Reputation: 17784
Mixed Content Warning IE: What matters; css, images, everything?
I have just moved my site from http to https and IE-9 started showing non-secure content warning at home page. This warning is understandable because i have one http call to googleapi for getting jquery script. But when I login and enter the inner pages there is no warning from IE despite the fact that most of the images are coming from other servers through http protocol. So the question: Is getting image over http is fine when accessing site over https? Does only css and js matters? or shall I have to get all the data through HTTPS? If so how is my scenario justifiable (getting images over http from other server on https page without warning)?
Upvotes: 2
Views: 1777
Answers (2)
Reputation: 25455
You can use the protocol-relative URL on all your urls to avoid this issue in IE.
Basicaly, instead of linking to a js/image/css by using its full path with the protocol, you instead link to it by leaving out the protocol bit and just using a double slash, //.
This will have the effect of all the above links inheriting the protocol from the parent page.
Of course this depends on you having valid SSL certs on the domains you're serving the different files form.
One other thing to note also is that images in your pages or CSS that are done using data URI could also cause mixed content warnings in IE.
To find out what files are causing issues, I recommend using Fiddler
There is also another tool that a fellow SO user, Eric Law wrote:
Install it from http://www.bayden.com/dl/scriptfreesetup.exe and you will get a different mixed content prompt which shows the exact URL of the first insecure resource on the page. That tool is basically a prototype and you should uninstall it when you're done with it. It works on IE8 and you should install it as admin.
Upvotes: 2
Reputation: 67039
If you load CSS and JS over HTTP then an attacker can inject executable code. Unfortunately IE will execute JavaScript within CSS. The problem with loading images over HTTP from the same domain is that the browser will likely spill the session id in plain text which is a violation OWASP a9.
Upvotes: 3
Related Questions
- stop ie showing security warning when loading non secure images on secure page
- IE8 and "Img that was delivered securely" warning
- Why would IE NOT throw a mixed content security warning in this scenario?
- What exactly are the rules for avoiding the "mixed content" warning in IE due to background images?
- IE7 and 8 gives mixed content warning when page is load with JQuery.load
- SSL: Insecure Content IE
- mixed content security warning in IE tab
- Mixed Content Warning in Internet Explorer
- Mixed Content Warnings in IE7 caused by JavaScript and Images
- Browser mixed content warning - what's the point?