linking to HTTP sites from HTTPS pages
Old 04-20-2007, 03:06 PM linking to HTTP sites from HTTPS pages
Average Talker

Posts: 22
Location: NY, USA
Trades: 0
I have an HTTPS/SSL-protected site. On some pages, there are outside links to non-protected (http://) pages on other sites. We're not pulling content in from these sites, just providing direct links to them.

Problem is, while some browsers don't mind this, others complain about "both secure and nonsecure items" and warn the user about visiting a page with "mixed content", which can not only be disconcerting to naive users, but downright annoying when the warning is presented on every page (and multiple times per page when the user browses back and forth between pages).

MSFT's stance on this seems to be a mandate to site owners: "Don't mix content." I think that's overkill and a bit silly: when information is available on HTTP pages, HTTPS pages should be able to link to them (I'm saying "link to," and not "pull content from"; I understand that these are two distinct actions), instead of statically copying content from another site.

While I'm interested in experiences with this and opinions, I'd love to know whether there's a solution that would keep users of certain browsers happy, while not duplicating content from other sites.
deesto is offline
Old 04-20-2007, 03:27 PM Re: linking to HTTP sites from HTTPS pages
LadynRed's Avatar
Defies a Status

Posts: 10,017
Location: Tennessee
Trades: 0
There is no solution that I'm aware of. Either apply the SSL to the WHOLE site, or don't mix them. The warnings are subject to the USER'S security settings in their browser.
__________________
Web Goddess & Web Standards Evangelist :) - Tables Be Gone !!

LadynRed is offline
Old 04-20-2007, 03:45 PM Re: linking to HTTP sites from HTTPS pages
Average Talker

Posts: 22
Location: NY, USA
Trades: 0
Quote:
Originally Posted by LadynRed View Post
There is no solution that I'm aware of. Either apply the SSL to the WHOLE site, or don't mix them.
Thanks. Not quite sure what you mean by applying to the whole site: our SSL cert does apply to our entire site, from the root on down. So it covers all our pages. Is that what you mean?

The trouble I'm having is when a(n SSL-authenticated) page contains a link to an outside, non-HTTPS site. Shouldn't the browser be smart enough to know that this is simply a link, and that the "content" isn't being pulled from another site?

Quote:
Originally Posted by LadynRed View Post
The warnings are subject to the USERS security settings in their browser.
Right: but in my experimentation, I've seen that enabling "allow mixed content" doesn't seem to have any effect at all.
deesto is offline
Old 04-20-2007, 03:56 PM Re: linking to HTTP sites from HTTPS pages
mgraphic's Avatar
Truth Seeker

Latest Blog Post:
JAMISONTUNES
Posts: 2,918
Name: Keith Marshall
Location: Connecticut
Trades: 0
Providing a link on a secured page will not trigger the mixed content warning, but chances are you are including an external javascript file or css file or something that is not being called from a secured source.

In the includes, either call them as a relative link, or call them by this method:

src="//www.domain.com/javascript.js"
__________________

<mgraphic /> - I don't have a solution but I admire the problem.
mgraphic is offline
Old 04-20-2007, 04:04 PM Re: linking to HTTP sites from HTTPS pages
Average Talker

Posts: 22
Location: NY, USA
Trades: 0
Quote:
Originally Posted by mgraphic View Post
Providing a link on a secured page will not trigger the mixed content warning, but chances are you are including an external javascript file or css file or something that is not being called from a secured source.
I just ran through the generated source for the home page (which IE says is "mixed"), and there were absolutely no HTTP includes, only external links. The only actual file being included from HTTP (and from off-site at all) is the XHTML DTD declaration in the header:
Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
Could that trigger this "mixed content" message in IE?
deesto is offline
Old 04-20-2007, 05:38 PM Re: linking to HTTP sites from HTTPS pages
mgraphic's Avatar
Truth Seeker

Latest Blog Post:
JAMISONTUNES
Posts: 2,918
Name: Keith Marshall
Location: Connecticut
Trades: 0
Quote:
Originally Posted by deesto View Post
Could that trigger this "mixed content" message in IE?
No - But what about your javascripts, do any of them virtually write to the document including an image or something?

Better yet - send a link to the https page
__________________

<mgraphic /> - I don't have a solution but I admire the problem.
mgraphic is offline
Old 04-20-2007, 10:47 PM Re: linking to HTTP sites from HTTPS pages
Average Talker

Posts: 22
Location: NY, USA
Trades: 0
Can't give a link to the site, as it's only accessible internally. But the HTML from the site index page is attached. Maybe you'll see something that I've missed?
Attached Files
File Type: txt home_html.txt (42.7 KB, 1 views)
deesto is offline
Old 04-20-2007, 11:04 PM Re: linking to HTTP sites from HTTPS pages
mgraphic's Avatar
Truth Seeker

Latest Blog Post:
JAMISONTUNES
Posts: 2,918
Name: Keith Marshall
Location: Connecticut
Trades: 0
The source paths all look good - But take a look at your javascripts too.

Also, I noticed you are including 7 external css files. Do any of these files use a full image path for backgrounds and such? If so, make sure they are a related path (related from the css file) and none are absolute paths (that declare http://)
__________________

<mgraphic /> - I don't have a solution but I admire the problem.
mgraphic is offline
Old 04-21-2007, 11:52 AM Re: linking to HTTP sites from HTTPS pages
LadynRed's Avatar
Defies a Status

Posts: 10,017
Location: Tennessee
Trades: 0
Quote:
Shouldn't the browser be smart enough to know that this is simply a link, and that the "content" isn't being pulled from another site?
Nope. When the security settings are under the user's control, there's not a whole lot you can do.
__________________
Web Goddess & Web Standards Evangelist :) - Tables Be Gone !!


LadynRed is offline
Old 04-21-2007, 02:01 PM Re: linking to HTTP sites from HTTPS pages
mgraphic's Avatar
Truth Seeker

Latest Blog Post:
JAMISONTUNES
Posts: 2,918
Name: Keith Marshall
Location: Connecticut
Trades: 0
Just to clear any confusion, an anchor link from an SSL page to a non-SSL page will not generate a "mixed-content" warning to the user; only non-SSL content that is downloaded to be displayed on an SSL page will generate a warning.
__________________

<mgraphic /> - I don't have a solution but I admire the problem.
mgraphic is offline
Old 04-21-2007, 06:39 PM Re: linking to HTTP sites from HTTPS pages
Average Talker

Posts: 22
Location: NY, USA
Trades: 0
Quote:
Originally Posted by mgraphic View Post
Just to clear any confusion, an anchor link from an SSL page to a non-SSL page will not generate a "mixed-content" warning to the user; only non-SSL content that is downloaded to be displayed on an SSL page will generate a warning.
That was my understanding as well, but as you see in the source for that page, there aren't any direct links to include any insecure content, only anchored references to off-site pages.

This site is on an open-source CMS called Plone. I'll have to look into this a bit further and ask if anyone's aware whether Plone's JS and other includes are pulled in via HTTP (even on a secure site).
deesto is offline
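
Added example, not part of the original thread or of any poster's code: a Python check for the distinction discussed above, run over saved page source and stylesheet text. It separates http:// anchor links (navigation only) from subresources the browser would download over http://, including `url(http://...)` references in CSS. The function names, the `FETCHING` table and the sample markup with its host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser download something into the page.
# <a href> is deliberately absent: following a link is navigation, not content.
FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"),
            ("embed", "src"), ("object", "data"), ("link", "href")}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.insecure = []     # (tag, url): subresources requested over http://
        self.plain_links = []  # http:// anchors, collected only for comparison

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <link> fetches its href only when it loads a stylesheet or icon.
        fetched = tag != "link" or re.search("stylesheet|icon", attrs.get("rel") or "", re.I)
        for name, value in attrs.items():
            if not (value or "").strip().lower().startswith("http://"):
                continue  # relative, https:// and protocol-relative (//host/...) are fine
            if (tag, name) in FETCHING and fetched:
                self.insecure.append((tag, value.strip()))
            elif (tag, name) == ("a", "href"):
                self.plain_links.append(value.strip())

def scan_css(css_text):
    """Absolute http:// url() references in stylesheet text."""
    return CSS_URL.findall(css_text)

def scan_html(html):
    """Return (insecure_subresources, plain_http_links) for saved page source."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    # url(http://...) in <style> blocks, style="" attributes or script-written CSS
    css = [("css", url) for url in scan_css(html)]
    return scanner.insecure + css, scanner.plain_links

# Constructed sample page; host names are placeholders.
SAMPLE = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">'
          '<script src="//www.example.com/javascript.js"></script>'
          '<style>body{background:url(http://static.example.com/bg.png)}</style>'
          '<a href="http://other.example.org/page">outside link</a>'
          '<img src="http://images.example.net/logo.gif" alt="" />')

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Run `scan_html` on the page source and `scan_css` on each external stylesheet; the DOCTYPE URL and the anchor are not reported as insecure subresources.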