andrew_sch

What are the restrictions of JavaScript under SSL (HTTPS)?

Hi Experts,

We are developing a Web site with extensive use of JavaScript, DHTML, XML and frames. Now we've been asked to move it to HTTPS. Where can I get docs, FAQs or any info about problems we are going to get into? What are the restrictions of JavaScript under SSL (HTTPS)? Mixed secured and not secured content?

What I'm looking for are good links to good info :)

Thank you in advance,

Andrew
Nitin Sontakke

None that I am aware of. I mean problems using JavaScript with HTTPS.

I am sure you are already aware of the concept of mixed content. If so, there is nothing very specific to JavaScript that I am aware of.
andrew_sch

ASKER

Hi NitinSontakke,

Does it mean that if I dynamically construct a non-secured URL using JavaScript in a secured page, IE will not prompt the user?

Andrew

If you go to "Tools | Internet Options | Advanced | Security" you will see the following setting.

'Warn if changing between secure and non secure mode.'

I am not an expert at this, but to my knowledge, the behaviour you mentioned above depends on whether or not the check box next to the above setting is checked.

Sure I can remove this check box, but I cannot do it on each client computer :)

Now that's exactly the point to be noted. There are clients who have turned off scripting altogether. What can we do about those?

In summary, this is something entirely controlled by the client environment and we cannot do anything about it.

You may still wish to have input from other experts, though.

I don't think you'll ever get to a point where you can develop a site that will handle all client environments. NitinSontakke correctly pointed out that there are clients who turn off scripting altogether and while this is true, I don't think it's the norm. My approach is to first ascertain who the primary target audience is. For instance, if I'm developing a site that will be trafficked by a large number of college students, then stuff like ActiveX is out of the question b/c it is an IE-specific technology and most colleges run *nix OS's.
I think JavaScript support is pretty much ubiquitous in today's browsers so it's the best technology to use to spice up your site.

Just my $0.02.

The "switching between secure and insecure" warning can be very scary for a non-expert Internet user. The warning makes it sound like something bad is actually happening when there is a very small chance that it really is.

To avoid that you need to make it so that all your content on an https page is accessed via https, even things like images. This usually involves a performance penalty because https is slower than http, but if you keep your https pages to a minimum (or keep your page volumes low) it won't matter.

To make that happen you should always use site-relative URLs like <img src="/images/whatever.gif"> where you don't specify the protocol.

Other than that, you should be able to run your DHTML/JavaScript fine. You can have paranoid users put the site in the IE Trusted Sites zone so that they can use JavaScript on your site but turn off JavaScript for the Internet zone.
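
The rule in the answer above (every subresource of an https page is fetched over https, with site-relative URLs for same-site content) can be checked mechanically. The following is an added example, not part of the original thread: a JavaScript audit that flags absolute `http://` subresource references in markup and proposes the site-relative form for same-host ones. The function name, the sample page and the hosts `www.example.com` and `cdn.example.net` are constructed for illustration, and the regex tag scan is a simplification of real HTML parsing.

```javascript
// Tags whose listed attribute triggers a subresource fetch. <a href> is
// navigation, not a subresource, so it is deliberately absent.
const SUBRESOURCE_ATTRS = new Map([
  ['img', 'src'], ['script', 'src'], ['iframe', 'src'], ['frame', 'src'],
  ['embed', 'src'], ['link', 'href'], ['object', 'data'],
]);

// Returns one finding per subresource referenced with an absolute http:// URL.
// `fix` is the site-relative form when the resource lives on siteHost, or
// null when it is third-party and must be offered over https or self-hosted.
function findMixedContent(html, siteHost) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi; // simplified tag scan
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attr = SUBRESOURCE_ATTRS.get(tag);
    if (!attr) continue;
    // Attribute value may be double-quoted, single-quoted or unquoted.
    const attrRe = new RegExp(
      '(?:^|\\s)' + attr + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
    const am = attrRe.exec(m[2]);
    if (!am) continue;
    const url = (am[1] || am[2] || am[3] || '').trim();
    if (!/^http:\/\//i.test(url)) continue; // relative and https URLs are fine
    let parsed;
    try { parsed = new URL(url); } catch (e) { continue; }
    const sameHost = parsed.hostname === siteHost.toLowerCase();
    const fix = sameHost ? parsed.pathname + parsed.search : null;
    findings.push({ tag, attr, url, fix });
  }
  return findings;
}

// Constructed sample of a page that will be served over https.
const SAMPLE_PAGE = `
<img src="http://www.example.com/images/logo.gif?v=2">
<img src="/images/whatever.gif">
<script src='http://cdn.example.net/lib.js'></script>
<link rel="stylesheet" href="https://www.example.com/site.css">
<a href="http://www.example.com/help.html">Help</a>
<frame src=http://www.example.com/nav.html>
`;

for (const f of findMixedContent(SAMPLE_PAGE, 'www.example.com')) {
  console.log(`${f.tag} ${f.attr}=${f.url} -> ${f.fix || 'serve over https'}`);
}
```

A static scan like this does not see URLs that scripts build at run time; the same rule has to be applied in the code that constructs them.
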
Thanks. With mixed content it is clear.

What about the following scenario: there is a pre-installed automation object that is activated from a secured page. Will I get a warning from IE? Let's assume I will not. Then I will be able to get an XML or HTML from this automation object and insert it into the page. Again, will it cause a warning message to appear?

Regards,
Andrew

I think it would depend on the user's browser settings and the specific code. Can you post a simple example?

To be able to post an example, I need to build the entire environment with secured server and build the automation object - actually I will be able to check and get an answer to my question by myself. The problem is that I have no time. I thought someone already worked with that and might know the answer.

In fact the question is not actual for me for the moment.
I recommend to delete it.

<recommendation>
DELETE
</recommendation>

Thank you for your help,
Andrew

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

PAQ - Refund
Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
ahosang
EE Cleanup Volunteer