This page contains both secure and non secure items.

Hi,

My application uses SSL on IIS6. Up on visiting some pages, IE 6 shows:
This page contains both secure and non secure items.
Do you want to display non-secure items?

Regardless I answer no (or yes), everything works fine.

We don’t like our users see that message because it makes them nervous without any good reason.


How can I track why the browser shows that false security alert?

Thanks,
Manesh
LVL 1
Manesh_nAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ahoffmannCommented:
> We don’t like our users see that message because it makes them nervous without any good reason.
deliver all and every content of that page with SSL

Even if it is technically correct and secure to use mixed pages, it confuses most users and they have no chance to see what is protected by SSL and what is clear text by http. That's why the browser complains.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SaineolaiCommented:
Is it possible that the page is pulling some content from a http url rather than a https URL?  Perhaps some additional embedded content.  Verify that all the components of the page come from a https url.
0
jhanceCommented:
The BEST way to ensure this in my view is to make sure you DO NOT use any http://www.domain.com/xxxx on the page.  Make sure ALL objects are included using RELATIVE references to your site.  That way all items will be reference using the "parent" URL which will be http or https.

This warning happens most often because an image or some other object was included using a full URL rather than a relative one.
0
How do you know if your security is working?

Protecting your business doesn’t have to mean sifting through endless alerts and notifications. With WatchGuard Total Security Suite, you can feel confident that your business is secure, meaning you can get back to the things that have been sitting on your to-do list.

rairdonmCommented:
Basically, all you need to do is view the page source or source code.  search for anything that contains "http" vs "https".  Any image, url or other links that go to a "http" are unsecure and are being displayed with your secure page.

If you click no, ONLY the secure information will be rendered.  You may find broken image links or missing text.

If you click Yes, BOTH the secure and non secure information is rendered.

Bottom line, in order to fix this, you have to make sure all href, img src, etc are going to the same https on the web document.

0
FermionCommented:
Open IE
Click TOOLS/INTERNET OPTIONS/ADVANCED tab

Scroll down to SECURITY(should be all the way down)
Uncheck "warn if changing between secure and not secure mode"

Close IE
Restart IE

Your done.
0
FermionCommented:
Note: you may also need to uncheck the next item:
"warn if forms submittal is being redirected"
0
FermionCommented:
Oh, be sure to click APPLY and then OK on those above steps before exiting and restarting IE.
0
floorman67Commented:
since your application requires internet explorer, it will use the client settings for the user/machine.

you can not alter this unless you make the changes in the users/machines internet explorer.

if you ahve full control over all the users/machines at your place of business, then by all means, do as the previous responder suggested and change all IE settings for notification warnings.

if not, then you can not ethically suspend notifications of another users machine without globally affecting their browsing enviroment and privacy, unless you place a warning for it or popup otion to ahve them do this in your application.

so dont jsut program your application to make these changes in the users machine without them knowing.
0
rairdonmCommented:
Ok...you've changed the browser...but not the code (which IS the problem).

and made it less secure:
Scroll down to SECURITY(should be all the way down)
Uncheck "warn if changing between secure and not secure mode"

Note: you may also need to uncheck the next item:
"warn if forms submittal is being redirected"

PLEASE TRY TO FIX THE CODE FIRST.

If you have no control over the developed web pages, making IE less secure (or annoying) isn't the solution.  And it's only temporary until the same user logs onto a different computer or different username, or the next update to windows or IE reset, etc...you'll revisit this OVER AND OVER.  It would be better to explain what's happening ONCE to whoever knocks on your door than reconfiguring IE.

One good point made by floorman is an ethical issue regarding browser environment and privacy.  Is the lesser of evils making the pop-ups go away by rendering the browser less secure and private?  What if your end users to online banking?  What if your browser is redirected to malicious code?  There would be no warnings for them to intervene.

Here's what the "more info" produces when a security information dialog like yours pops up.

"Downloading non-secure content from a secure Web site

The Web site you are viewing is a secure site. It uses a security protocol such as SSL (Secure Sockets Layer) or PCT (Private Communications Technology) to secure the information you send and receive.
When sites use a security protocol, information that you provide, such as your name or credit-card number, is encrypted so that other people can’t read it. However, this Web page also contains items that do not use this secure protocol.
Given what you know about this Web site and your computer, you must decide whether to continue working with this site.

If you do not feel confident about working with this site, click No. "
0
adamtodd16Commented:
This issue has nothing to do with the browser that the user is accessing your site with. Go through your code and remove any http://www.sitename.com - everything should be completely relative; not hard-coded. This includes urls, images, etc.

Example:
<a href="http://www.sitename.com/news/index.html">
Should be:
<a href="news/index.html> or something along those lines.

Feel free to post the code or send it over and I will gladly take a look for you.
0
Manesh_nAuthor Commented:
Hi
I am using IFRAME in one of the pages. How can I use IFRAME for HTTPS

Manesh
0
ahoffmannCommented:
<iframe src=https://..... >
<iframe src=//..... >

the latter one automatically inherits the schema from the page
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.