I have a page that is under SSL.
However, in IE6, I get a notification:
"This page contains both secure and non-secure items" etc.
I've looked at all the HTTP requests for that page in both Firebug and Wireshark, and non of it seems to be sent over plain HTTP, all the resources are being fetched over SSL/TLS. However, IE6 still gives the non-sure items notification.
The filter I am using in Wireshark to filter Firefox is:
http.user_agent eq "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
For IE Only:
http.user_agent eq "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 6.1; WOW64; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8; MALC)"
Update:
All three network protocol analysers (Wireshark, Fiddler, Charles) show that all the requests are over HTTPS. IE6, 7 and 8 all show the "non-secure content" warning. Anyone have any idea if there is something else triggering IE?
Update 2:
It turns out it is tied to some JavaScript:
document.write("<script type='text/javascript' id=__ie_onload defer src=javascript:void(0)><\/script>");
This is specific for IE to emulate window.domReady event. The src=javascript:void(0) is what is triggering IE to show the insecure notice.
Now I'd like to replace javascript:void(0) with an equivalent that doesn't trigger the insecure notice.
These also triggered insecure:
javascript:;
about:blank;
This errored a version of IE:
#
''
Any ideas?
Fore reference here is the full JS file: http://closure-compiler.appspot.com/code/jscbfa82c39e2e310e33f1786fb9a83f9ee/default.js