Flex 3 : IE 6 : SSL and mixed secure items

9 09 2008


This wasn’t a fun one to try to debug.

Essentially, I moved a Flex project over to SSL. This meant a simple header redirect on all requests and using the Secure AMF channel for remoting. No problems.

But wait, IE 6 starts throwing me “This page contains both secure and nonsecure items. Do you want to display the nonsecure items?”

This will be familiar to many people, and it would probably be acceptable if it didn’t keep reloading the page no matter which button I pressed.

One word – WTF? I checked EVERY link and reference and everything was relative and thus HTTPS. Firefox reported that everything was hunky dory, even the favicon, so WTF?

Turns out IE6 doesn’t like iFrame tags without a SRC attribute. Fine. But so what? I’m not using iFrames without SRC tags. Hang about: checking history.js, which is deployed alongside any Flex app, you’ll notice around line 381:

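    var _initialize = function () {
        if (browser.ie) {
            // Locate the <script> tag that loaded history.js and derive the
            // URL of historyFrame.html, which sits next to it.
            var scripts = document.getElementsByTagName('script');
            for (var i = 0, s; s = scripts[i]; i++) {
                if (s.src.indexOf("history.js") > -1) {
                    var iframe_location = (new String(s.src)).replace("history.js", "historyFrame.html");
                }
            }
            historyFrameSourcePrefix = iframe_location + "?";
            var src = historyFrameSourcePrefix;
            var iframe = document.createElement("iframe");
            iframe.id = 'ie_historyFrame';
            iframe.name = 'ie_historyFrame';
            // Ships commented out, so the iframe is created without a src:
            //iframe.src = historyFrameSourcePrefix;
            try {
                // (body not shown in this excerpt)
            } catch(e) {
                setTimeout(function() {
                    // (body not shown in this excerpt)
                }, 0);
            }
        }
        // (rest of _initialize not shown in this excerpt)
    };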


Notice the commented line? Strange. I’m not sure why it’s been commented by Adobe, but this is our problem right here. This iframe is causing IE6 to have a cry under SSL.

I’ve uncommented it and, since I’m using BrowserManagement instead of HistoryManagement, have found that everything has worked as expected. I’m too tired to go looking to see what minute repercussions there may be, but if anyone has anything to add, please be my guest.
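
One way to audit a deployment for the condition described in this post, written as an added example (it is not code from the original post or from Adobe). The function names are hypothetical, the checks are regex heuristics rather than a real parser, and the sample input is constructed from the excerpt above.

```javascript
// Added example: find iframes that end up without a src, in scripts and in markup.

// Drop /* */ and // comments so a commented-out assignment does not count as code.
function stripComments(js) {
  return js
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/(^|[^:"'])\/\/.*$/gm, "$1");
}

// Variables assigned document.createElement("iframe") that never get a live
// `.src = ...` or `.setAttribute("src", ...)` anywhere in the same source text.
function findScriptedIframesWithoutSrc(js) {
  const code = stripComments(js);
  const create = /([A-Za-z_]\w*)\s*=\s*document\.createElement\(\s*["']iframe["']\s*\)/gi;
  const findings = [];
  let m;
  while ((m = create.exec(code)) !== null) {
    const name = m[1];
    const direct = new RegExp("\\b" + name + "\\.src\\s*=(?!=)").test(code);
    const viaAttr = new RegExp("\\b" + name + "\\.setAttribute\\(\\s*[\"']src[\"']").test(code);
    if (!direct && !viaAttr) findings.push(name);
  }
  return findings;
}

// <iframe> tags in static markup whose src attribute is missing or empty.
function findMarkupIframesWithoutSrc(html) {
  const tag = /<iframe\b([^>]*)>/gi;
  const srcAttr = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const findings = [];
  let m;
  while ((m = tag.exec(html)) !== null) {
    const src = srcAttr.exec(m[1]);
    const value = src ? (src[1] ?? src[2] ?? src[3] ?? "") : "";
    if (value.trim() === "") findings.push(m[0]);
  }
  return findings;
}

// Constructed sample: the iframe lines from the history.js excerpt, as shipped
// and with the src assignment uncommented.
const shipped = [
  'var iframe = document.createElement("iframe");',
  "iframe.id = 'ie_historyFrame';",
  "iframe.name = 'ie_historyFrame';",
  "//iframe.src = historyFrameSourcePrefix;",
].join("\n");
const patched = shipped.replace("//iframe.src", "iframe.src");

console.log("shipped:", findScriptedIframesWithoutSrc(shipped)); // flagged
console.log("patched:", findScriptedIframesWithoutSrc(patched)); // clean
```

Run it under Node against each deployed script and HTML template; any hit is a candidate for the mixed-content prompt on an HTTPS page in IE 6.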