Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > Javascript > page contains both secure and nonsecure items When setting locationin IE6

Reply
Thread Tools

page contains both secure and nonsecure items When setting locationin IE6

 
 
DBLWizard
Guest
Posts: n/a
 
      06-27-2008
Howdy All,

I'm fighting with IE on a secure site where I am trying to set the
location of a frame from within javascript using code similar to this.

sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocument Type
%>&Instrument=" + sInstrument;
objFrameImage = window.top.frames['fraImage'];
objFrameImage.location = sHref;

IE 6 throws up this message that says "This page contains both secure
and nonsecure items.". None of the other browsers seem to have this
problem including IE7. Is there a way to fix this?

Thanks

dbl
 
Reply With Quote
 
 
 
 
Thomas 'PointedEars' Lahn
Guest
Posts: n/a
 
      06-27-2008
DBLWizard wrote:
> I'm fighting with IE on a secure site where I am trying to set the
> location of a frame from within javascript using code similar to this.
>
> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocument Type
> %>&Instrument=" + sInstrument;
> objFrameImage = window.top.frames['fraImage'];
> objFrameImage.location = sHref;
>
> IE 6 throws up this message that says "This page contains both secure
> and nonsecure items.". None of the other browsers seem to have this
> problem including IE7. Is there a way to fix this?


Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
feature.

Long answer:

Probably the server-side ASP script, triggered with the client-side
assignment here, redirects to a non-SSL HTTP resource, inevitably
establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
connection, which IE/MSHTML warns you about.

While you could simply disable the setting that triggers this behavior (in
Internet Options, Security or Advanced tab), the only way to prevent the
message from appearing reliably in all clients is not do to that, and to
perform server-side URL rewrite (proxying) instead.

How that can be done depends on your server and is off-topic here, on-topic
e.g. in comp.infosystems.www.servers.* instead.


PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16
 
Reply With Quote
 
 
 
 
DBLWizard
Guest
Posts: n/a
 
      06-27-2008
On Jun 27, 4:19 pm, Thomas 'PointedEars' Lahn <(E-Mail Removed)>
wrote:
> DBLWizard wrote:
> > I'm fighting with IE on a secure site where I am trying to set the
> > location of a frame from within javascript using code similar to this.

>
> > sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocument Type
> > %>&Instrument=" + sInstrument;
> > objFrameImage = window.top.frames['fraImage'];
> > objFrameImage.location = sHref;

>
> > IE 6 throws up this message that says "This page contains both secure
> > and nonsecure items.". None of the other browsers seem to have this
> > problem including IE7. Is there a way to fix this?

>
> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
> feature.
>
> Long answer:
>
> Probably the server-side ASP script, triggered with the client-side
> assignment here, redirects to a non-SSL HTTP resource, inevitably
> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
> connection, which IE/MSHTML warns you about.
>
> While you could simply disable the setting that triggers this behavior (in
> Internet Options, Security or Advanced tab), the only way to prevent the
> message from appearing reliably in all clients is not do to that, and to
> perform server-side URL rewrite (proxying) instead.
>
> How that can be done depends on your server and is off-topic here, on-topic
> e.g. in comp.infosystems.www.servers.*instead.
>
> PointedEars
> --
> var bugRiddenCrashPronePieceOfJunk = (
> navigator.userAgent.indexOf('MSIE 5') != -1
> && navigator.userAgent.indexOf('Mac') != -1
> ) // Plone, register_function.js:16


Thomas,

To claify this is on a site with an SSL certificate and I never
declared it as a bug, only that I wanted to bypass it somehow. The
DocumentView.asp streams a pdf down to the page and no where no how am
I directing to a non SSL resouce. I have even tried putthing the
absolute https://sitename/DocumentView.asp on the location and that
doesn't change it.

Thanks

dbl
 
Reply With Quote
 
Thomas 'PointedEars' Lahn
Guest
Posts: n/a
 
      06-28-2008
DBLWizard wrote:
> Thomas 'PointedEars' Lahn wrote:
>> DBLWizard wrote:
>>> I'm fighting with IE on a secure site where I am trying to set the
>>> location of a frame from within javascript using code similar to this.
>>> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocument Type
>>> %>&Instrument=" + sInstrument;
>>> objFrameImage = window.top.frames['fraImage'];
>>> objFrameImage.location = sHref;
>>> IE 6 throws up this message that says "This page contains both secure
>>> and nonsecure items.". None of the other browsers seem to have this
>>> problem including IE7. Is there a way to fix this?

>> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
>> feature.
>>
>> Long answer:
>>
>> Probably the server-side ASP script, triggered with the client-side
>> assignment here, redirects to a non-SSL HTTP resource, inevitably
>> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
>> connection, which IE/MSHTML warns you about.
>>
>> While you could simply disable the setting that triggers this behavior (in
>> Internet Options, Security or Advanced tab), the only way to prevent the
>> message from appearing reliably in all clients is not do to that, and to
>> perform server-side URL rewrite (proxying) instead.
>>
>> How that can be done depends on your server and is off-topic here, on-topic
>> e.g. in comp.infosystems.www.servers.*instead.
>> [...]

>
> [...]
> To claify this is on a site with an SSL certificate and I never
> declared it as a bug,


You implied that it was a problem *of* IE, i.e. a bug. It's not.

> only that I wanted to bypass it somehow.


Why would you want to bypass a Good Thing?

> The DocumentView.asp streams a pdf down to the page and no where no how
> am I directing to a non SSL resouce. I have even tried putthing the
> absolute https://sitename/DocumentView.asp on the location and that
> doesn't change it.


No surprise here because it matters what ASP does, not how it is invoked.

Again, it's most certainly _not_ a problem with your posted script code (a
quick test with <a href="..." target="fraImage">foo</a> probably shows).
(But then, alas you posted only "similar" code.)

So unless you have a server-side JScript script in ASP here that you need
help about, your problem is *off-topic* here. But even then a newsgroup or
forum dedicated to ASP (.NET) would be a better choice, as the ASP experts
are *there*.

In order to have a chance to receive further helpful replies here and
*elsewhere*, I strongly suggest you learn how to post properly in Usenet:

<http://www.jibbering.com/faq/#FAQ2_3>


PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16
 
Reply With Quote
 
DBLWizard
Guest
Posts: n/a
 
      06-28-2008
Ok I'm not sure if your dense or what. This is a clientside problem
not a server side problem. This is running in a onload of one page
that is in an adjacent frame. The code I have presented here is
EXACTLY the code that is causing the problem. I'm not trying to GET
AROUND anything. I am trying to figure out why IE6 is the only
browser that seems to have a problem with this code. Yes I implied it
is an problem in IE. And as I am not connecting to an unsecured
resouce I guess I would it is presenting false information to user.

Let me give you another example of a similar "problem". IE6 gives the
same message with the following code:

function showImage(sredirection){
{
var newwin = window.open("", "",
"toolbar=0,location=0,directories=0,status=1,menub ar=0,scrollbars=0,resizable=0,maximized=1")
newwin.location.href = "DocumentView.asp" + sredirection
newwin.focus();
}

But does not when the code looks like this:

function showImage(sredirection){
{
var newwin = window.open("DocumentView.asp" + sredirection, "",
"toolbar=0,location=0,directories=0,status=1,menub ar=0,scrollbars=0,resizable=0,maximized=1")
newwin.focus();
}

Now I don't know if you call that a bug or not. But its inconsistent
at the least.
Another example is if you initialize a frame with no source like this
IE 6 throws up a message about secure and unsecure information on the
same page:

<frame scrolling="no" name="fraImage" src="">

But if you create a "blank" html page as a place holder it is ok.

<frame scrolling="no" name="fraImage" src="blank.htm">

Again, I'm not trying to deceive the user. I believe i am getting
this message erroneously and want to find someway as in the above
examples to get the message to go away.

On Jun 28, 4:16 am, Thomas 'PointedEars' Lahn <(E-Mail Removed)>
wrote:
> DBLWizard wrote:
> > Thomas 'PointedEars' Lahn wrote:
> >> DBLWizard wrote:
> >>> I'm fighting with IE on a secure site where I am trying to set the
> >>> location of a frame from within javascript using code similar to this.
> >>> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocument Type
> >>> %>&Instrument=" + sInstrument;
> >>> objFrameImage = window.top.frames['fraImage'];
> >>> objFrameImage.location = sHref;
> >>> IE 6 throws up this message that says "This page contains both secure
> >>> and nonsecure items.". None of the other browsers seem to have this
> >>> problem including IE7. Is there a way to fix this?
> >> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
> >> feature.

>
> >> Long answer:

>
> >> Probably the server-side ASP script, triggered with the client-side
> >> assignment here, redirects to a non-SSL HTTP resource, inevitably
> >> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
> >> connection, which IE/MSHTML warns you about.

>
> >> While you could simply disable the setting that triggers this behavior (in
> >> Internet Options, Security or Advanced tab), the only way to prevent the
> >> message from appearing reliably in all clients is not do to that, and to
> >> perform server-side URL rewrite (proxying) instead.

>
> >> How that can be done depends on your server and is off-topic here, on-topic
> >> e.g. in comp.infosystems.www.servers.*instead.
> >> [...]

>
> > [...]
> > To claify this is on a site with an SSL certificate and I never
> > declared it as a bug,

>
> You implied that it was a problem *of* IE, i.e. a bug. It's not.
>
> > only that I wanted to bypass it somehow.

>
> Why would you want to bypass a Good Thing?
>
> > The DocumentView.asp streams a pdf down to the page and no where no how
> > am I directing to a non SSL resouce. I have even tried putthing the
> > absolutehttps://sitename/DocumentView.aspon the location and that
> > doesn't change it.

>
> No surprise here because it matters what ASP does, not how it is invoked.
>
> Again, it's most certainly _not_ a problem with your posted script code (a
> quick test with <a href="..." target="fraImage">foo</a> probably shows).
> (But then, alas you posted only "similar" code.)
>
> So unless you have a server-side JScript script in ASP here that you need
> help about, your problem is *off-topic* here. But even then a newsgroup or
> forum dedicated to ASP (.NET) would be a better choice, as the ASP experts
> are *there*.
>
> In order to have a chance to receive further helpful replies here and
> *elsewhere*, I strongly suggest you learn how to post properly in Usenet:
>
> <http://www.jibbering.com/faq/#FAQ2_3>
>
> PointedEars
> --
> var bugRiddenCrashPronePieceOfJunk = (
> navigator.userAgent.indexOf('MSIE 5') != -1
> && navigator.userAgent.indexOf('Mac') != -1
> ) // Plone, register_function.js:16


 
Reply With Quote
 
DBLWizard
Guest
Posts: n/a
 
      06-28-2008
Ok,

I have further diagnosed the problem. It's not client side as I
originally suspected. So to Thomas I owe an apology. But your
attitude that I was trying to do something wrong or sneek something by
the user really irritated me. As you can see from the post below I'm
not. It has something to do with the streamed PDF ... so I post this
information to show where the problem was but also to acknowledge
that this forum is not the appropriate location to search a result.

The DocumentView.PDF page streamed down a PDF to the requesting
browser, when I remove that code and simply render HTML there is not a
problem. Here is what the DocumentViewPDF page looks
like:
<%
Dim objPDF
Dim sDocumentType
Dim sInstrument

sDocumentType = Request.QueryString("DocumentType") & ""
sInstrument = Request.QueryString("Instrument") & ""

If Len(sDocumentType) > 0 AND Len(sInstrument) > 0 Then
Set objPDF = Server.CreateObject("LEImage.clsPXCPDF")
Response.ContentType = "application/pdf"

Response.AddHeader "Content-disposition", _
"inline; filename=" + StripOutPage(sInstrument) + "_doc.pdf"
Response.BinaryWrite objPDF.GetDocumentPDF(sDocumentType,
sInstrument, "")

Set objPDF = Nothing
Response.End
Else
Response.Write "Invalid querystring parameters!
<br>sDocumentType:" & sDocumentType & "**<br/>" & _
"sInstrument:" & sInstrument & "**"
Response.End
End If
%>

Thanks dbl


On Jun 28, 1:55 pm, DBLWizard <(E-Mail Removed)> wrote:
> Ok I'm not sure if your dense or what. This is a clientside problem
> not a server side problem. This is running in a onload of one page
> that is in an adjacent frame. The code I have presented here is
> EXACTLY the code that is causing the problem. I'm not trying to GET
> AROUND anything. I am trying to figure out why IE6 is the only
> browser that seems to have a problem with this code. Yes I implied it
> is an problem in IE. And as I am not connecting to an unsecured
> resouce I guess I would it is presenting false information to user.
>
> Let me give you another example of a similar "problem". IE6 gives the
> same message with the following code:
>
> function showImage(sredirection){
> {
> var newwin = window.open("", "",
> "toolbar=0,location=0,directories=0,status=1,menub ar=0,scrollbars=0,resizable=0,maximized=1")
> newwin.location.href = "DocumentView.asp" + sredirection
> newwin.focus();
>
> }
>
> But does not when the code looks like this:
>
> function showImage(sredirection){
> {
> var newwin = window.open("DocumentView.asp" + sredirection, "",
> "toolbar=0,location=0,directories=0,status=1,menub ar=0,scrollbars=0,resizable=0,maximized=1")
> newwin.focus();
>
> }
>
> Now I don't know if you call that a bug or not. But its inconsistent
> at the least.
> Another example is if you initialize a frame with no source like this
> IE 6 throws up a message about secure and unsecure information on the
> same page:
>
> <frame scrolling="no" name="fraImage" src="">
>
> But if you create a "blank" html page as a place holder it is ok.
>
> <frame scrolling="no" name="fraImage" src="blank.htm">
>
> Again, I'm not trying to deceive the user. I believe i am getting
> this message erroneously and want to find someway as in the above
> examples to get the message to go away.
>
> On Jun 28, 4:16 am, Thomas 'PointedEars' Lahn <(E-Mail Removed)>
> wrote:
>
> > DBLWizard wrote:
> > > Thomas 'PointedEars' Lahn wrote:
> > >> DBLWizard wrote:
> > >>> I'm fighting with IE on a secure site where I am trying to set the
> > >>> location of a frame from within javascript using code similar to this.
> > >>> sHref = "DocumentViewPDF.asp?DocumentType=<%=sDocument Type
> > >>> %>&Instrument=" + sInstrument;
> > >>> objFrameImage = window.top.frames['fraImage'];
> > >>> objFrameImage.location = sHref;
> > >>> IE 6 throws up this message that says "This page contains both secure
> > >>> and nonsecure items.". None of the other browsers seem to have this
> > >>> problem including IE7. Is there a way to fix this?
> > >> Short answer: It's not a J(ava)Script problem. And it's not a bug, it's a
> > >> feature.

>
> > >> Long answer:

>
> > >> Probably the server-side ASP script, triggered with the client-side
> > >> assignment here, redirects to a non-SSL HTTP resource, inevitably
> > >> establishing another, insecure (i.e. unencrypted and unauthenticated) HTTP
> > >> connection, which IE/MSHTML warns you about.

>
> > >> While you could simply disable the setting that triggers this behavior (in
> > >> Internet Options, Security or Advanced tab), the only way to prevent the
> > >> message from appearing reliably in all clients is not do to that, and to
> > >> perform server-side URL rewrite (proxying) instead.

>
> > >> How that can be done depends on your server and is off-topic here, on-topic
> > >> e.g. in comp.infosystems.www.servers.*instead.
> > >> [...]

>
> > > [...]
> > > To claify this is on a site with an SSL certificate and I never
> > > declared it as a bug,

>
> > You implied that it was a problem *of* IE, i.e. a bug. It's not.

>
> > > only that I wanted to bypass it somehow.

>
> > Why would you want to bypass a Good Thing?

>
> > > The DocumentView.asp streams a pdf down to the page and no where no how
> > > am I directing to a non SSL resouce. I have even tried putthing the
> > > absolutehttps://sitename/DocumentView.asponthe location and that
> > > doesn't change it.

>
> > No surprise here because it matters what ASP does, not how it is invoked.

>
> > Again, it's most certainly _not_ a problem with your posted script code (a
> > quick test with <a href="..." target="fraImage">foo</a> probably shows).
> > (But then, alas you posted only "similar" code.)

>
> > So unless you have a server-side JScript script in ASP here that you need
> > help about, your problem is *off-topic* here. But even then a newsgroup or
> > forum dedicated to ASP (.NET) would be a better choice, as the ASP experts
> > are *there*.

>
> > In order to have a chance to receive further helpful replies here and
> > *elsewhere*, I strongly suggest you learn how to post properly in Usenet:

>
> > <http://www.jibbering.com/faq/#FAQ2_3>

>
> > PointedEars
> > --
> > var bugRiddenCrashPronePieceOfJunk = (
> > navigator.userAgent.indexOf('MSIE 5') != -1
> > && navigator.userAgent.indexOf('Mac') != -1
> > ) // Plone, register_function.js:16



 
Reply With Quote
 
Thomas 'PointedEars' Lahn
Guest
Posts: n/a
 
      06-28-2008
DBLWizard wrote:
> I have further diagnosed the problem. It's not client side as I
> originally suspected.


I have said that right from the start, have I not? I am really not the one
beating the already grounded, but had you properly read and followed my
advice in the first place you could have spared yourself and this group a
lot of trouble.

> So to Thomas I owe an apology.


Please do.

> But your attitude that I was trying to do something wrong > or sneek something by the user really irritated me.


I never implied any of that! I merely said it was not a bug, i.e. not a
problem of the user agent but of the underlying programming of the Web
application. You really should read less into postings.

> [top post of a top post]


And finally learn to quote.

<http://jibbering.com/faq/>


Score adjusted

PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$(E-Mail Removed)>
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
This page contains both secure and nonsecure items Mantorok ASP .Net 2 04-21-2006 09:42 AM
Secure & nonsecure items on a web page Colin Nowell Windows 64bit 4 08-23-2005 12:15 AM
Finding nonsecure items in secure page marc.gibian@gmail.com ASP .Net 2 07-26-2005 09:21 PM
This page contains both secure and non secure items. A.M ASP .Net 5 06-08-2004 05:43 PM
this page contains both secure and nonsecure message Brent Burkart ASP .Net 1 01-27-2004 08:20 AM



Advertisments