• Hi;
    I am managing a site that is delivered via https, and it displays fine in every other browser in the universe except (wait for it. . . ) IE.

    In IE, users are getting security popups asking “do you want to display non-secure items?”

    We can tell our users to ditch IE.
    We can tell our users to change their security settings; Miscellaneous->Display mixed content: Enable.

    But neither of these makes it easy for our users to view the site. This warning pops up on every fricking page.

    I’ve googled this, and I don’t see any real clear resolution of this problem. Just a couple of “hey try this” suggestions:

    1. Site elements are being delivered unsecured: I don’t think so, not sure how to verify this, but all http requests are redirected to https.

    2. Set your iframe’s src to a dummy value: we’re not using iframes. Anywhere. As far as I know.

    3. Microsoft even says this can happen if: (https://support.microsoft.com/kb/925014) you’re using the removeChild() method to delete a DIV element that references a background image – you should either use the outerHTML method to delete that DIV element, or put the background image into your CSS. In either case: WTF? more detail please! Where? How?

    I’m sure the “removeChild” method appears in several spots in both my template, and the wp-includes/js collection of javascript files (which means, these come with WP, and everyone should be seeing this problem?).

    Anyone have any constructive advice for getting rid of this annoying usability problem? (other than telling my users to ditch IE; if my customer would let me, I’d put a “download firefox and stop complaining” link in the footer of every page. I’m sure I’m not the first web developer to wrestle with this)

Viewing 11 replies - 1 through 11 (of 11 total)
  • I once got cookie security advisories with IE 7 because I had background images for my theme located outside of my WordPress folder. I assume it was some sort of bug.

    Thread Starter ndp

    (@ndp)

    All of my IE users are complaining about this.
    All of our images are either in /wp-admin/images, or wp-content/themes/mytheme/img. It’s really a very non-graphics-intensive site.

    I’m doing “view source” on every page, and there’s no content coming from any other site.

    I tried changing my style.css from:

    body {
        background:#767877 url(img/bg.jpg) repeat-x;
        color:#555;
        font-family:Verdana,"BitStream vera Sans",Helvetica,Sans-serif;
        font-size:12px;

    to:

    body {
        background:#767877 url(https://mysite.com/wp-content/themes/mytheme/img/bg.jpg) repeat-x;
        color:#555;
        font-family:Verdana,"BitStream vera Sans",Helvetica,Sans-serif;
        font-size:12px;

    No luck.

    Thread Starter ndp

    (@ndp)

    My theme is a slightly modified version of Generic Plus; fwiw.

    Following the microsoft kb article, above, there’s a section of javascript in my mytheme/js/menu.js file:

    cleanWhitespace = function(list) {
        var node = list.firstChild;
        while (node) {
            var nextNode = node.nextSibling;
            if(node.nodeType == 3 && !/\S/.test(node.nodeValue)) {
                list.removeChild(node);
            }
            node = nextNode;
        }
        return list;
    }

    I think it’s responsible for clearing the popup menu graphics, when the user mouseovers the menu bar. I tried just remarking-out the “list.removeChild(node);” line, knowing that it would break some other functionality – and sure enough, the menubar mouseovers stopped working. And I was still getting the security popup in IE. So I know that this is not the cause of the issue either.

    (put the code back safe-and-sound, and the feature’s working again).

    Have you tried temporarily disabling all plugins or switching to the default theme to see if it is plugin or theme-related?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Note that a redirect isn’t good enough. If you have any reference to an http instead of an https, then even if the http redirects to the https, then the site is not “secure”.

    To be secure, there must not be any http calls whatsoever. Make sure of this and don’t rely on redirections.

    Thread Starter ndp

    (@ndp)

    I don’t see any http references when I do a view->source. Other than the standard stuff in the headers:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "https://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

    <html xmlns="https://www.w3.org/1999/xhtml">
    <head profile="https://gmpg.org/xfn/11">

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    Yeah, that standard stuff doesn’t matter any.

    Well, I’m stumped. Without a link to the site, I don’t think anybody can help you any more here.

    Thread Starter ndp

    (@ndp)

    https://edtechfuture.org.

    When I use tools like PageInfo in Firefox, or Safari’s Activity window, they list every element of the page, and they’re all coming from https.

    Thread Starter ndp

    (@ndp)

    The idea to shut off my themes was a good one.

    If I use either my custom theme, or Generic Plus (on which my custom theme was based), I have the problem. If I go back to the generic WP theme, the problem seems to go away.

    Unfortunately, the site is now live, so I can only play around with our backup site like this. I need to isolate what is exactly doing this and change only that, because the live site is developed dependent on this custom theme.

    Thread Starter ndp

    (@ndp)

    The theme idea helped me to narrow it down significantly.

    (on my test site): I chopped out blocks of php code from template pages, until I found the two lines in template/start.php:

    <!-- script START -->
    <script type="text/javascript" src="<?php bloginfo('template_url'); ?>/js/base.js"></script>
    <script type="text/javascript" src="<?php bloginfo('template_url'); ?>/js/menu.js"></script>
    <!-- script END -->

    Functionality was broken, when I removed these lines, but I stopped getting the security popup.

    I replaced those lines, then I dug into these two .js files. I had already suspected the menu.js file, based on the removeChild() call, from the Microsoft KB Article.

    What I found, at the bottom of the file, was this decision:

    // Standards browsers: run loadMenus() when the DOM is ready
    if (document.addEventListener) {
        document.addEventListener("DOMContentLoaded", loadMenus, false);

    // IE: write a deferred script element and wait for its readyState
    } else if (/MSIE/i.test(navigator.userAgent)) {
        document.write('<script id="__ie_onload_for_generic23" defer src="javascript:void(0)"></script>');
        var script = document.getElementById('__ie_onload_for_generic23');
        script.onreadystatechange = function() {
            if (this.readyState == 'complete') {
                loadMenus();
            }
        }

    // WebKit: poll document.readyState every 10 ms
    } else if (/WebKit/i.test(navigator.userAgent)) {
        var _timer = setInterval( function() {
            if (/loaded|complete/.test(document.readyState)) {
                clearInterval(_timer);
                loadMenus();
            }
        }, 10);

    // Everything else: fall back to window.onload
    } else {
        window.onload = function(e) {
            loadMenus();
        }
    }

    When I removed the test for the MSIE user agent, that whole “else if” block, everything seemed to work fine, and there was no IE security popup. Can anyone explain what this code is doing?

    Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    That is a sorta commonplace bit of code to make something run after the DOM has loaded but before all the images have loaded on multiple types of browsers. In this case, it’s doing loadMenus(); after the DOM loads.

    More info on this technique, including an alternative approach, can be found here: https://www.kryogenix.org/days/2007/09/26/shortloaded

    You tend not to see this sort of thing very much anymore, since more people are using libraries like jquery, which all have this sort of thing built in already.
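
Added example, not part of the thread and not the theme's own code: the check that no fetched reference is plain http, and the manual bisection that ended at the IE branch writing a script tag with a `javascript:` src, can be done mechanically by scanning template output and theme scripts. The function name, the tag table, the sample markup, and the choice to treat a `javascript:` value in a `src` as non-secure are assumptions made for this sketch.

```javascript
// Added example, not code from the thread. Names and sample input are constructed.
// Attribute that each tag loads as a subresource; <a href> is navigation and is skipped.
const FETCH_ATTR = new Map(Object.entries({
  script: "src", img: "src", iframe: "src", frame: "src",
  embed: "src", input: "src", link: "href", object: "data" }));

// Assumption: a javascript: value in a fetched attribute counts as non-secure too,
// because the block isolated in the thread writes one into a script src.
function classify(url) {
  const u = url.trim().toLowerCase();
  if (u.startsWith("http://")) return "plain-http";
  if (u.startsWith("javascript:")) return "pseudo-url";
  return null; // https:// and relative URLs inherit the page's scheme
}

function findInsecureReferences(source) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^<>]*)>/gi;
  const cssRe = /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi;
  let tag, css;
  while ((tag = tagRe.exec(source)) !== null) {
    const name = tag[1].toLowerCase();
    const wanted = FETCH_ATTR.get(name);
    if (!wanted) continue; // DOCTYPE, xmlns, profile and <a> links are not fetched
    const attrRe = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      if (attr[1].toLowerCase() !== wanted) continue;
      const value = attr[2] || attr[3] || attr[4] || "";
      const kind = classify(value);
      if (kind) findings.push({ kind, where: `<${name} ${wanted}>`, value });
    }
  }
  while ((css = cssRe.exec(source)) !== null) {
    const kind = classify(css[1]);
    if (kind) findings.push({ kind, where: "css url()", value: css[1] });
  }
  return findings;
}

// Constructed sample: rendered template output followed by one line of theme script.
const SAMPLE = `
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head profile="http://gmpg.org/xfn/11">
<script type="text/javascript" src="https://example.test/wp-content/themes/mytheme/js/menu.js"></script>
<img src="http://example.test/img/logo.png"><a href="http://example.org/">link</a>
<style>body { background: #767877 url(img/bg.jpg) repeat-x; }</style>
document.write('<script id="__ie_onload" defer src="javascript:void(0)"></script>');
`;
console.log(findInsecureReferences(SAMPLE));
```

Run it over the rendered HTML and each theme `.js` and `.css` file; "view source" alone misses markup that a script writes into the page at load time.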

  • The topic ‘“do you want to display non-secure items?” . . . IE security popup’ is closed to new replies.