
Why is IE8 incorrectly complaining about loading non-secure elements?

I manage an e-commerce site running under SSL.

The problem is happening on the final page of my site's shopping cart that loads under SSL. The problem is that Internet Explorer 8.0 (including version 8.0.6001.18702 and other versions of IE8, but reportedly not all versions of IE8) complains about at least one non-secure element loading, which is scaring away some of my prospective customers. IE8 displays a dialogue box after the page has apparently fully loaded (with seemingly no missing images) that says:

"Security Warning: Do you want to view only the web page content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire web page. (YES/NO)"

I tried to track down all invalid images and links that may be loading via HTTP, but to no avail. Firebug Lite shows nothing non-secure. I'm starting to think this may be a bug within IE8 that was corrected in IE9, which does not complain.

TO REPRODUCE THIS ERROR: Click here using IE8 (or Chrome) to add an item to your shopping cart. On the resulting page, click on the GREEN button on the right that says, "Proceed to Secure Checkout." You will notice that you see the above "Security Warning" from IE8.

QUESTION: How can I determine what the browser is attempting to load non-securely, or how can I suppress the "Warning" message?

UPDATE: It seems the "Security Warning" is due to the suspended JavaScript execution on this page. But the same question still remains. How can the "Security Warning" message be suppressed or "debugged"?

Empire Man asked Jul 31 '11 00:07


1 Answer

Wireshark is usually pure overkill if it's used to debug standard web-browser-based applications because it provides way too much information, which is usually not required to exactly pinpoint the problem. A much better solution in this case would be to use Fiddler, which is a simple yet very powerful debugging proxy which is, aside from its many useful functionalities, also able to clearly distinguish between SSL and non-SSL traffic.

It's also able to simulate a "man in the middle" testing environment, which effectively allows it to decipher SSL traffic. Of course the generated "on the fly" certificate is clearly marked as untrusted in all browsers to prevent misusing it.

EDIT: I followed the given instructions in order to provoke the problem yet I had no problems with any kind of security warnings in IE8. Also Fiddler is showing that all the resources are loaded through SSL.

brezanac answered Sep 28 '22 18:09