Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How To Tell What Files IE Thinks Are "nonsecure"?

We have a CMS system whose web interface gets served over HTTPS. This works beautifully for Firefox, but when we load it in IE6 or IE7, it complains that "This page contains both secure and nonsecure items."

I've loaded the page in Firefox and checked with Firebug, and every connection seems to be going through HTTPS, as should be the case.

Is there any way to tell what is causing IE to throw this apparently spurious error?

like image 939
Sean McMains Avatar asked Sep 18 '08 20:09

Sean McMains


5 Answers

Firefox has a number of bugs in mixed content detection. Generally you should try using Fiddler to spot insecure resources.

If you install a tool I wrote (www.bayden.com/dl/scriptfreesetup.exe) you will get a different mixed content prompt which shows the exact URL of the first insecure resource on the page. That tool is basically a prototype and you should uninstall it when you're done with it.

like image 65
EricLaw Avatar answered Oct 15 '22 00:10

EricLaw


Use Fiddler to watch the traffic between the server and IE.

Be sure to go to Tools > Fiddler Options... > HTTPS > and check 'Decrypt HTTPS traffic'

Any non-HTTPS traffic generated between any server and IE should be easy to spot in the Web Sessions list.

like image 30
Grant Wagner Avatar answered Oct 15 '22 00:10

Grant Wagner


I used Eric's tool (thanks Eric you saved me hours...) and it turns out that IE6 treats a background image specified with a relative path as nonsecure content. Even though it actually requests it over https. So if you're stumped - converting your relative paths to absolute ones might really help...

like image 3
BigMikeW Avatar answered Oct 15 '22 00:10

BigMikeW


Are one or more resources (CSS url-image ref overlooked easily) pointing to a subdomain that's not covered by the certificate (https://www.example.com vs https://static.example.com)?

like image 2
micahwittman Avatar answered Oct 15 '22 02:10

micahwittman


If you can't see anything that isn't using SSL, then this is usually down to a broken SSL certificate somewhere. I don't know of anything off-hand that will tell you what exactly what the problem is, but you can get a list of everything that's loaded easily enough.

The media tab on Firefox's 'page info' dialog (right click on the page) will do it, it might also be worth having a go with Fiddler (which is an excellent, and extremely useful piece of software).

like image 1
Dan Avatar answered Oct 15 '22 01:10

Dan