http://wordpress.org/support/ WordPress › Support Topic: "do you want to display non-secure items?" . . . IE security popup en Thu, 26 Nov 2009 16:09:23 +0000 http://wordpress.org/support/topic/285691#post-1123078 Wed, 01 Jul 2009 21:57:00 +0000 Otto42 1123078@http://wordpress.org/support/ <p>That is a sorta commonplace bit of code to make something run after the DOM has loaded but before all the images have loaded on multiple types of browsers. In this case, it's doing loadMenus(); after the DOM loads.</p> <p>More info on this technique, including an alternative approach, can be found here: <a href="http://www.kryogenix.org/days/2007/09/26/shortloaded" rel="nofollow">http://www.kryogenix.org/days/2007/09/26/shortloaded</a></p> <p>You tend not to see this sort of thing very much anymore, since more people are using libraries like jquery, which all have this sort of thing built in already. </p> http://wordpress.org/support/topic/285691#post-1123042 Wed, 01 Jul 2009 21:23:29 +0000 NDP 1123042@http://wordpress.org/support/ <p>The theme idea helped me to narrow it down significantly.</p> <p>(on my test site): I chopped out blocks of php code from template pages, until I found the two lines in template/start.php:</p> <blockquote><p> &lt;!-- script START --&gt;<br /> &lt;script type="text/javascript" src="&lt;?php bloginfo('template_url'); ?&gt;/js/base.js"&gt;&lt;/script&gt;<br /> &lt;script type="text/javascript" src="&lt;?php bloginfo('template_url'); ?&gt;/js/menu.js"&gt;&lt;/script&gt;<br /> &lt;!-- script END --&gt;</p></blockquote> <p>Functionality was broken, when I removed these lines, but I stopped getting the security popup.</p> <p>I replaced those lines, then I dug into these two .js files. I had already suspected the menu.js file, based on the removeChild() call, from the Microsoft KB Article. </p> <p>What I found, at the bottom of the file, was this decision:</p> <blockquote><p>if (document.addEventListener) {<br /> document.addEventListener("DOMContentLoaded", loadMenus, false);</p> <p>} else if (/MSIE/i.test(navigator.userAgent)) {<br /> document.write('&lt;script id="__ie_onload_for_generic23" defer src="javascript:void(0)"&gt;&lt;/script&gt;');<br /> var script = document.getElementById('__ie_onload_for_generic23');<br /> script.onreadystatechange = function() {<br /> if (this.readyState == 'complete') {<br /> loadMenus();<br /> }<br /> }</p> <p>} else if (/WebKit/i.test(navigator.userAgent)) {<br /> var _timer = setInterval( function() {<br /> if (/loaded|complete/.test(document.readyState)) {<br /> clearInterval(_timer);<br /> loadMenus();<br /> }<br /> }, 10);</p> <p>} else {<br /> window.onload = function(e) {<br /> loadMenus();<br /> }<br /> }</p></blockquote> <p>When I removed the test for the MSIE user agent, that whole "else if" block, everything seemed to work fine, and there was no IE security popup. Can anyone explain what this code is doing? </p> http://wordpress.org/support/topic/285691#post-1122996 Wed, 01 Jul 2009 20:47:10 +0000 NDP 1122996@http://wordpress.org/support/ <p>The idea to shut off my themes was a good one.</p> <p>If I use either my custom theme, or Generic Plus (on which my custom theme was based), I have the problem. If I go back to the generic WP theme, the problem seems to go away.</p> <p>Unfortunately, the site is now live, so I can only play around with our backup site like this. I need to isolate what is exactly doing this and change only that, because the live site is developed dependent on this custom theme. </p> http://wordpress.org/support/topic/285691#post-1122982 Wed, 01 Jul 2009 20:35:01 +0000 NDP 1122982@http://wordpress.org/support/ <p><a href="https://edtechfuture.org" rel="nofollow">https://edtechfuture.org</a>.</p> <p>When I use tools like PageInfo in Firefox, or Safari's Activity window, they list every element of the page, and they're all coming from https. </p> http://wordpress.org/support/topic/285691#post-1122961 Wed, 01 Jul 2009 20:24:03 +0000 Otto42 1122961@http://wordpress.org/support/ <p>Yeah, that standard stuff doesn't matter any.</p> <p>Well, I'm stumped. Without a link to the site, I don't think anybody can help you any more here. </p> http://wordpress.org/support/topic/285691#post-1122956 Wed, 01 Jul 2009 20:20:15 +0000 NDP 1122956@http://wordpress.org/support/ <p>I don't see any http references when I do a view-&gt;source. Other than the standard stuff in the headers:</p> <p>&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"&gt;</p> <p>&lt;html xmlns="http://www.w3.org/1999/xhtml"&gt;<br /> &lt;head profile="http://gmpg.org/xfn/11"&gt; </p> http://wordpress.org/support/topic/285691#post-1122866 Wed, 01 Jul 2009 19:15:57 +0000 Otto42 1122866@http://wordpress.org/support/ <p>Note that a redirect isn't good enough. If you have <em>any</em> reference to an http instead of an https, then even if the http redirects to the https, then the site is not "secure".</p> <p>To be secure, there must not be any http calls whatsoever. Make sure of this and don't rely on redirections. </p> http://wordpress.org/support/topic/285691#post-1122859 Wed, 01 Jul 2009 19:07:58 +0000 iridiax 1122859@http://wordpress.org/support/ <p>Have you tried temporarily disabling all plugins or switching to the default theme to see if it is plugin or theme-related? </p> http://wordpress.org/support/topic/285691#post-1122854 Wed, 01 Jul 2009 19:00:39 +0000 NDP 1122854@http://wordpress.org/support/ <p>My theme is a slightly modified version of Generic Plus; fwiw.</p> <p>Following the microsoft kb article, above, there's a section of javascript in my mytheme/js/menu.js file:</p> <p>cleanWhitespace = function(list) {<br /> var node = list.firstChild;<br /> while (node) {<br /> var nextNode = node.nextSibling;<br /> if(node.nodeType == 3 &amp;&amp; !/\S/.test(node.nodeValue)) {<br /> list.removeChild(node);<br /> }<br /> node = nextNode;<br /> }<br /> return list;<br /> }</p> <p>I think it's responsible for clearing the popup menu graphics, when the user mouseovers the menu bar. I tried just remarking-out the "list.removeChild(node);" line, knowing that it would break some other functionality - and sure enough, the menubar mouseovers stopped working. And I was still getting the security popup in IE. So I know that this is not the cause of the issue either.</p> <p>(put the code back safe-and-sound, and the feature's working again). </p> http://wordpress.org/support/topic/285691#post-1122849 Wed, 01 Jul 2009 18:55:05 +0000 NDP 1122849@http://wordpress.org/support/ <p>All of my IE users are complaining about this.<br /> All of our images are either in /wp-admin/images, or wp-content/themes/mytheme/img. It's really a very non-graphics-intensive site. </p> <p>I'm doing "view source" on every page, and there's no content coming from any other site.</p> <p>I tried changing my style.css from:</p> <p>body {<br /> background:#767877 url(img/bg.jpg) repeat-x;<br /> color:#555;<br /> font-family:Verdana,"BitStream vera Sans",Helvetica,Sans-serif;<br /> font-size:12px;</p> <p>to:</p> <p>body {<br /> background:#767877 url(https://mysite.com/wp-content/themes/mytheme/img/bg.jpg) repeat-x;<br /> color:#555;<br /> font-family:Verdana,"BitStream vera Sans",Helvetica,Sans-serif;<br /> font-size:12px; </p> <p>No luck. </p> http://wordpress.org/support/topic/285691#post-1122837 Wed, 01 Jul 2009 18:47:13 +0000 iridiax 1122837@http://wordpress.org/support/ <p>I once got cookie security advisories with IE 7 because I had background images for my theme located outside of my WordPress folder. I assume it was some sort of bug. </p> http://wordpress.org/support/topic/285691#post-1122799 Wed, 01 Jul 2009 18:15:13 +0000 NDP 1122799@http://wordpress.org/support/ <p>Hi;<br /> I am managing a site that is delivered via https, and it displays fine in every other browser in the universe except (wait for it. . . ) IE.</p> <p>In IE, users are getting security popups asking "do you want to display non-secure items?"</p> <p>We can tell our users to ditch IE.<br /> We can tell our users to change their security settings; Miscellaneous-&gt;Display mixed content: Enable.</p> <p>But neither of these make it easy for our users to view the site. This warning pops up on every fricking page.</p> <p>I've googled this, and I don't see any real clear resolution of this problem. Just a couple of "hey try this" suggestions:</p> <p>1. Site elements are being delivered unsecured: I don't think so, not sure how to verify this, but all http requests are redirected to https.</p> <p>2. Set your iframe's src to a dummy value: we're not using iframes. Anywhere. As far as I know.</p> <p>3. Microsoft even says this can happen if: (<a href="http://support.microsoft.com/kb/925014" rel="nofollow">http://support.microsoft.com/kb/925014</a>) you're using the removeChild() method to delete a DIV element that references a background image - you should either use the outerHTML method to delete that DIV element, or put the background image into your CSS. In either case: WTF? more detail please! Where? How?</p> <p>I'm sure the "removeChild" method appears in several spots in both my template, and the wp-includes/js collection of javascript files (which means, these come with WP, and everyone should be seeing this problem?).</p> <p>Anyone have any constructive advice for getting rid of this annoying usability problem? (other than telling my users to ditch IE; if my customer would let me, I'd put a "download firefox and stop complaining" link in the footer of every page. I'm sure I'm not the first web developer to wrestle with this) </p>