I have these errors in IE9 on my site:
SEC7111: HTTPS security is compromised by res://ieframe.dll/dnserrordiagoff.htm
SEC7111: HTTPS security is compromised by res://ieframe.dll/ErrorPageTemplate.css
SEC7111: HTTPS security is compromised by res://ieframe.dll/errorPageStrings.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/httpErrorPagesScripts.js
SEC7111: HTTPS security is compromised by res://ieframe.dll/noConnect.png
SEC7111: HTTPS security is compromised by res://ieframe.dll/bullet.png
I know this error arises because I am trying to get http content via the https protocol. But I can't see anywhere in the page where this could be caused.
I investigated that this problem might be solved by customizing the browser, but this isn't a good solution.
Does anyone know what is causing these errors?
A client of mine had the SEC7111: HTTPS security is compromised by res://ieframe.dll/ problem recently in various versions of IE up to and including IE11 - and possibly Edge too but now it's fixed I cannot check easily - and the issue was unrelated to X-Frame-Options, all sites involved used SSL and there were no mixed http + https content errors.
In this case the root of the problem was Internet Explorer security zone trust levels. The company I work for run a large web app for a large organisation with a corporate domain, and our app is hosted using a subdomain eg crm.egcorporate.com.
The client also have their intranet and public website on www and other subdomains of egcorporate.com. They also use a 3rd party online Learning Management System eg eglms.com which on some pages iframes some content from crm.egcorporate.com, which worked fine on the staging environments for both systems, but in production caused errors for the corporate users but only when using IE on a machine connected to their domain controller.
The problem was because in their Active Directory group policy settings, they had *.egcorporate.com set to Local intranet security zone, and eglms.com was set to Trusted sites security zone. Because the production URL for our app was on a subdomain of their AD domain, it inherited Local intranet trust settings in IE, which meant IE would not allow the LMS at the lower Trusted level to iframe intranet content. But the daftness of IE11 is that it tries to display its res://ieframe.dll/... embedded error pages to tell us this, but then blocks itself from displaying its own error pages which is what the SEC7111 errors are then telling us.
In our case the solution was for the corporate IT guys to add a more specific crm.egcorporate.com Trusted sites zone rule to their AD group policy (and have users log out + log in again), so that the iframed content and the framing site were both seen as the same trust level by IE.
The reason that we did not see the same issue in staging was because we use a URL like egcorporate.staging.mycompany.com which obviously was not covered by their intranet security zone settings.
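The zone mismatch described in the answer above, as an added example that is not part of the original answer: a simplified Python model that resolves hosts against a site-to-zone list and reports whether a framing site and the framed site land in the same zone. The function names, the "most specific entry wins" matching rule and the Internet-zone default are assumptions of this model, not IE's actual code; the zone numbers 1 to 4 are the ones used by the Site to Zone Assignment List policy, and the two policy lists are constructed from the hostnames in the answer.

```python
# Simplified model of IE site-to-zone resolution (illustrative, not IE's code).
ZONES = {1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}
DEFAULT_ZONE = 3  # model assumption: unmapped hosts fall into the Internet zone

# Constructed policies: the group policy as described, and with the fix applied.
ORIGINAL = {"*.egcorporate.com": 1, "eglms.com": 2}
FIXED = {**ORIGINAL, "crm.egcorporate.com": 2}


def _specificity(pattern, host):
    """Score how specifically pattern matches host; None means no match.

    Model assumption: an exact host entry beats any wildcard entry, and
    among wildcards the longer suffix wins.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return (2, len(pattern))
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.egcorporate.com" -> ".egcorporate.com"
        if host.endswith(suffix) and len(host) > len(suffix):
            return (1, len(suffix))
    return None


def resolve_zone(host, assignments):
    """Return the zone number of the most specific matching entry."""
    best = None
    for pattern, zone in assignments.items():
        score = _specificity(pattern, host)
        if score is not None and (best is None or score > best[0]):
            best = (score, zone)
    return best[1] if best else DEFAULT_ZONE


def check_framing(parent, child, assignments):
    """Compare the zones of a framing page and the page it iframes."""
    pz = resolve_zone(parent, assignments)
    cz = resolve_zone(child, assignments)
    return {"parent_zone": ZONES[pz], "child_zone": ZONES[cz], "same_zone": pz == cz}


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, check_framing("eglms.com", "crm.egcorporate.com", policy))
```

Running the same check against an exported site-to-zone list for each framing/framed host pair shows which pairs need a more specific entry before the change reaches production.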
Another thing to check is that you do not have the header X-Frame-Options set to deny as shown:
X-Frame-Options:DENY
Also see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options