| Issue: | Mixed Content Security Warnings with IFrame Masking |
| Browser: | IE 5.5+ |
| Platform: | Windows |
| Description: | When using the
IFrame masking method to allow HierMenus to be displayed over the top of drop-down
form elements, Flash or Java applets, or IFrames (see Known Issue #1)
on a secure (HTTPS) site, you may receive multiple mixed content security warnings
from Internet Explorer. |
| Cause: | The warnings are generated
when the IFrames that will be inserted between the menu and the other page elements
are created. If the page that is loaded into the IFrame is not also from the
same HTTPS server that the actual HTML page is from, Internet Explorer generates
a warning about potentially non-secure content being retrieved as part of your
secure page. This warning is also triggered if you create and dynamically add
an IFrame to the page without any specified content.
We initially identified and discussed this issue as part of the
HierMenus 6.0.1 release. Our initial HierMenus 6.0 release
did not load any page into the IFrame, which we then unfortunately learned
triggers the content warnings in the same manner as a non-HTTPS page would.
In version 6.0.1, we thought we could bypass the warnings by loading a "void"
page into the IFrame:
this.IEMask.src="javascript:void(0)";
While this fix removed the warnings in our own testing here, several users have
written to let us know that the problem still remains in their implementations.
Hence, the issue remains open at this time. |
| Workaround: | The only workaround
we've found that removes the security warnings in all situations is to load an
actual page into the IFrames from the secure server as part of the IFrame mask
creation process. You can do this by first creating a blank page on your server,
and then altering HM_f_IEMaskCreate in the HM_Loader file
to load your new page. Specifically, find this line:
this.IEMask.src="javascript:void(0)";
and change it to something like this:
this.IEMask.src="/myEmptyPage.html";
The process is a little trickier in the space-optimized loader, but if you
search the file for the javascript:void(0) string you should be
able to find and change it easily enough. |
| Posted: | June 17, 2005 |
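The causes and workaround above can be turned into a quick check for any value you plan to assign to this.IEMask.src. This is an added example, not HierMenus code: the function name classifyMaskSrc, the sample host names, and the reading of "same HTTPS server" as same origin are assumptions.

```javascript
// Added example, not HierMenus code. Verdicts follow the causes listed on
// this page. Assumption: "same HTTPS server" means same origin
// (scheme + host + port).
function classifyMaskSrc(pageUrl, src) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    return { warns: "no", reason: "page itself is not served over HTTPS" };
  }
  const value = (src || "").trim();
  if (value === "") {
    // HierMenus 6.0 behaviour: IFrame added without any specified content.
    return { warns: "yes", reason: "IFrame has no specified content" };
  }
  if (/^javascript:/i.test(value)) {
    // HierMenus 6.0.1 behaviour: clean in the vendor's tests, but users
    // still reported warnings, so treat it as unreliable.
    return { warns: "maybe", reason: "javascript: URL, reported unreliable" };
  }
  let target;
  try {
    target = new URL(value, page.href); // resolve relative paths like a browser
  } catch (err) {
    return { warns: "maybe", reason: "src could not be parsed as a URL" };
  }
  if (target.protocol !== "https:") {
    return { warns: "yes", reason: "src is not loaded over HTTPS" };
  }
  if (target.origin !== page.origin) {
    return { warns: "yes", reason: "src is on a different server" };
  }
  return { warns: "no", reason: "page loaded from the same HTTPS server" };
}

// Constructed sample values; the host names are placeholders.
const SAMPLE_PAGE = "https://www.example.test/catalog/index.html";
const SAMPLE_SOURCES = [
  "",
  "javascript:void(0)",
  "/myEmptyPage.html",
  "http://www.example.test/myEmptyPage.html",
  "https://static.example.test/myEmptyPage.html",
];
for (const src of SAMPLE_SOURCES) {
  const verdict = classifyMaskSrc(SAMPLE_PAGE, src);
  console.log(JSON.stringify(src), "->", verdict.warns, "(" + verdict.reason + ")");
}
```

Only the relative path to a blank page on the same secure server comes back as "no", which matches the workaround.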