Our company website (ASP.Net 3.5) uses SSL to secure the checkout pages. Users are getting the "Only secure content is displayed" message at the bottom of IE. Many of them freak out and abandon their cart and we loose a sale. The secure contect is in a subfolder and IIS7 is configured to require SSL on that subfolder. I used the IE dev toolbar to try to see what causes this and get the following:
SEC7111: HTTPS security is compromised by http://www.myCompany.com/WebResource.axd?d=dJde0NlmEkubWa-RO0uUtg2&t=633833944103732959
Login.aspx
SEC7111: HTTPS security is compromised by http://www.myCompany.com/ScriptResource.axd?d=-4ipYW6oMR5JKr02ccZdGEkLMeXnvSWAqFrG98oQ5--7NMeKPsjwSVXJeHzqvzhsd1bLH85MgJQdnNYNUNH1gAXPGD9gbk2fwYnJI-0eaw41&t=ffffffffa6437166
Login.aspx
SEC7111: HTTPS security is compromised by http://www.myCompany.com/ScriptResource.axd?d=-4ipYW6oMR5JKr02ccZdGEkLMeXnvSWAqFrG98oQ5--7NMeKPsjwSVXJeHzqvzhsvkt8QvjGkHw2IYbLkF5RHr1t21TH0EEkLDcUGVpdxdE1&t=ffffffffa6437166
Login.aspx
We also had a bunch of offending javascript files but worked around those by copying them into the secure directory. That made Chrome and Firefox happy but we still get the message with IE.
How can I stop the popup and keep from scaring my customers away?
Just change those urls to https.
Now, those script resources look like they're automatically generated by .NET, so you may have to jump through some hoops to do that...
[Edit] Hoisting this up from my comment:
Some guy suggests changing the uri in global.asax on Application_BeginRequest
Headache saver... thank you for mentioning IE developer tools. Like many I do most of my testing with firefox and leave IE to last (can't beat firebug!). BUT The way that they've improved IE I think I may be rethinking that strategy! After all most of the world still used IE too.
The developer tools found this line in my css that was giving me the security violations ... simply fixed by changing to https
@import url(http://fonts.googleapis.com/css?family=Gudea);
to
SEC7111: HTTPS security is compromised by http://fonts.googleapis.com/css?family=Gudea onepage
SEC7111: HTTPS security is compromised by http://fonts.googleapis.com/css?family=Gudea onepage
We ended up using SecuritySwitch http://code.google.com/p/securityswitch/wiki/GettingStarted, which works perfectly.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With