IE7 - meta refresh inside an HTTPS IFRAME causes mixed content warning

Question

I have an ASP.NET application that implements keep-alive by using a hidden IFRAME with a refresh header (or meta refresh tag in the page).

For many - but not all - instances of Internet Explorer (reproduced so far on IE7 and IE8 beta - but not for everyone!) if you move between two secure pages that both contain this keep-alive IFRAME, you get something like this sequence of events:

 0s: load page1.html - includes keepalive.html, schedules a refresh at 15s
 5s: click the page2 link
     load page2.html - includes keepalive.html, schedules a refresh at 20s
15s: refresh of frame on page1 happens; mixed content error box displayed

At this point the error "This page contains both secure and non-secure content" is displayed in the browser.

page1.html:

<html><head><title>Page 1</title></head><body>
<h1>This is Page 1</h1>
<p><a href="page2.html">Go to Page 2</a></p>
<iframe src="keepalive.html" width="500" height="200" />
</body></html>

Page 2 is the same but says Page 2, and links to Page 1, instead.

keepalive.html:

<html><head>
<meta http-equiv="refresh" content="15" />
</head><body>
<h2>This is the keep alive</h2>
</body></html>

In all the browsers I have tested this in I have ensured that the internet zone has permission to do a meta refresh and is set to prompt when displaying mixed content. I have read all the pages suggesting that you need to have a src="" tag on your IFRAME or IE will consider it insecure - by design it has to have a src tag, which is that of the keep-alive page.

If you sit on Page 1 forever, the IFRAME refreshes fine. The error only shows up the first time after you change to Page 2.

I am looking for a way to fix this with minimal change: a better method for keep-alive would be to use a control & automatically-refreshing images, which I will investigate for future versions. A possible workaround I have in mind is having contents of the IFRAME be a regular XMLHttpRequest to the server, instead of a meta refresh. A simpler bugfix would be even better.

---

Update: I have marked Grant Wagner's answer as correct because it lead me to the actual problem: the Lenovo Password Manager add-on, CpwmIEBrowserHelper, causes this error. This neatly explains why some people see this problem and not others - most of the people I asked have ThinkPads. Disabling the extension makes the refresh problem go away.

As we can't cause everyone who might use the application to fix this problem, we are going to go with a javascript timer and refreshing the window location, updating the keepalive.html page to look like this:

<html><head>
<meta http-equiv="pragma" content="no-cache">
</head><body>
<h2>This is the keep alive</h2>
<script type="text/javascript">

  setTimeout ('ReloadPage()', 15000 );

  function ReloadPage() {
     window.location = window.location;
  }

</script>
</body></html>

Answer 1

Try setting the iframe with the full URL starting with https, I've ran accross this in the past, I think this was the solution.

Answer 2

I tried your test page in IE 6, 7 and 8 (release) and could not reproduce the problem.

Some things to check:

• Download Fiddler and verify the URL being requested by the META REFRESH. Ensure it is in fact https. Also, make the query string to keepalive.html unique for pages 1 and 2 so you can verify which request is causing the message box to appear.
• Make sure all affected browsers are seeing the site in the same security zone (check the status bar across the bottom and ensure all instances of IE say either 'Internet' or 'Local intranet'). If browsers in one zone are working but those in another are not, you can try getting them all in the same zone.
• Start Internet Explorer without any Add-ons (Start > All Programs > Accessories > System Tools > Internet Explorer (No Add-ons)) or (Start > Run > iexplore -extoff). Does the same thing happen on the afflicted systems? This story is unrelated to your specific problem, but a couple of years ago I had one user whose session (maintained by a session cookie) was not surviving in a secondary window. It turned out that a popular cursor Add-on she had downloaded and installed was preventing the sharing of cookies between two different IE windows. The point of the story is that IE Add-ons can sometimes cause strange behaviour you wouldn't associate with an Add-on. Best to rule them out by trying it with in No Add-ons mode.
• Ensure all machines are running the same build of Internet Explorer (Help > About Internet Explorer or go to http://update.microsoft.com/)

Frankly I'm concerned about the nature of the problem. You're saying that visiting page 1 sets a timer to refresh the iframe, then you navigate away from that page, and the refresh still occurs at the designated time, even though you've navigated away from the page containing the iframe which contains the META REFRESH. Navigating away from page 1 should stop the timer on the initial iframe refresh. That's why I think you should use Fiddler (and a unique keepalive.html query string) to verify it is the request from the iframe on page 1 causing the problem.