5

I have an HTTP webpage with a piece of JavaScript that adds an iframe to the page. The iframe is pointing to an HTTPS page. In the IE11 developer console, this error appears:

SEC7111: HTTPS security is compromised by https://www.example.com.

This is not the typical mixed content browser warning when you have an HTTPS page loading an HTTP resource. This is the opposite (HTTPS resource on an HTTP page). Neither Chrome nor Firefox gives any warning on this page. Just IE11 gives the error. My IE11 setting is to Prompt for mixed content; however, it doesn't actually prompt and is actually loading the HTTPS iframe. The only indication of mixed content in IE11 is the error in the developer console.

Question 1: Will having an HTTPS resource on an HTTP page cause problems? Are there other browsers that may either refuse to load the iframe or display a message/dialog prompting whether to load mixed content? Ideally I'd like the iframe to load and for there not to be any browser warnings. My instincts are that loading HTTPS content on an HTTP page should be alright, which I'm sure is why Firefox and Chrome are not displaying any messages.

Interestingly, I have run across some HTTP webpages that have an HTTPS script tag on them. For example, a script tag to https://apis.google.com/js/plusone.js on an HTTP page. IE11 does not give any errors in the developer console on this page. Because both the script tag and iframe tag are considered mixed "active" content tags, I would expect that IE11 would also raise an error for this HTTPS script tag, but it doesn't. Question 2: What is the reason IE11 doesn't report a mixed content error in this scenario?

Ben Amada
  • possible duplicate of http://stackoverflow.com/questions/28742523/web-application-fails-to-load-an-iframe-in-ie-with-error-as-navigation-to-the-w – Daniel Ruf Nov 26 '15 at 12:25
  • I think that one is different. I'm not getting any content being blocked and not getting any certificate errors. My question here is about this IE error message in relation to an HTTPS resource on an HTTP page which that other question is not dealing with. – Ben Amada Nov 26 '15 at 17:03

1 Answer

1

In the case of an HTTPS iFrame from a different domain, two distinct information sources are accessed. The purpose of Microsoft's error message in the developer console may just be to remind inexperienced developers that the information source in the HTTPS iFrame might need better protection.

In the case of an HTTPS script, no additional information source is accessed other than the main HTTP page, because scripts from third-party domains are commonly used mostly for loading libraries. In such a case there is no secure information source that needs better protection.

On a side note, I believe that loading HTTPS iFrames, scripts and resources from HTTP pages is still advisable because it prevents attacks at backbone and Internet provider level.

Enos D'Andrea