
Previously on "Mixed content"


  • NickFitz
    replied
    Originally posted by k2p2 View Post
    Full marks Nick - site correctly requesting https. Apache config then redirecting to http.



  • mudskipper
    replied
    Originally posted by NickFitz View Post
    (N.B.: if they've cocked-up the server and are redirecting requests from https to http that will cause the message; you can use Fiddler to check for that.)
    Full marks Nick - site correctly requesting https. Apache config then redirecting to http.



  • mudskipper
    replied
    Originally posted by NickFitz View Post
    https has to start at the client. If it makes an http request, and the server redirects it to https, then it repeats the request using https. If the client is making a request for a page over https, and then requesting content referenced by that page over http, then there must be something in that page specifying that the content should come over http. Relative URLs are relative to the URL of the containing page, unless overridden by a <base> tag.

    (N.B.: if they've cocked-up the server and are redirecting requests from https to http that will cause the message; you can use Fiddler to check for that.)

    However, IE8 will also throw up the mixed content warning if they are using javascript: URLs in certain circumstances. Search the source for anything like javascript:void. Also have a look in any JavaScript libraries they are using; some of them use a trick to get IE to simulate the DOMLoaded event that involves writing out a <script src="javascript:void(0)" defer> tag, which will trigger the warning. I believe JQuery and YUI have both had this problem in certain versions, and both have fixes available.

    Also, check out this post by MS's Eric Law.
    Thanks Nick - I'd found some posts about the javascript:void(0) thing - can't find any instances, although they are using jquery. Will check again on Monday.



  • NickFitz
    replied
    Originally posted by k2p2 View Post
    There is shedloads of unused stuff. The HTML is truly shocking - badly formed, code between </head> and <body> - a real mess. Hardly surprising there's problems. Not sure what you mean by unreferenced.

    My question was really how apache deals with it - I'm guessing they're using a Rewrite to map http to https for the secure pages. If they are, does stuff with a relative path also come over https? Http watch would suggest not.
    https has to start at the client. If it makes an http request, and the server redirects it to https, then it repeats the request using https. If the client is making a request for a page over https, and then requesting content referenced by that page over http, then there must be something in that page specifying that the content should come over http. Relative URLs are relative to the URL of the containing page, unless overridden by a <base> tag.

    (N.B.: if they've cocked-up the server and are redirecting requests from https to http that will cause the message; you can use Fiddler to check for that.)

    However, IE8 will also throw up the mixed content warning if they are using javascript: URLs in certain circumstances. Search the source for anything like javascript:void. Also have a look in any JavaScript libraries they are using; some of them use a trick to get IE to simulate the DOMLoaded event that involves writing out a <script src="javascript:void(0)" defer> tag, which will trigger the warning. I believe JQuery and YUI have both had this problem in certain versions, and both have fixes available.

    Also, check out this post by MS's Eric Law.

    Leave a comment:
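An added example, not part of any post in this thread: a Python sketch that checks a page's markup for the three causes NickFitz lists above (an explicit http URL or an http `<base>`, an https request that the server redirects to http, and a `javascript:` URL used as a script `src`). The host name, sample markup and redirect capture are constructed, and `Refs` and `audit` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class Refs(HTMLParser):
    """Collect the first <base href> and each src on script/img/iframe tags."""
    def __init__(self):
        super().__init__()
        self.base, self.refs = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]                 # only the first <base> counts
        elif tag in ("script", "img", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"].strip()))

def audit(page_url, html, redirects=None):
    """Return (tag, ref, reason) per insecure reference; redirects maps URL -> Location."""
    redirects, p = redirects or {}, Refs()
    p.feed(html)
    base = urljoin(page_url, p.base) if p.base else page_url
    found = []
    for tag, ref in p.refs:
        if ref.lower().startswith("javascript:"):
            if tag == "script":                   # the IE8 trigger from the post
                found.append((tag, ref, "javascript: URL as script src"))
            continue
        first = url = urljoin(base, ref)          # what the browser requests
        for _ in range(10):                       # follow recorded redirects, max 10 hops
            url = urljoin(url, redirects.get(url, url))
        if urlsplit(url).scheme != "http":
            continue
        if urlsplit(first).scheme == "https":
            reason = "https request redirected to http"
        elif p.base and not urlsplit(ref).scheme:
            reason = "relative URL resolved against http <base>"
        else:
            reason = "explicit http URL in page"
        found.append((tag, ref, reason))
    return found

# Constructed sample: page markup plus one redirect as read from a proxy capture.
PAGE = "https://shop.example/secure/checkout.html"
HTML = """<head><script src="/common/js/app.js"></script>
<script src="javascript:void(0)" defer></script></head>
<body><img src="http://shop.example/common/img/logo.png">
<img src="img/padlock.png"></body>"""
REDIRECTS = {"https://shop.example/common/js/app.js":
             "http://shop.example/common/js/app.js"}
if __name__ == "__main__":
    print(*audit(PAGE, HTML, REDIRECTS), sep="\n")
```

The relative `img/padlock.png` is not reported: with no `<base>` and no downgrade redirect it resolves to https, the same as its containing page.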


  • Saddo
    replied
    I use HTML Validator to check the HTML content for different browsers - there is a free version:

    CSE HTML Validator - Powerful HTML Validator, XHTML Validator, CSS Validator, and More



  • mudskipper
    replied
    OK - convinced myself there is definitely unsecure content. Have sent polite email to developers. Not my job to sort it thankfully

    Thanks for the suggestions - just wanted to check I wasn't misunderstanding http watch - pretty sure I'm not.



  • mudskipper
    replied
    Originally posted by Cliphead View Post
    Do you have any unreferenced / unused images in CSS or code?
    There is shedloads of unused stuff. The HTML is truly shocking - badly formed, code between </head> and <body> - a real mess. Hardly surprising there's problems. Not sure what you mean by unreferenced.

    My question was really how apache deals with it - I'm guessing they're using a Rewrite to map http to https for the secure pages. If they are, does stuff with a relative path also come over https? Http watch would suggest not.



  • mudskipper
    replied
    Originally posted by NickFitz View Post
    Have you checked the HTML for a <base> element, e.g. <base href="http://example.com/">? That would cause relative paths to use http rather than https.
    No base tag.



  • Cliphead
    replied
    Do you have any unreferenced / unused images in CSS or code?



  • NickFitz
    replied
    Have you checked the HTML for a <base> element, e.g. <base href="http://example.com/">? That would cause relative paths to use http rather than https.



  • mudskipper
    replied
    Thought about this - I reckon they've configured specific paths to be secure, but because the js and images are in a common part of the directory structure they're not coming in on https.

    Surely can't be that obvious - this has been P1 issue for months...



  • mudskipper
    started a topic Mixed content

    Mixed content

    Really noddy question...

    Currently testing website for clientCo. For the past 2 months we've been logging issues around mixed content messages. IE8 is completely bust - none of the AJAX calls work unless you explicitly configure the browser to allow mixed content.

    The developers (a well-known offshore outfit) seem to be struggling with this - they've brought in consultants for what is known as "the IE8 issue" but been unable to resolve it. Other browsers (e.g. Firefox) show a broken padlock but don't actually give a warning message.

    The site is on apache and I understand the https is configured there. My background is IIS and we always set up https in the code, so my understanding of apache config is based on my good friend google.

    I have no access to source, but looking at the html, the calls to js and many of the images are using relative paths.

    When I use http watch to see what is being delivered, all the js and some of the images are showing as coming over http. The main page content is shown as https.

    Onshore rep of offshore company is telling me that apache steps in and delivers the content over https anyway. But http watch (and firebug and everything else!) shows http.

    If http watch shows http does that mean it's http? Either there's a gap in my understanding, or they're missing the obvious. Don't want to escalate it if I'm gonna look stupid...

    TIA
