That so-called security feature is still in IE 7 ?!


I believe you saw this warning window for many times when using IE. The reason is the web page of HTTPS URL includes both secure (HTTPS) and nonsecure (HTTP) content. When you view page source, you can see there is image, CSS source, JavaScript src, or other content that begins with "http://", not "https://".

I do not know the reason why IE team still keep this "feature" in IE 7:

1) Why should developer put HTTPS for a common image in web page? A common image should be fetched using HTTP directly because it is also shared by other nonsecure site
2) If I embed google map in a secure site, why should I use HTTPS for google content?

Although developers can write code to map URL from HTTPS to HTTP on web server to solve the problem, although users can change IE security options to enable "Display mixed content", one thing is for sure: This feature of IE is useless and annoying.

2 comments:

Rob Garrett said...

I think the reason MS added this feature is to alert the user that some unprotected resource is linked to the supposedly secure page.

I hear your point about images, Google maps etc, but imagine that the author had linked to a web service (JSON) or some service that collects data from the page (AJAX). Wouldn't you want to know that as a user before submitting your credit card or SSN?

Generally, secure sites for transactional purposes are secured for the entire domain (secure.domain.com), so images, CSS, script etc is covered under HTTPS. It's only when SSL is used for other purposes where mixed content is present (blogs, community sites where users add links to remote sites) that this problem arises.

You may have heard of "cross-site-script-infection". This is a good example why this warning dialog is required. If a malicious site installs naughty script in a parallel open page, and this script sends critical data out to the a hacker web site, then the user should know about it.

Jun Meng said...

The problem is you can embed normal HTTP "link" in the page without that warning. Only when the page has HTTP "content", does that warning appear.

For Cross Site Scripting Attack, the warning will not be shown because the page will only include HTTP "link" to attacker's site, not "content" from attacker's site.

For example: There is no warning for <a href="http://somesite.com">. But you will see the warning when the page has <script src="http://somesite.com/script.js"> because the script "content" is downloaded as part of the page.