Security Warning

Stan Brown

Depending on what is specifically tripping it at www.webex.com you may be
able to simply add that site to your trusted or intranet site zone. Now
you're not lowering security for general sites but can custom tailor the
security for specific sites that you go to often AND trust.
I don't know what's tripping it at Webex, but since I never use MSIE
*except* for Webex I don't care. :) I just chose the easiest method
to make the message go away.

FWIW, the link is https and not http.
 
KCB

Char Jackson said:
I've never seen that and wouldn't have considered it possible, so if
by chance you still know of a URL I'd love to see for myself.
I saw this just today with IE9 on Win7, but not Chrome on Win7, and not IE8
or Chrome on XP. Clear as mud?

IE9 consistently gave me the 'do you want to view all content?' popup,
while none of the other combinations did. One other thing I noticed was
that IE9 was the only one to NOT display the opening ad screen for the page,
while all the others DID show the ad. Maybe the popup is related to the ad?

The URL is:
http://www.womansday.com/Articles/Life/11-Funny-Fine-Print-Warnings.html
 
Char Jackson

I saw this just today with IE9 on Win7, but not Chrome on Win7, and not IE8
or Chrome on XP. Clear as mud?

IE9 consistently gave me the 'do you want to view all content?' popup,
while none of the other combinations did. One other thing I noticed was
that IE9 was the only one to NOT display the opening ad screen for the page,
while all the others DID show the ad. Maybe the popup is related to the ad?

The URL is:
http://www.womansday.com/Articles/Life/11-Funny-Fine-Print-Warnings.html
At the moment, I can only test Firefox 3 and IE 8 on XP, and neither
of them popped the warning. (IE is set to prompt for mixed content.)

I'll try IE 8 on Win7 when I get a chance. Thanks for the link.
 
XS11E

Char Jackson said:
I've never seen that and wouldn't have considered it possible, so
if by chance you still know of a URL I'd love to see for myself.
Multiple, try http://www.azcentral.com

I can't recall most since it's been a long time since I fixed it but it
seems to have been random sites and pretty intermittent as far as I
recall?
 
XS11E

VanguardLH said:
Perhaps the OP might grace us with a URL to the specific "financial"
site rather than attempt to discuss it as a vaguity.
See reply to Char Jackson and it had nothing to do with "financial"
sites, any site that felt like popping up the warning would do so.
 
Char Jackson

Multiple, try http://www.azcentral.com

I can't recall most since it's been a long time since I fixed it but it
seems to have been random sites and pretty intermittent as far as I
recall?
I can't duplicate the security warning popup on the URL above, nor
could I duplicate it on the link someone else posted to this thread
yesterday, so I'll just keep an eye out and see if it happens
eventually. I have to say, though, in all these years that I've been
web surfing I don't remember a 'mixed content' security warning when
the base URL was not secure.
 
VanguardLH

XS11E said:
See reply to Char Jackson and it had nothing to do with "financial"
sites, any site that felt like popping up the warning would do so.
Can you show me the HTML/Javascript/PHP/other code contained within a
web page that would force IE to popup this warning? I'm talking about
IE's own alert dialog, not a window, frame, or CSS that pretends to be a
dialog presented by IE.

IE's "mixed content" alert dialog is triggered by a web page where
content is delivered via both HTTPS and HTTP.

I cannot address what IE9 might do since I don't have it. The OP only
mentioned having Windows 7, not that he also upgraded from IE8 to IE9.
Neither at the womensday or azcentral sites with IE8 (changed to Prompt
on mixed content) did I get a prompt; however, in both cases, the
example URLs given were not using the HTTPS protocol. I did not
inspect the source of these delivered web pages to see if HTTPS was
involved in delivering any of their content. Typically you visit an
HTTPS site which then delivers some content via HTTP to get the mixed
content prompt.

Are you using IE9 when these mixed content prompts appear (despite it
appearing you are not navigating to the site using HTTPS)?

Look at http://msdn.microsoft.com/en-us/library/ee264315(v=vs.85).aspx
under the "The Improved Prompt" section. Is this still the same prompt
you see in IE9? It explicitly states that this prompt appears when
unsecure content (HTTP) is delivered when you have or are trying to
visit a secure page (HTTPS).

Under the section titled "Suppressing the Mixed Content Warning (for Web
Developers)", it says "within a HTTPS page, never include a link to a
HTTP-delivered resource." Neither of the example URLs given by you meet
this criteria because HTTP was used to visit the web page, not HTTPS.
The article mentions using Fiddler to look at the protocol for all
content delivered by a web page and I happen to have that installed. I
visited the womensday site (with mixed content option set to Prompt
instead of Block) and looked at Fiddler. I also had to disable my
blocking of unwanted/ad/pest sites so this site could use doubleclick,
intellitxt, yieldmanager, and other tracking services. Nope, not one of
the content delivered by that web page was using HTTPS. They all used
just HTTP. So there was no mixed content. Then I went to the azcentral
site. No HTTPS content there, either, just all HTTP so there was no
mixed content.
 
XS11E

VanguardLH said:
Can you show me the HTML/Javascript/PHP/other code contained
within a web page that would force IE to popup this warning? I'm
talking about IE's own alert dialog, not a window, frame, or CSS
that pretends to be a dialog presented by IE.
No, since it no longer occurs nor am I willing to spend more time on
it, it's fixed.
I cannot address what IE9 might do since I don't have it.
Nor I although I've had it multiple times, always dropped back to
IE8 as IE9 has caused too many problems, I'm guessing that'll be
taken care of in the future but I'm not going back to IE9 until
maybe September to let MSFT fix the bugs.
No HTTPS content there, either, just all HTTP so there was no
mixed content.
As pointed out previously, HTTPS content was NOT required to trigger
the warning.
 
Char Jackson

As pointed out previously, HTTPS content was NOT required to trigger
the warning.
Then what was 'mixed' about it? You'd think there had to be some mixed
content in order to trigger the mixed content warning, or so it would
seem.
 
XS11E

Char Jackson said:
Then what was 'mixed' about it? You'd think there had to be some
mixed content in order to trigger the mixed content warning, or so
it would seem.
I don't know, my point is and has been that no mixed content was
required, the warning just popped up whenever it felt like it.
But it isn't a bug, it's a FEATURE!

It's turned off now so I'm happy.
 
VanguardLH

XS11E said:
I don't know, my point is and has been that no mixed content was
required, the warning just popped up whenever it felt like it.
But it isn't a bug, it's a FEATURE!
You might want to get Fiddler2. It doesn't stay resident. Instead, it
adds a button you can add to the toolbar. When you hit a page you want
more info about, click on the Fiddler2 toolbar button and then
refresh the web page (Fiddler2 captures traffic as it's sent). I don't
like the Developer Tools that comes in IE8 but then I'm developing web
pages at a level where such a diag tool would be needed. Fiddler gives
me more basic web traffic info.

With Fiddler installed and at the ready, when it happens again you can
use Fiddler to see if there really is any mixed content (HTTPS + HTTP).
It's turned off now so I'm happy.
Does that mean the mixed content option is set to disabled (to block any
unsecure content in an HTTPS web page)? If so, well yeah, you won't see
the prompt anymore. That's how I have it set up; however, one of the
articles I mentioned illustrates how a site may not function properly
because the developer(s) had scripts, CSS, or something else linked
using HTTP in the HTTPS page. While you get the alert (if the option is
set to Prompt), I don't recall that it tells you specifically what it
considered unsecure.
 
XS11E

VanguardLH said:
XS11E wrote:

Does that mean the mixed content option is set to disabled (to
block any unsecure content in an HTTPS web page)?
It's set to enabled.
While you get the alert (if the option is set to Prompt), I
don't recall that it tells you specifically what it considered
unsecure.
It doesn't, that makes it pretty useless IMHO.
 
VanguardLH

XS11E said:
It's set to enabled.
Oh, so you want the unsecure content (which means it could be modified
and often isn't regulated by the site since it is merely piped through
their site unaltered and unmonitored). Okay, your choice.
It doesn't, that makes it pretty useless IMHO.
It's an on or off thing with little [useful] explanation. It's like the
idiot gauge on your dash that lights up when the oil pressure is low.
It doesn't tell you if the oil is depleted, if the oil pump isn't
delivering enough pressure, or if the oil pressure sensor is defective.
All it does is warn you that something is wrong but whether or not it
really is requires further investigation by you beyond the flickering
dash lamp.
 
KCB

VanguardLH said:
XS11E said:
It's set to enabled.
Oh, so you want the unsecure content (which means it could be modified
and often isn't regulated by the site since it is merely piped through
their site unaltered and unmonitored). Okay, your choice.
It doesn't, that makes it pretty useless IMHO.
It's an on or off thing with little [useful] explanation. It's like the
idiot gauge on your dash that lights up when the oil pressure is low.
It doesn't tell you if the oil is depleted, if the oil pump isn't
delivering enough pressure, or if the oil pressure sensor is defective.
All it does is warn you that something is wrong but whether or not it
really is requires further investigation by you beyond the flickering
dash lamp.
I went to the womansday site with IE9, and again got a popup, but it is not
the one you reference in an earlier post. It says 'Only secure content is
displayed.' There is a button to Show all content. Nothing on the page is
missing as far as I can tell. This only happens with IE9; I haven't been
able to get any other browser to do it. Here's a picture:
http://img862.imageshack.us/i/ie9warn.png/
 
VanguardLH

KCB said:
I went to the womansday site with IE9, and again got a popup, but it is not
the one you reference in an earlier post. It says 'Only secure content is
displayed.' There is a button to Show all content. Nothing on the page is
missing as far as I can tell. This only happens with IE9; I haven't been
able to get any other browser to do it. Here's a picture:
http://img862.imageshack.us/i/ie9warn.png/
Too tiny for me to view. I tried clicking on the magnifier button but
the site doesn't like that I block advertising content hence some of its
scripts. I got an error about newuploader_ad.php not found so my
blocking is killing their PHP script or not allowing that page to call
the script. Good, the blocking is working. Or their web page or script
is screwed up. If instead I click on the small image, I'm taken to
their upload home page. Starting to look like their script is screwed
up or they are w-a-y too tethered to advertising the blocking of which
renders their site useless.

I downloaded the .png and was able to enlarge it to see the bottom
infobar. It looks like Microsoft pared down the big prompt window to
just an infobar with a Show All button as the temporary override.

I looked at some of the source code at the womansday page. I noticed
the following:

<!-- Begin Google Analytics -->


<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-17610754-1']);
_gaq.push(['_setDomainName', '.womansday.com']);
_gaq.push(['_trackPageview']);

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

</script>

<!-- End Google Analytics -->

Well, well, here we have HTTPS getting involved so the site can use
Google's Analytics to track your browsing. I have the analytics sites
blocked in my ad blocker so if anything shows up it is an error about an
object not being defined (I block the site so scripts from there cannot
run on the page that I visit).

I saw something about IE8 where visiting a page via HTTP which had an
iframe that used HTTPS was okay (the frame content was still secure and
not mixed). IE9 doesn't like this. Here is Nathan's analysis in a
forum post:

Forum post:
http://answers.microsoft.com/en-us/...isplayed/9c56c734-696a-4f2f-ac12-1f07426cd823

OK, here's the difference I was able to identify.

An insecure (http) page (A) includes an iFrame. The iFrame loads a
secure (https) page, B. Page B includes an insecure (http) script
file (C).

In earlier versions of IE, and in all tested versions of Firefox,
Chrome, Safari, and Opera, this does not cause any problem. In IE9,
we get the "Only secure content is displayed" block.

So IE9's behavior is different (and more aggressive) than in IE8, or
earlier versions, or it's a bug. Even if I had the mixed content option
set to Enabled, I still would be blocking the Google Analytics scripts,
anyway (and why I see the error icon at the left of IE's status bar,
like the "bootloader.php is undefined" which I recognize as being caused
by me blocking some of Google's sites).
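
Added example, not part of the thread or any poster's code: the A/B/C frame arrangement from the quoted analysis, modelled as a constructed frame tree with placeholder hostnames, plus a per-document check that flags any HTTP load requested by an HTTPS document. The tree shape and function names are assumptions for illustration, and the check does not claim to reproduce IE9's internal logic.

```javascript
// Constructed frame tree mirroring the A -> B -> C case; hostnames are placeholders.
const pageA = {
  url: "http://news.example.test/article.html",            // page A (HTTP)
  resources: ["http://ads.example.test/banner.js"],
  frames: [{
    url: "https://widgets.example.test/frame.html",        // page B (HTTPS, in an iframe)
    resources: [
      "https://widgets.example.test/style.css",
      "http://cdn.example.test/tracker.js",                // script C (HTTP)
    ],
    frames: [],
  }],
};

const scheme = (u) => new URL(u).protocol;

// Report every http: load requested by an https: document. Each frame is
// judged against its own URL, not against the top-level page's URL.
function findMixedContent(frame, path = []) {
  const framePath = [...path, frame.url];
  const findings = [];
  if (scheme(frame.url) === "https:") {
    const loads = [
      ...frame.resources.map((url) => ({ url, kind: "subresource" })),
      ...frame.frames.map((f) => ({ url: f.url, kind: "frame" })),
    ];
    for (const load of loads) {
      if (scheme(load.url) === "http:") {
        findings.push({ document: frame.url, resource: load.url, kind: load.kind, framePath });
      }
    }
  }
  for (const child of frame.frames) {
    findings.push(...findMixedContent(child, framePath));
  }
  return findings;
}

// What the address bar alone suggests: only the top-level scheme.
const topLevelIsSecure = (page) => scheme(page.url) === "https:";

const findings = findMixedContent(pageA);
console.log("top-level secure:", topLevelIsSecure(pageA));
for (const f of findings) {
  console.log(`${f.kind} ${f.resource} loaded by ${f.document} (depth ${f.framePath.length})`);
}
```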
 
XS11E

VanguardLH said:
XS11E wrote:

Oh, so you want the unsecure content (which means it could be
modified and often isn't regulated by the site since it is merely
piped through their site unaltered and unmonitored). Okay, your
choice.
Yup, I've only been at this since Windows 3.0 and never had any
malware, never saw a BSOD, either. It really pays to RTFM I guess?

I suppose if I ever do encounter any I'll observe a bit more security
but I see no reason to do so now. My AV works, my MalwareBytes works
and I spend less than 20 hours/day on porn sites so it all works
out.....
 
