I have a web application which works perfectly fine on my own machines and perfectly fine on my customer's PCs, but on their customers' machines they get the Mixed Content prompt coming up on each page they visit.

However it doesn't matter whether they answer yes or no to the question, they still get all of the functionality of the site.

We cannot ask them to disable the warning, since they would then consider our application not secure and not use it.

I've installed HttpWatch and none of the resources or URLs being loaded are insecure. The codebase for any Flash objects is called using https. I've checked for any removeChild() function calls in the scripts and none of them are called on divs with a background image. We have no calls to javascript:void anywhere in the codebase.

I'm at a loss as to what to check next. Is there any way, without being too intrusive, to find out what insecure objects the page is trying to load? This has to be something that will work on IE7 or 8, as we are not allowed to install anything on their machines.

+1  A: 

Do you have any links to #?

That is, I had an

<iframe src="#"/>

That caused exactly what you were describing.

Editing: any iframe without a src, or with a src that IE doesn't love, will cause this bug. Also, there's potential that editing CSS to include images and using a relative URL may also cause this one, so dynamic drop-down menus with an image of a down arrow on them might also cause the problem.

If you have access to the page, try removing chunks of it at a time, and see if the error still occurs to track down where on the page it might be happening. iframes and then CSS would be my top two bets.

Dean J
A: 

Other than what Dean has suggested, why not try installing Firebug (Firefox) and see everything that the page requests?

Shoban
A: 

In addition to the IFRAME, it could be, as mentioned, CSS. The best way to tell if that's the case -- and I did so -- was to use the IE8 Developer Tools (F12) under Disable > CSS and see if the problem occurs. If yes, not in CSS. If no, in CSS. (In my case, I had a hard-coded URL in background-image tag that used http://. The fix was to make the image relative.)

bishop
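
A static check of page source for the causes named in the answers above (an iframe with a missing or "#" src, and http:// URLs in CSS or in resource attributes), run on the server side so nothing is installed on client machines. This is an added example, not part of the original thread; the class and function names and the sample hostnames are made up for illustration.

```python
import re
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "data", "codebase", "background"}  # attributes that trigger a fetch
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    """Collects (line, kind, detail) findings from one HTML document."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False

    def _css(self, text):
        # Line number = start of this chunk plus newlines before the match.
        for m in CSS_URL.finditer(text):
            line = self.getpos()[0] + text.count("\n", 0, m.start())
            self.findings.append((line, "http-css-url", m.group(1)))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        self._in_style = tag == "style"
        if tag == "iframe" and attrs.get("src", "") in ("", "#"):
            self.findings.append((self.getpos()[0], "iframe-src", attrs.get("src", "")))
        for name, value in attrs.items():
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetches and value.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], "http-resource", f"{tag}[{name}]={value}"))
        self._css(attrs.get("style", ""))  # inline style="..." attributes

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # text inside a <style> block
            self._css(data)

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)

# Constructed sample page (hostnames are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<style>
.menu .arrow { background-image: url(http://static.example.test/down.png); }
.logo { background-image: url(/img/logo.png); }
</style></head><body>
<iframe src="#"/>
<iframe></iframe>
<iframe src="https://app.example.test/frame.html"></iframe>
<embed src="http://static.example.test/movie.swf">
<div style="background: url('http://static.example.test/bg.gif')"></div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

It only sees markup and inline or embedded CSS passed to it; external stylesheets and script-generated iframes need to be fed through `scan` (or the CSS regex) separately.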