How To Tell What Files IE Thinks Are “nonsecure”?

Question

We have a CMS system whose web interface gets served over HTTPS. This works beautifully for Firefox, but when we load it in IE6 or IE7, it complains that \"This page contain

Answer 1

Firefox has a number of bugs in mixed content detection. Generally you should try using Fiddler to spot insecure resources.

If you install a tool I wrote (www.bayden.com/dl/scriptfreesetup.exe) you will get a different mixed content prompt which shows the exact URL of the first insecure resource on the page. That tool is basically a prototype and you should uninstall it when you're done with it.

Answer 2

Use Fiddler to watch the traffic between the server and IE.

Be sure to go to Tools > Fiddler Options... > HTTPS > and check 'Decrypt HTTPS traffic'

Any non-HTTPS traffic generated between any server and IE should be easy to spot in the Web Sessions list.

Answer 3

I used Eric's tool (thanks Eric you saved me hours...) and it turns out that IE6 treats a background image specified with a relative path as nonsecure content. Even though it actually requests it over https. So if you're stumped - converting your relative paths to absolute ones might really help...

Answer 4

If you can't see anything that isn't using SSL, then this is usually down to a broken SSL certificate somewhere. I don't know of anything off-hand that will tell you what exactly what the problem is, but you can get a list of everything that's loaded easily enough.

The media tab on Firefox's 'page info' dialog (right click on the page) will do it, it might also be worth having a go with Fiddler (which is an excellent, and extremely useful piece of software).

Answer 5

Are one or more resources (CSS url-image ref overlooked easily) pointing to a subdomain that's not covered by the certificate (https://www.example.com vs https://static.example.com)?