Tuesday, January 12, 2010

Taming the mixed HTTPS/HTTP webpage content prompt in Internet Explorer 8

Some web sites that serve up pages using HTTPS after you log in still have embedded elements (often images) that are served up insecurely (by HTTP) for a variety of reasons, such as: a performance boost by avoiding the SSL overhead, use of a third party server's bandwidth, web bugs for tracking your surfing habits, etc.

In Internet Explorer 8, when such a mix of HTTPS and HTTP connections are served up on a single page, a pop-up dialog box says:
Security Warning: Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
If you want to display the mixed content in IE 8, you will need to click "No" even though it is NOT the default choice.

Previous versions of IE (such as IE 7) asked the user, "Do you want to display the nonsecure items?", and you could click the default button of "Yes" to display the mixed content (or hit the Enter key). But since that default choice wasn't the most secure option, the developers of Internet Explorer reworded the prompt so that the answer that gets the whole page to load completely changed from 'Yes' to 'No'. You can read all about this topic on Eric Law's MSDN Blog.

If, like me, you find the prompt annoying, the MSDN recommendation is to go into the IE menu item 'Tools > Internet Options > Security > Internet Zone > Custom' and change the "Display mixed content" option to "Disable". This will always block non-secure content in secure pages, without the annoyance of the prompt. You will need to agree to the prompt "Are you sure you want to change the settings for this zone" and hit OK to close the dialog box. NOTE: you may need to tap the 'Alt' key on your keyboard to get the menu items to appear in the toolbar area of your web browser.

For some in-house web applications whose Development and QA servers aren't using signed SSL certificates, I've added those hosts into my list of 'Trusted Sites' and changed the "Display mixed content" option to "Enable" in that zone only.
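The same two zone changes (Internet zone to "Disable", Trusted sites to "Enable") can be applied and audited from PowerShell instead of clicking through the dialogs. This is an added example, not from the original post; it assumes the documented per-user zone keys under Internet Settings\Zones (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites) and the documented action value 1609 for "Display mixed content" (0 = Enable, 1 = Prompt, 3 = Disable). A Group Policy setting under HKLM, if present, overrides these per-user values.

```powershell
# Added example: script equivalent of Internet Options > Security > Custom level >
# "Display mixed content". Assumptions: per-user zone keys and action 1609 as documented
# by Microsoft (KB182569); values 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$MixedContentAction = '1609'
$Zones = @{ 'Local intranet' = 1; 'Trusted sites' = 2; 'Internet' = 3; 'Restricted sites' = 4 }
$SettingCodes = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Get-MixedContentSetting {
    # Report the current "Display mixed content" setting for every zone.
    foreach ($entry in ($Zones.GetEnumerator() | Sort-Object Value)) {
        $key   = Join-Path $ZoneRoot $entry.Value
        $value = (Get-ItemProperty -Path $key -Name $MixedContentAction -ErrorAction SilentlyContinue).$MixedContentAction
        $name  = 'Not set (IE default)'
        if ($null -ne $value) {
            $match = $SettingCodes.GetEnumerator() | Where-Object { $_.Value -eq [int]$value }
            $name  = if ($match) { $match.Key } else { "Unknown ($value)" }
        }
        [pscustomobject]@{ Zone = $entry.Key; Value = $value; Setting = $name }
    }
}

function Set-MixedContentSetting {
    # Write the per-zone value; IE reads it the next time it starts.
    param(
        [Parameter(Mandatory)][ValidateSet('Local intranet','Trusted sites','Internet','Restricted sites')][string]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enable','Prompt','Disable')][string]$Setting
    )
    $key = Join-Path $ZoneRoot $Zones[$Zone]
    Set-ItemProperty -Path $key -Name $MixedContentAction -Value $SettingCodes[$Setting] -Type DWord
}

# The post's configuration: block silently in the Internet zone, allow only in Trusted sites.
Set-MixedContentSetting -Zone 'Internet' -Setting 'Disable'
Set-MixedContentSetting -Zone 'Trusted sites' -Setting 'Enable'
Get-MixedContentSetting | Format-Table -AutoSize
```

Run Get-MixedContentSetting on its own first to record the current values; the Trusted sites zone loads mixed content with no prompt at all once set to Enable, so keep that zone's site list limited to the in-house hosts you intend.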
