"security warning" on XP/IE 6.0.2900, but NOT on w2k/IE 6.02800

[cyan01]

Hi, Experts,

My company has a few webpages constantly trigger "security warning" on XP/IE 6.0.2900.2180.xpsp-sp2-gdr.050301-1519. I have noticed that if I enable Tools->Internet Options->Security->Internet->Custom Level->Miscellaneous->Display Mixed Content, then the warning is gone.

However, when I am using w2k/IE 6.0.2800.1106, with Miscellaneous->Display Mixed Content set to prompt, I don't get this warning.

Can someone tell me whether the annoying problem is on our side or on Microsoft IE side? And what's the possible solution? Thank you in advance for your help.

 

[smah]

The root of the warning comes from the fact that something on those pages is not being loaded from the secure server. I assume that the pages in question are secure - https:// There could be an image or script that is being called from non-secure url. As a starting point, do a 'view source' on one of the problem pages & search for the text http://

 

[cyan01]

Thank you, Smah.

What you said is exactly right. The pages are images and loaded through

https://.

What should I do to avoid this warning without enabling Miscellaneous->Display Mixed Content? And why does w2k/ie not give such a warning?

Thank you, again.

 

[Xaqte]

I'm finding it difficult to understand the first sentance of your last post. But, I am assuming that was a response to smah's great advice about looking at the source for any mention of "http". So, I guesss its safe to say you've done that.

Since I just worked through the same problem, here is some general advice:

Avoid using absolute paths at all costs for sites that switch back and forth between http and https:
Instead of:

<img src="[URL unfurl="true"]http://mydomain.com/images/cyan.jpg"[/URL] alt="cyan" />

Do this:

<img src="/images/cyan.jpg" alt="cyan" />

This applies to more than images. It can also apply to css style links and javascript links (any "src" link).

The page I recently worked through had this problem because of a js google analytics link.

This can prove difficult on dynamic pages created throught a server side script, this is why smah's advice was good!

If you could provide us a link, we would be happy to look at it!

Let us know your results!

X

 

[cyan01]

Thank you, Xaqte.

Sorry I did not make myself clear in my last post. I'll take a close look at the code first thing Monday and I'll let you know what I found.

Thank you again.

 

[smah]

The reason that you're not getting the warning on the other systems is that for some reason, the security settings have been reduced. The warning is basically telling you that something is not coming from where you think that it is - probably something very minor like a picture, but possibly something more sinister, hence the warning message. When you do a 'View, Source' you can use the 'Edit, Find' function to quickly search for references to http://. When you find them, have the webmaster fix them.

 

[cyan01]

Hi, smah and Xaqte,

Sorry for being late - I was beried by lots of chores last couple days.

Here is what I found:

One of our perl codes, create a js function called openImage(), which has one line like this:

function openImage()
{
//......
window.open('/search/docs/viewItem.pl?tableID=$Q::tableID;docID='+dID+';eDocID='+eDocID+';page=' +pg,'TextViewWin');
//......
}

Where viewItem.pl is another perl file.

If I visit this page using win xp/IE 6.0.2900, I see an IE security warning poped up before Java Script executing window.open(). But with w2k/IE 6.0.2800, I don't see the warning. I made sure that the security lever is set to MEDIUM for both IE's.

Any advices are highly appreciated.

 

[smah]

I don't see anything wrong with that code, but you've stated that it happens before this this is executed. Are there no other references to external files? Can you post the link?

 

[cyan01]

I'd like to say that it is an IE bug. According to this article published on microsoft site:

http://support.microsoft.com/kb/q300443/

All IE 6.0 should have this behavior. However, according to my findings, w2k/IE 6.0.2800 behaves differently from XP/IE 6.0.2900.

To smah, I am positive that there are NO other references to external files! And I don't quite understand what you meant by "post the link"? But I can show you a bit more of our codes:

function openImage(dID,notImg)
{
  if (!notImg) notImg = false;
  if (notImg || (FileMimeInfo && FileMimeInfo['id_'+dID]))
  {
    document.all.ImageContext.rows = '0,*';
    alert("In openImage(), going to open /search/prodDocs/viewItem.pl");
    window.open('/search/prodDocs/viewItem.pl?tableID=$Q::tableID;docID='+dID+';eDocID='+eDocID+';page='+pg,'TextViewWin');
    return;
  }
  // ......
}

Here are the last a few lines of viewItem.pl:

my $fHead;
read(INFILE, $fHead, 5);
seek INFILE, 0, 0;

my ($buf, $bytes);
while ($bytes = read(INFILE, $buf, 16384))
{
  print $buf; # to display the image
  warn("\$bytes = #$bytes#");
}

close INFILE;
warn("exit from viewItem.pl");
exit;

Please NOTE:

1) I saw JS alert first, then saw IE security warning;
2) At the time when IE warning popped up, I had already seen apache log message - "exit from viewItem.pl". Meanwhile, on my browser, I got "The page can not be found" error.
3) After I clicked "yes" button on the IE security warning box, the error page "The page can not be found" was gone and the image was successfully displayed.

 

[Xaqte]

At the time when IE warning popped up, I had already seen apache log message

Are you using tail to view the log? If not, this might help debug the order of events.

Out of curiosity, use the following code to see what perl thinks the local directory:

    use Cwd;
    my $dir = getcwd;
    warn "Dir: $dir";

You should see the response in your log...

One last thing...
Smah and I have both asked you to post a link. We would understand if you couldn't, but at least tell us.

 

[smah]

By that we mean a link to the web site (if public). You keep posting these small snippets of code, but I assume the end result is a web page that's displayed in a browser window. Another item that commonly causes this occurance is the CSS stylesheets used to format the html page. If the css is called from a non-secure url, you will get this error.

IE's security has been tightened down more in XP than in any other version of Windows & will be even more so in future versions. So, if you want to consider this a bug, it's actually a bug in the ealier versions.

 

[smah]

I just realized that, earlier when I mentioned "View source", I actually meant the HTML code that makes the web page, not neccessarily the perl code that generates the html.

 

[smah]

Each time I finish, I think of a better way to say what we're trying to get at...

The warning is coming from the browser. The browser is displaying the html (and javascript) only. The browser does not care about the perl code that generates what is displayed. The browser does not care if the rendered html is dynamicly generated on the server or if was staticly coded by hand. The browser only knows what it 'sees'.

 

[cyan01]

To Xaqte and smah,

Again, thank you very much for your help. And I am sorry I have not told you about the "url link" thing. Those sites are for customers only so that I can not make it public here (even if I did, no one could access it w/o a password). Because of this, I never thought about to give out the link and that's why I never thought you meant this - it is absolutely my fault. I'll try your suggestions today will give you an update later today.

Thank you.

 

[cyan01]

First, let me answer Xaqte's request.

I added following code

use Cwd;
my $dir = getcwd;
warn "Dir: $dir";
my $fHead;
read(INFILE, $fHead, 5);
seek INFILE, 0, 0;

my ($buf, $bytes);
while ($bytes = read(INFILE, $buf, 16384))
{
  print $buf; # to display the image
  warn("\$bytes = #$bytes#");
}

close INFILE;
warn("exit from viewItem.pl");
exit;

Here is the log:

Dir: /{root}/search/prodDocs at /{root}/search/prodDocs/viewItem.lcs line 246.

And yes, I use 'tail -f' to view the log.

=================

Following is the html page from “view source”. Certainly, I have simplified it , 'cause the original one has more than 500 lines. This simplified page has two buttons “Prev” & “Next”. When either of these button clicked, the IE security warning box is popped up.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html
	PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
	"[URL unfurl="true"]http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">[/URL]
<html xmlns="[URL unfurl="true"]http://www.w3.org/1999/xhtml"[/URL] lang="en-US">
<head>
<title>Field Selection</title>
<link rel="stylesheet" type="text/css" href="/styles/0_prodDocs.css" />
<script language="JavaScript" type="text/javascript">
function checkChanged(move) {
        if (parent.mode == 0) return parent.CommentsViewWin.checkChanged(move);
	if (move == null) return true;
        parent.go2(move);
}
</script>
</head>
<body onload="setBrowser();showLink();top.init('nav',false);">
<form method="post" action="saveData.pl" enctype="application/x-[URL unfurl="true"]www-form-urlencoded"[/URL] 
onsubmit="checkChanged(document.aForm.gotonum.value);return false;" name="aForm">
<table cellpadding="1" align="center" width="98%" cellspacing="0" bgcolor="#FFFFFF" border="0">
<tr height="2"><td /></tr> 
<tr class="bg2"><td>
<table cellpadding="1" width="100%" cellspacing="1">
<tr class="bg2">
<td colspan="2"><b>Sequential Navigation</b></td>
</tr> 
<tr valign="top" class="bg2">
<td>
[b]
<input type="button" value="Prev" 
onclick="if (checkChanged(null)) parent.prevBates();return false;" 
class="forminput" /> 

<input type="button" value="Next" 
onclick="if (checkChanged(null)) parent.nextBates();return false;" 
class="forminput" />
[/b]
</td> 
</tr>
</table>
</td>
</tr> 
</table>
</form>
</body>
</html>

Here is the implementation of js function checkChanged():

function checkChanged(move) {
alert("cyan 1, in checkChanged(), move = " + move + ", parent.mode = " + parent.mode);
  if (parent.mode == 0) return parent.CommentsViewWin.checkChanged(move);
  if (move == null) return true;
  parent.go2(move);
}
// where
// move = null & parent.mode = 0

Thank you for reading this lengthy message and thank you for your help.

 

[Xaqte]

I'm to the point of thinking it is the "window.open" function itself that is causing this problem.

It appears as if a number have had a similar problem.

My suggestion is to rethink/design your functionality that uses the window.open function in the perl script.

 

[cyan01]

Thank you, Xaqte.