This page contains both secure and nonsecure items

Sometimes creating a secure page is easy – you just change the http to https and you’re done. On other times you open the page in Internet Explorer and it starts complaining about unsecure items on the page. It’s annoying because many users get scared away thinking something wrong is going on. Or it’s just annoying since you don’t want to click ok every time you load a page.

To remove this alert follow these simple rules. After you do something reload. If there’s no more alerts you succeeded. Otherwise go on. If you get in a jam leave a comment and I’ll try to find one and add a rule.

  1. Change all http:// resource links to https://. The doctype is not a problem. All others (images, css, javascripts, iframe pages) should be https://.
  2. Change all about:blank links (yep, these are unsecure) to a blank file that exists and is a https:// link.
  3. Install Fiddler and check if there are any hidden requests to http:// (it won’t show https:// requests with the default setting). Change them to https://
  4. Check if any iframes have # for src or the src is left blank. Change them to something that is a https:// link and exists. Looks like # is actually an alias to about:blank.
  5. Find any resources that return an error (404, 500). This one is tricky since it’s not really easy to set up an SSL proxy. Try checking the server’s access logs.

The trick behind these is that any data that comes from an unsecure source triggers the alert. Unsecure data might come from a http:// link OR a built in page. Built in pages are for example about:blank. BUT what you wouldn’t expect is that also Explorer’s built in error pages are unsecure. So if you get a 500 or 404 error and Explorer decides to display its internal error message you will get an alert.

This might not be all but I think it should be enough.

58 Responses to “This page contains both secure and nonsecure items”

  1. Craig says:

    Good article.
    Was exactly what I was looking for. I did a find and replace on http:// to https:// and the message went away.

    Cheers,
    Craig

  2. Lance says:

    This was perfect!! I have been racking my brain on the problems with this message popping for two days. Thank you so much for posting this!

    By the way–Fiddler is essential if people out there aren’t using it yet!

  3. Varnikov says:

    It’s better to install HTTP Analyzer for IE insteed of Fidder.

    Great article! Error resources have to check.

  4. Kristoffer says:

    No, its not better to grab one for IE then FF, always dev in FF and only check that it works in IE. also for IE bugs i use this procedure.

  5. @Varnikov: Any traffic analyzer should work just fine – the ones listed were free at time of writing.

    @Kristoffer: I don’t know what you’re trying to say – this post is written about a specific problem in IE that does not appear in FF.

  6. John Duke says:

    There is a really cool fix for this at http://www.htaccesselite.com/htaccess/fix-for-warning-page-contains-secure-and-nonsecure-items-vt129.html

    Basically you can use mod_rewrite in an htaccess file to internally redirect https:// to http:// so that you can post https://x.com/image.gif to eliminate the warning message, but the server will internally request http://x.com/image.gif instead!

  7. Murugesan says:

    I want to disable this warning message in each and every pages. Do u have any code to disable this one.?

    Regards
    Murugesan

  8. Brilliant! I’ve been pulling my hair out all day trying to find the problem with my page and this article solved it. Thank you very much!

  9. […] Google Analytics say that the most popular post by far is This page contains both secure and nonsecure items, JS:Sorted Table page trails at only 20% of hits of the ‘winner’. […]

  10. Hi,

    We are having some problems with this issue for this page:
    https://www.speedystamps.com.au/order.php?type=2

    Any idea’s would be great :)

    Thanks

  11. Pablo Alarcon says:

    Thank you very much, all my problems has gone !!

  12. Craig says:

    If you would like to turn this essage off for all websites in IE7. Navigate to Internet options. Under the security tab click on the internet icon. Then click the custom level button. One of the settings about half way down will be “Display mixed content”. Click enable under this option and that annoying litle window shoud never pop up again.

  13. Don says:

    Joshua Oliver said,
    on April 11th, 2007 at 03:25

    Hi,

    We are having some problems with this issue for this page:
    https://www.speedystamps.com.au/order.php?type=2

    Any idea’s would be great :)

    Thanks

    The problem is the Macromedia include:
    Fully qualified using Http://

  14. jesse says:

    I’m not a programmer – just an annoyed user. Everytime i load my company’s sharepoint page i get the security information popup. Is there a setting in IE that i can disable this? I use Mozilla for every other website, so i’m not concerned about my security settings. thanks.

  15. Michael says:

    Thank you for the helpful article. I was able to track my issue down to an iframe with missing ‘src’ attribute – looks like this is interpreted as ‘about:blank’ as well and leads to the same misbehavior

  16. sherif sakr says:

    Great thank you very match , it is very useful , all my problems a bout that issue overed

  17. Saj says:

    I was looking into the same issue.
    Thanks a lot.

  18. clay says:

    i tired this with ie7 and it didnt work for me. maybe i missed something but i could only fiz this problem by changing my browsers setttings.

  19. Katina says:

    Hi,

    Is this in IE or a website problem that can be totally resolved? I just opened a site and the pop-up is driving the members insane, including me.

    We have a SSL site, so how can the developer change the settings to get rid of this problem? Would he have to change many of the pages, or should I send an email to all of the members asking them to configure their IE browsers?

    I’m still stuck, sorry.

    Thank you for the great info.

    –Kat
    One Stop Write Shop
    http://www.onestopwriteshop.com
    Don’t worry Writers, we are lookint in to this issue!
    Help is on the way!!!!

  20. Chris says:

    Fiddler2 didn’t help me much. IE6 gives me that error, and Fiddler2 shows http requests, but lists them as a “HTTPS CONNECT Tunnel”. These requests are all to the root domain, so I’m not sure what they’re for or if they’re causing the error. All requests to actual content at listed as https…

  21. I have tried what i think is everything on a site we just developed and can’t figure it out. The site is http://www.te ch or ium.c om (remove spaces). To see the issue (in IE) just add any product to the cart and then go to check out and the infamous message secure/nonsecure appears. Any suggestions will be greatly appreciated. I have even tried removing the entire header and left column which use background images, and even disabled the CSS completely, to no avail.

    Thanks.

  22. Pablo says:

    Thanks a lot from Argentina
    (I found an iframe with missing ’src’ attribute).

  23. Scott says:

    My problem was that I had two iFrames, one that was visible, and one that could be toggled on and off in place of the other one. That hidden iFrame was without an src (souce). Once I added in a source file, everything was fine.
    Hope this helps someone pulling their hair out.

  24. [BH-152] “This page contains both secure and nonsecure items” message on Bhonline…

    We identfied 2 solutions for this issue.
    1. Change all http:// resource links to https:// in the application.
    2. Change Browser settings (set mixed content to enable under the Internet zone)

    Refer below urls for more info.

    http://ask-leo.c….

  25. […] Top content is still This page contains both secure and nonsecure items, Messing up the interface coming in at a distant second with merely a third of the visits. […]

  26. Evie says:

    I understand that links to pages within the website need to start with https instead of http, but what about links to other websites? I have two links at the bottom of my website to my other two websites. The more links the better right? They are advertising links. Would they cause this problem? Does this mean that for my site to be secure, I can’t have advertising links on it?

    I tried making only the 3 checkout pages secure, by making the Add to Cart button link to the https pages, but the other pages continue to point to https and still gettting that irritating message. How can you let only 3 pages be secure and let the rest be http? It seems that those 3 pages would not be able to have any links to the other pages in the website……HELP!

  27. Only the resource links are the ones that matter – links to other pages can easily be http://. Resources are images, CSS, JavaScript, Flashes, … If you paste the link here maybe we can help you.

  28. Jerry says:

    Great!
    This article really helped me. I had some sleepless nights while solving this “feature”. I didn’t even imagine that blank src in a frame tag may cause this. Our project is pretty big, only one stupid blank src caused problems (switching to https).

    Thank you!!!

  29. krupa says:

    PLZ HELP. I found the missing src in Iframe tag.. but i cant replace it with something else, since initially it has to be blank..and it gets assigned dynamically. what do i do ?

  30. change the src so a page that will be “empty” as in not have any content in the body of the html. it has to be a document and not a 404 though…

  31. Mark says:

    you can also try setting src=”javascript: false;” on your iframe

  32. James Walters says:

    I get this only on a page which has a variant of lightbox (rgsmoothgallery extension in a Typo3 v4.2 site), but it happens in IE 5, 6 & 7. If you click on “No” in the dreaded Security Alert pop-up, the images for the slideshow control buttons don’t display. After you reference all of them in the css with the whole url (http:// … ), those images all DO display even when you click on “No” … but that doesn’t stop the dreaded alert window popping up, so there must be something else in the js somewhere

  33. James I think you solved your own problem – the images are http:// links when they should be https://

  34. Mel Riffe says:

    Howdy, found your article today since I’m having the same problem. I’ve checked everything and the only thing I can find is the use of the xmlns attribute of the html tag. I’m trying to use xhtml in my pages. Could IE6 be complaining about this attribute? Here’s what I have in the page:

    Cheers,
    Mel

  35. linaldo says:

    think what i just have to do is to thank you folks your counsel and this page have been very helpful all the errors are gone now no more trouble on the web site

  36. If anyone else is having James’ issue with lightbox the offender is the line in lightbox.css containing url(data:image/gif;base64,AAAA). Remove that line and you should see the warning disappear.

  37. I did all the checks you guys post in here, I changed all the http: for https:, remove the src=”” and I even change href=”#” for href=””, but the site it is still say that “This page contains both ….” in IE6 only

  38. I’m guessing it’s the 404 errors on some images that trigger IE to use it’s own error which is insecure. Fix the 404s and you should be ok.

  39. sutr kam says:

    Hi I have some tag i put src= but the problem doesn’t solved.
    I know that there is another solution Tools-> Internet Options-> Security Tab-> Internet highlighted-> custom level-> miscellenious -> mixed content change from prompt to enable

    but i want to solve this from my page
    what to do now

  40. sutr kam says:

    In above post i have forgotten to mention the tag
    the tag is and the alert is not fired in ie7 but i have to use ie6 only what to do now

  41. Well to start of you should go through the check list and if you can’t find a problem post a link…

  42. Great article through which I have solved my all queries.

    Thanx mates..

  43. your article is excellent, it’s really help me, thanks so much

  44. TPav says:

    My situation turned out to be Flash related. The codebase tag. More info here. http://kb2.adobe.com/cps/165/tn_16588.html

  45. Per says:

    Thanks a lot for your article. Didn’t know that iframe-src left blank would produce this error. Helped us solve an old problem.

  46. Craig says:

    I had this message pop-up when I opened a window using window.open where the url was omitted:

    window.open (“”, “messageWindow”, “width=400, height=20”);

    This works in Firefox (without any errors) but IE decides to display about:blank which is insecure

    As stated above, you need to change the window.open to point to an empty page if you wish to do this:

    window.open (“empty.html”, “messageWindow”, “width=400, height=20”);

  47. neo_ramos says:

    After many hours of researching why IE 7 (only) was displaying the “this page contains both secure and etc…” message, I came across this blog.

    In my case, I searched for through all the code base and could not find the source of the problem.

    This was until I decided to search for “about:blank” through our JS frameworks.

    It just so happens that a jquery plugin we were using colorbox.js was loading an iframe with the src set to “about:blank”.

    As suggested on this site, I changed the source to a blank html page and problem went away.

    I am sure you saving many hours of research.

    Thank you so much for sharing your knowledge.

Leave a Reply