attempting to navigate an OBJECT Tag hosting HTML to a cross origin page.

You can avoid case #1 by using XDomainRequest instead of XMLHTTPRequest. You can avoid case #2 by using an IFRAME instead of an OBJECT tag.

EricLaw Avatar answered Sep 18 '22 20:09

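The transport choice described in the answer, as an added example that is not part of the question or the answer: first check whether the polled URL is actually cross-origin (scheme, host and port all have to match), keep plain XMLHttpRequest when it is not, and only reach for XDomainRequest on a cross-origin target in IE. The endpoint path '/Secure/GetFoo' and the 10-second interval are taken from the question; the `win` parameter (the page's global object, a stub in the test), the `pageHref` parameter and the function names are assumptions made for this example.

```javascript
// Added example: choose the request object IE will allow for a poll without
// the "not under its control" prompt. `win` is the page's global object
// (window in a browser; a stub under test), `pageHref` the page's own URL.

// Two URLs share an origin when scheme, host and port all match. A relative
// path such as '/Secure/GetFoo' resolves against the page and is therefore
// same-origin; an 'http://' URL on an 'https://' page is cross-origin.
function isCrossOrigin(pageHref, targetHref) {
  var page = new URL(pageHref);
  var target = new URL(targetHref, pageHref);
  return page.origin !== target.origin;
}

// Same-origin requests keep XMLHttpRequest (cookies, status codes, headers).
// A cross-origin request in IE8/9 uses XDomainRequest, which IE permits
// without the prompt but which sends no cookies or custom headers, exposes no
// HTTP status, and needs an Access-Control-Allow-Origin response header.
// Browsers without XDomainRequest use CORS-capable XMLHttpRequest.
function pickTransport(win, pageHref, targetHref) {
  var cross = isCrossOrigin(pageHref, targetHref);
  if (cross && typeof win.XDomainRequest !== 'undefined') return 'XDomainRequest';
  if (typeof win.XMLHttpRequest !== 'undefined') return 'XMLHttpRequest';
  return null;
}

function createRequest(win, pageHref, method, targetHref) {
  var kind = pickTransport(win, pageHref, targetHref);
  if (kind === 'XDomainRequest') {
    var xdr = new win.XDomainRequest();
    xdr.open(method, targetHref);        // XDR open() takes only method and URL
    return { kind: kind, req: xdr };
  }
  if (kind === 'XMLHttpRequest') {
    var xhr = new win.XMLHttpRequest();
    xhr.open(method, targetHref, true);
    return { kind: kind, req: xhr };
  }
  throw new Error('no usable request object in this environment');
}

// Polling loop. The next request is armed from the completion handlers, so a
// slow or failed response never stacks a second request on top of the first,
// and setTimeout receives a function reference rather than a string.
function startPolling(win, pageHref, targetHref, onResponse, intervalMs) {
  function poll() {
    var r = createRequest(win, pageHref, 'POST', targetHref);
    var again = function () { win.setTimeout(poll, intervalMs); };
    var done = function (text) { if (text !== null) onResponse(text); again(); };
    if (r.kind === 'XDomainRequest') {
      // XDR has no status code: onload means success, onerror means failure
      r.req.onload = function () { done(r.req.responseText); };
      r.req.onerror = function () { done(null); };
    } else {
      r.req.onreadystatechange = function () {
        if (r.req.readyState !== 4) return;
        done(r.req.status === 200 ? r.req.responseText : null);
      };
    }
    r.req.send(null);
  }
  poll();
}

// Browser usage (hypothetical page URL):
// startPolling(window, location.href, '/Secure/GetFoo', function (html) {
//   document.getElementById('FooSection').innerHTML = html;
// }, 10000);
```

Because the question's own URL is a relative path, `isCrossOrigin` reports it as same-origin; if the prompt still appears, the cross-origin part is somewhere other than the poll URL itself (for instance the page that hosts the script), which is what the answer's two root causes point to.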