Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Only secure content is displayed

Our company website (ASP.Net 3.5) uses SSL to secure the checkout pages. Users are getting the "Only secure content is displayed" message at the bottom of IE. Many of them freak out and abandon their cart and we loose a sale. The secure contect is in a subfolder and IIS7 is configured to require SSL on that subfolder. I used the IE dev toolbar to try to see what causes this and get the following:

SEC7111: HTTPS security is compromised by http://www.myCompany.com/WebResource.axd?d=dJde0NlmEkubWa-RO0uUtg2&t=633833944103732959 
Login.aspx
SEC7111: HTTPS security is compromised by http://www.myCompany.com/ScriptResource.axd?d=-4ipYW6oMR5JKr02ccZdGEkLMeXnvSWAqFrG98oQ5--7NMeKPsjwSVXJeHzqvzhsd1bLH85MgJQdnNYNUNH1gAXPGD9gbk2fwYnJI-0eaw41&t=ffffffffa6437166 
Login.aspx
SEC7111: HTTPS security is compromised by http://www.myCompany.com/ScriptResource.axd?d=-4ipYW6oMR5JKr02ccZdGEkLMeXnvSWAqFrG98oQ5--7NMeKPsjwSVXJeHzqvzhsvkt8QvjGkHw2IYbLkF5RHr1t21TH0EEkLDcUGVpdxdE1&t=ffffffffa6437166 
Login.aspx

We also had a bunch of offending javascript files but worked around those by copying them into the secure directory. That made Chrome and Firefox happy but we still get the message with IE.

How can I stop the popup and keep from scaring my customers away?

like image 466
Sisiutl Avatar asked Jul 06 '11 18:07

Sisiutl


3 Answers

Just change those urls to https.

Now, those script resources look like they're automatically generated by .NET, so you may have to jump through some hoops to do that...

[Edit] Hoisting this up from my comment:

Some guy suggests changing the uri in global.asax on Application_BeginRequest

like image 102
canon Avatar answered Sep 27 '22 20:09

canon


Headache saver... thank you for mentioning IE developer tools. Like many I do most of my testing with firefox and leave IE to last (can't beat firebug!). BUT The way that they've improved IE I think I may be rethinking that strategy! After all most of the world still used IE too.

The developer tools found this line in my css that was giving me the security violations ... simply fixed by changing to https

@import url(http://fonts.googleapis.com/css?family=Gudea);

to

SEC7111: HTTPS security is compromised by http://fonts.googleapis.com/css?family=Gudea onepage
SEC7111: HTTPS security is compromised by http://fonts.googleapis.com/css?family=Gudea onepage

like image 21
ircsome Avatar answered Sep 27 '22 19:09

ircsome


We ended up using SecuritySwitch http://code.google.com/p/securityswitch/wiki/GettingStarted, which works perfectly.

like image 26
Sisiutl Avatar answered Sep 27 '22 21:09

Sisiutl