Flex 3 : IE 6 : SSL and mixed secure items

9 09 2008

Bleh.

This wasn’t a fun one to try to debug.

Essentially, I moved a flex project over to SSL. This meant a simple header redirect on all requests and using the Secure AMF channel for remoting. No problems.

But wait, IE 6 starts throwing me “This page contains both secure and nonsecure items. Do you want to display the nonsecure items?”

This will be familiar to many people, and it would probably be acceptable if it didn’t keep reloading the page no matter which button I pressed.

One word – WTF? I checked EVERY link and reference and everything was relative and thus HTTPS. FireFox reported that everything was hunky dory, even the favicon, so WTF?

Turns out IE6 doesn’t like iFrame tags without a SRC attribute. Fine. But so what? I’m not using iFrames without SRC tags. Hangabout, checking history.js which is deployed alongside any Flex app, you’ll notice around line 381:

var _initialize = function () {
if (browser.ie)
{
var scripts = document.getElementsByTagName('script');
for (var i = 0, s; s = scripts[i]; i++) {
if (s.src.indexOf("history.js") > -1) {
var iframe_location = (new String(s.src)).replace("history.js", "historyFrame.html");
}
}
historyFrameSourcePrefix = iframe_location + "?";
var src = historyFrameSourcePrefix;
var iframe = document.createElement("iframe");
iframe.id = 'ie_historyFrame';
iframe.name = 'ie_historyFrame';
//iframe.src = historyFrameSourcePrefix;
try {
document.body.appendChild(iframe);
} catch(e) {
setTimeout(function() {
document.body.appendChild(iframe);
}, 0);
}
}

SOLUTION:

Notice the commented line? Strange. I’m not sure why it’s been commented by Adobe, but this is our problem right here. This iframe is causing IE6 to have a cry under SSL.

I’ve uncommented it and since I’m using BrowserManagement instead of HistoryManagement, have found that everything is worked as expected. I’m too tired to go looking to see what minute repercussions there may be, but if anyone has anything to add, please be my guest.

Advertisements

Actions

Information

8 responses

25 10 2008
Jeff Dafoe

Thank you for this post! We were pulling our hair out trying to find the cause of this issue.

-Jeff

13 11 2008
Tracy Spratt

Me too! Only one hit on google for: “Flex history script error ie_historyframe” and it was the solution! That is a first for me!

And that seems like a generic fix/problem for IE6, I am not using SSL.

Thanks,
Tracy

11 12 2008
Greg

Thanks for this — I had the same issue with the Galleria plugin for jQuery. It was inserting an iframe without a src attribute. Adding a dummy src made IE6 happy again.

2 02 2009
ScottD

Justin – Thanks, this worked as advertised and was an easy fix. Cheers.

12 03 2009
Sergey

Thanks a million for this post!!!

I’ve spent so much time trying to debug this issue.

After reading this I also found an entry on adobe website that talks about it:

http://bugs.adobe.com/jira/browse/SDK-14289

Thomas Fowler suggests that iframe.src = ‘javascript:false;’; will work better than uncommenting //iframe.src = historyFrameSourcePrefix;

Take a look!

Cheers!

24 09 2009
kdrumm

Thanks Sergey and Justin. This worked great!

16 10 2009
Robert Klaas

I figured out that if you are running your Flex/Flash application on a Secure htts site, all outgoing links must be secure links. When Flex Builder builds the HTML wrapper, there is a codebase attribute inside of the tag. The code base url is a http:// link. If you remove the codebase tag or change it to https:// it seems to stop that error.

This article goes into depth.
http://www.zorked.com/security/ie-mixed-content-secure-nonsecure-items/

27 07 2010
Dave

top 10 post for sure.. Thanks for posting this frustrating fix.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: