Mixed Content Warnings Over HTTPS
I thought I'd describe a problem (and the solution we tracked it down to be) that came up this week at work.
The last few months at work my team has been building an ASP.NET application that has a lot of client-side code as well as server-side. It was deployed this week to a test production server and was made accessible only over SSL. The site worked perfectly, but when you first arrived there, IE was throwing a Mixed Content Warning, saying that some of the page was not sourced over SSL.
We scratched our heads over this one for a while, wondering what the hell it could be, since it was a self-contained site that referenced no locations other than itself. And even when we said no, don't allow the non-secure content, the site worked perfectly.
It ended up that the solution was extremely simple. One part of the page includes a custom treeview control that obtains child nodes on expansion from the web server via a hidden IFRAME. By default, there was no source location set on it - a location wasn't necessary until you clicked the little [+] image next to the tree node to force an expansion.
So what does IE render in an un-targetted (I don't know if that's a real word, but I like it) IFRAME? It navigates to about:blank of course! The problem with this is that about:blank is definitely NOT obtained via https - and hence throws a mixed content warning. We changed the IFRAME to point at a page on the secure site (blank.aspx I believe it's called :) and the warning went away.
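A quick way to catch this before deployment, as an added example that is not part of the original post: the script below scans markup for IFRAMEs with no src, an explicit about:blank, or an http:// source. The function names, element ids and example.test host are made up for illustration; blank.aspx is the page mentioned above.

```javascript
// Pull one attribute value out of a tag's attribute text (quoted or bare).
// Requires whitespace (or start of text) before the name, so data-src != src.
function getAttr(attrs, name) {
  const re = new RegExp(
    String.raw`(?:^|\s)${name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))`, "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3];
}

// Classify an IFRAME src as it would behave on a page served over https.
function classifySrc(src) {
  if (src === null) return "missing";        // no src: IE navigates to about:blank
  const v = src.trim().toLowerCase();
  if (v === "") return "missing";            // empty src is no better
  if (v === "about:blank") return "about-blank";
  if (v.startsWith("http://")) return "insecure-http";
  return "ok";                               // https:, relative or //host/ URLs
}

// Return one finding per IFRAME that would not be fetched over https.
function findRiskyIframes(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;       // opening tags only
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const reason = classifySrc(getAttr(m[1], "src"));
    if (reason !== "ok") {
      findings.push({ id: getAttr(m[1], "id"), reason, tag: m[0] });
    }
  }
  return findings;
}

// Constructed sample markup: the first IFRAME mirrors the hidden treeview
// loader described above, the third mirrors the blank.aspx fix.
const sampleHtml = `
<div id="tree">
  <iframe id="treeLoader" style="display:none"></iframe>
  <iframe id="explicitBlank" src="about:blank"></iframe>
  <iframe id="fixed" src="/blank.aspx" style="display:none"></iframe>
  <iframe id="absolute" src='https://example.test/blank.aspx'></iframe>
  <iframe id="plain" src=http://example.test/nodes.aspx></iframe>
</div>`;

for (const f of findRiskyIframes(sampleHtml)) {
  console.log(`${f.id}: ${f.reason}  ${f.tag}`);
}
```

Because it works on a string of markup, it can run over rendered page output in a build or test step without needing a browser.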
The moral of the story? Plug your own hole? No, probably not.
Don't talk to strangers? *shakes head*
Always cover your ass. That might be getting closer.
Ah, I've got it.
So the next time your TV goes on the fritz or your washing machine conks out, turn on all the lights, look in your cupboards or under the bed. Cause you just can't tell. (Come on, name that movie! :)