GWT application generating IE insecure item warning

Our service runs over HTTPS and we're currently experimenting with running a compiled GWT application within it, client side only, no RPCs.

It is included within an IFRAME, which seems to be recommended (here for example: http://developerlife.com/tutorials/?p=231 under the heading HTTPS and HTTP).

When doing certain operations within the GWT app, IE generates an insecure item warning.

http://bagonca.com/insecure_item.png

You may ask yourself why I don't use some nifty Firefox plugin to see what request might be over http. Or why I don't use HTTPWatch in Internet Explorer for the same reason. I have. There are no insecure requests that I can find, anywhere.

What I have read about on the other hand is that Internet Explorer throws this warning for iframes without the src attribute set. And that a potential fix is using src="javascript:false" for any iframe that is populated dynamically.

As I've said, the whole app is included via an IFRAME, and within it GWT itself generates a hidden IFRAME that looks like below.

<iframe tabIndex="-1" id="gwt-app" src="javascript:''" style="border-bottom: medium none; position: absolute; border-left: medium none; width: 0px; height: 0px; border-top: medium none; border-right: medium none;">

I've tried hard coding the src attribute above to a blank page that actually exists and is called with HTTPS on the same domain. I've tried the javascript:false; approach. No luck. The app works like a charm, but IE throws the useless and false warning.

The warning turns up when I do certain actions within the app, not when it is loaded. Actually when dragging and dropping appointments within the http://code.google.com/p/gwt-calendar/ component.

Has anyone tangled with a similar issue before? Any clues?

I'm not sure in this case, but I did some experiments with iframes (on a somewhat similar topic) about a year ago. I would assume that gwt-calendar tries to communicate with the host page via JavaScript's parent reference. AFAIR, that's not allowed when the host page isn't loaded from the same origin (including protocol).

There are other snippets of JavaScript that can also cause a problem. Please see:

http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/

Also, have a look through the pile of comments on:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

Some of the commenters have found and fixed other causes of the warning too.

This can happen if you have your app running over HTTPS and are fetching images or some other resource over plain HTTP. Check if you have image or CSS paths hardcoded to http://.

For example, if your app is running at https://example.com and you wish to load an image foo.jpg, the HTML you should be using is:

<img src="https://example.com/images/foo.jpg"/>

or (ideally)

<img src="images/foo.jpg"/>

and not

<img src="http://example.com/images/foo.jpg"/>

Note that the third example fetches the foo.jpg image over http instead of https. Hence it would cause the issue which you are facing.

To avoid such problems, the best practice is to use ImageResources and relative URLs.
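
As an added example (not part of the original question or answers), a small Node.js scan for the two causes discussed on this page: sub-resources hardcoded to http://, and, as reported in the question, iframes with no src attribute. The sample markup and the helper name findInsecureItems are constructed for illustration, and the regex matching assumes quoted attribute values rather than implementing a full HTML parser.

```javascript
// Added example. SAMPLE_HTML is constructed for illustration (not from the post).
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://example.com/css/app.css">
<img src="https://example.com/images/foo.jpg"/>
<img src="images/foo.jpg"/>
<img src="http://example.com/images/foo.jpg"/>
<a href="http://example.com/help">help</a>
<div style="background: url('http://example.com/images/bg.png')"></div>
<iframe id="dynamic" style="width: 0px; height: 0px"></iframe>
<iframe id="gwt-app" src="javascript:''"></iframe>
`;

// Tags whose URL attribute makes the browser fetch a sub-resource.
// <a href> is navigation, not a sub-resource, so it is left out on purpose.
const FETCHING = new Map([
  ['img', 'src'], ['script', 'src'], ['iframe', 'src'], ['link', 'href'],
]);

// Hypothetical helper: returns one finding per suspicious reference.
// Simplification: assumes quoted attribute values with no '>' inside them.
function findInsecureItems(html) {
  const findings = [];
  for (const [, name, attrs] of html.matchAll(/<(\w+)\b([^>]*)>/g)) {
    const tag = name.toLowerCase();
    const attr = FETCHING.get(tag);
    if (!attr) continue;
    const re = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(["'])(.*?)\\1`, 'i');
    const m = re.exec(attrs);
    if (m && /^http:\/\//i.test(m[2].trim())) {
      findings.push({ kind: 'http-subresource', tag, url: m[2].trim() });
    } else if (!m && tag === 'iframe') {
      // The question reports that IE warns about iframes with no src at all.
      findings.push({ kind: 'iframe-without-src', tag, url: null });
    }
  }
  // CSS url(...) references in inline styles or <style> blocks.
  for (const [, url] of html.matchAll(/url\(\s*["']?(http:\/\/[^"')\s]+)/gi)) {
    findings.push({ kind: 'http-css-url', tag: 'css', url });
  }
  return findings;
}

console.log(findInsecureItems(SAMPLE_HTML));
```

Running it over the compiled GWT output directory's HTML and CSS files gives a list to review before reaching for a network trace; script-generated requests still need a tool such as HTTPWatch.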
