Security Warning on SSL site

Poster: eleanorb
Dated: Thursday August 7 2008 - 15:11:34 BST

Hi

I have installed the milonic menu system on a secure SSL site and get this security warning:

"This page contains both secure and nonsecure items.

Do you want to display the nonsecure items."

I guess this means that there are mixed zones and I believe I need to eliminate any "http" references - which your menu system seems to use.

Any advice would be appreciated.

E

Re: Security Warning on SSL site

Poster: John
Dated: Thursday August 7 2008 - 15:27:49 BST

We need to see your code to see what you are pulling from where. URL?

As I'm sure you know, this is a pretty standard message. However, I also understand that most users are not savvy enough to understand what it means. We'll help if we can.

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Thursday November 6 2008 - 17:41:23 GMT

John,

Seeing this thread and having the same issue I wanted to add in my comments. I also believe that I have narrowed down the problem, maybe, as well as exactly how to recreate it (every developers dream when looking for a bug).

I have a fully secured website under SSL 3.0 (2.0 is disabled) and have not had any issues with the menus. BTW, good job on this stuff. I was having a couple of users comment on my new site being a little "slow" in rendering pages but not all. I found another thread that I think will address this. However, I appear to have gotten off topic. My menu version was 5.801 and had no issues. Thinking that an upgrade to 5.805 would correct my "slowness" issue I upgraded to it. What I discovered was that any user in IE6 was getting the Secure / Non-Secure warning message 3 times per page. Each surrounding the menu. In doing some additional digging I found a reference on Microsoft regarding SSL and the use of IFrames and the mixed security warning message.

http://support.microsoft.com/default.aspx?scid=kb;en-us;261188

Not sure if the menu is using iFrames or not but this might be a place to start. Menu version 5.801 does not have this issues but 5.805 does. IE7 did not have any issues with 5.805.

Hope that helps

Re: Security Warning on SSL site

Poster: John
Dated: Thursday November 6 2008 - 18:16:43 GMT

Thanks for the good info, Kai. Hopefully this will help E's problem.

Re: Security Warning on SSL site

Poster: Andy
Dated: Friday November 7 2008 - 15:09:54 GMT

Hi,

Can you please try version 5.806 of the menu - There was an issue that we hop to have fixed now.

Cheers,
Andy

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Wednesday December 3 2008 - 18:15:38 GMT

Andy,

I have just attempted to upgrade to 5.810 to get the changes regarding the Norton Internet Security issue. However the minute I installed it and tested it all pages were getting the 3 security warning boxes. This appears to only be happening on IE6 which, sadly, is the primary browser for my workplace and my users. It does not appear to be an issue in other version or browsers that I can see. So it seems to still be related to the iFrame concept inside the menu itself. I will do some deep digging on the 5.810 and see if I can find the area that may be impacted with in the menu javascript.

Re: Security Warning on SSL site

Poster: Andy
Dated: Wednesday December 3 2008 - 18:40:50 GMT

Do you see the problem with our secure pages at https://www.milonic.com/mydetails.php ?

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Wednesday December 3 2008 - 18:53:31 GMT

Andy,

Yep, I followed the link you provided and was getting the exact same error as on my testing area. This was using IE6. I testing under FF3 and no issues. Depending on the Menu "make up" it will be from 1 to 3 (maybe more) security warning boxes before the menu will display. It is also interesting to note that answering Yes or No on the secirity warnings have no impact (or at least none that I have found) with the Menu displaying after the last security warning box.

Bob

Re: Security Warning on SSL site

Poster: Andy
Dated: Wednesday December 3 2008 - 19:07:06 GMT

This is to do with the IFRAME masking and the fact that we use a link of javascript:false; to indicate that a link is present and stop the browser from complaining about insecure pages.

There is a way of ficing this but it means changing the mmenudom.js file and also creating an empty HTML file that you need to upload to the root of your website.

1. create a file called blank.html and upload it to the root of your website.

2. Edit mmenudom.js and replace all this javascript:false; with /blank.html - It's in 2 places

That should do the trick.

-- Andy

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Wednesday December 3 2008 - 21:54:20 GMT

Andy,

Ther does not appear, or at least to me, any reference in the script page called javascript:false; I have searched several times. I have even tried searching for that in all files related to the menu and do not find this reference. As a follow up jsut to restate. This has never been an issue up to version 5.801. Only with version since that time.

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Wednesday December 3 2008 - 22:18:44 GMT

Andy,

As a follow up to the last posting I did some additional digging. On my test server where I am attempting to get 5.810 working past that security error on IE6 and attempting to follow your suggestion on the javascript:false; replacement I have found that in 5.810 there is no such statement. I then went to my production server which is using 5.801 just to see if it was there. Sure enough I was able to find at least one reference to javascript:false;. 5.801 works and has this statement and 5.810 does not work and does not have this statement. This again only appears to impact IE6 which many of my users are still on. Could this have been a possible oversight during one of the version updates?

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Friday December 5 2008 - 16:57:50 GMT

Any ideas on this one yet?

Re: Security Warning on SSL site

Poster: Andy
Dated: Friday December 5 2008 - 17:18:32 GMT

Sorry for the delay.

I've just looked and sure enough the code is not there. This code was changed a version of so ago and I forgot about it, sorry.

Anyway, here is what you need to change:

if(_L.protocol=="https:")F=" src="+_jv; to if(_L.protocol=="https:")F=" src=/blank.html";

and

if(_L.protocol=="https:")f.src=_jv; to if(_L.protocol=="https:")f.src="/blank.html";

Let me know if you still have problems

Cheers,
Andy

Re: Security Warning on SSL site

Poster: KaiHogan
Dated: Friday December 12 2008 - 18:14:30 GMT

Andy,

Thanks for the info. I was about to post a reply stating that while this might work it would be short lived as I would have to make these changes every time I updated to a new menu. I was about to research and see if there was some form of where this could be changed, without the need for a local "blank.html" file . But, before I went down this path I wanted to make sure I was still on the latest version. LOL, well I found out that we are now up to 5.812 as of today. In fact it is so new you do not have the hot sheet up yet with the changes. . I pulled the newest version down to my server and viola! It works as expected and in reviewing the code I see you made a change that I was going to explore for a possibility. Thanks for addressing this. Makes it a lot easier than trying to remember what "patch" I added on top of an already working product.

Kaihogan.

Re: Security Warning on SSL site

Poster: Andy
Dated: Friday December 12 2008 - 20:10:29 GMT

It turns out that if you have "Allow active content to run in files on my Computer" selected you do not see the warning. It was only once I "Restored Defaults" that I saw the problem.

Sorry about the bug - all fixed now