How to avoid "show all content" msg on HTTPS site in IE9? - https

We have an HTTPS site that brings up a page from a different site of ours that’s HTTP.
In IE (9), we get the message at the bottom of the page:
“Only secure content is displayed. What’s the risk? [Show all content]”.
When the button is clicked, it closes the lightbox-ish control that's open and returns to the page it was overlaid on.
Does anyone know how to avoid this?
In the HTTP site’s page, one guy here had the idea to add, at the end of On_Load, the following to turn off cross-site scripting protection:
this.Response.Headers.Add("X-XSS-Protection", "0");
Both sites are C# / ASP.NET 4.0.
Thanks in advance!

Add the url to your trusted sites, it's the only way if you don't send all data through https.
Internet Options -> Security -> Trusted Sites -> Sites.
If this is something that needs to be company wide, I would recommend pushing out the rule via a group policy.
Alternatively, allow access to the control using https on the other site (if you can) and reference that - the warning will disappear.

The real setting to enable here is to "Display mixed content" for the zone of the site you want. If the site is on your Intranet, you select Intranet zone in the Security settings, then Custom level. If it's an Internet site, you go there and go to Custom level.
There, you should see the "Display mixed content" setting, and simply select "Enable", then "OK" your way out of the dialogs.
Reference: https://www.mydigitallife.net/how-to-disable-only-secure-content-is-displayed-in-ie-always-show-all-mixed-content/

Related

How to handle Strict Transport Security (HSTS) using JMeter

I'm trying to record traffic off a website which uses HTTP Strict Transport Security (HSTS). As a result it is not possible to add an exception for the certificate. This means I cannot record a session.
Anyone know how I can handle this?
Websites using HSTS won't allow you to add an exception for a server. What you can do is to tweak your browser to allow/bypass the HSTS policy. Here's what you can do in case of Firefox -
Type about:support in your browser to open up the Troubleshooting Information page. (Alternatively, select 'Troubleshooting Information' from the Help Menu).
Navigate to the 'Profile Folder' row in the table shown on the page, and click the button 'Open Folder'.
This would open up a new explorer window for the Firefox profile directory. Keeping this explorer window open, close/quit Firefox.
Open the file SiteSecurityServiceState.txt and delete any rows containing the server name you need to access. Save this file.
After this, when you launch Firefox, it would ignore the HSTS restriction.
Source: Mozilla Support
An alternate solution is to use the JMeter Chrome Plugin - BlazeMeter
You have the option of using HAR to JMeter:
https://blog.flood.io/convert-har-files-to-jmeter-test-plans/
But showing your error might help

going from http to https version of site in firefox has insecure elements on first load

Our e-commerce site uses http for general site browsing and https for checkout. This process works in all browsers except for Firefox. On Firefox, we are seeing an error that not all elements are secure.
Using Firefox:
Go to http://www.creativecrash.com/marketplace/3d-models/vehicle/cars/sedan/c/seat-ibiza-2013-5door
click Add to Cart
click Checkout
Now the site should not be partially secure. If you click the icon beside the URL it should say "Your connection to this site is only partially encrypted, and does not prevent eavesdropping".
Now reload the page. It should suddenly be fully secure.
Any ideas on why this is happening and how we can fix it would be most appreciated.

plain http image on https/ssl page = warning

I've found the page that plain http images with a https/ssl page can't be displayed without warnings. Is there any way to display a picture from another http:// web-site on your https:// web-site without warnings? (Suppose you have permission to display that picture on your web-site.)
Chrome puts a yellow triangle on the SSL lock: "...However, this page includes other resources, that are not secure..."
IE displays a warning when a page loads: "Do you want to view only the webpage content that was delivered securely?"
So, how to display a picture on https:// page if it is on another web-server?
You can use the information on this article on Encosia. Basically you have to use a // syntax for your urls in order to use the same protocol in all cases. For example, if you have a https request, the following
//ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
will hit Google's CDN using the https protocol. However, if you don't have control over the other server, I think you're out of luck. If you do have control over the other server I'd recommend using the method described in the article above by allowing your content server to serve both protocols.

Internet Explorer does not load images cross domain (https)

this is an updated question:
I am trying to include a picture on an external server.
PROBLEM HERE: my home website is using https:// and the picture on the external server is just http. The picture is fine (tested) but IE seems not to allow to access http:// sources when on a https:// website.
I am looking for html or javascript code to allow access for loading pictures from other domain WHEN my home domain is HTTPS and my external domain is HTTP
thanks
Klaus
I'm afraid this is a feature of the browser. When you enter a page like this on IE and some other browsers, it will give the user the option to disallow "unsecured" elements on the page (this includes elements served over HTTP); and will not display them. Your page cannot override the users' action.

Easy way to determine what content is not delivered using a secure HTTPS connection?

I have some pages that are sent via HTTPS. Internet Explorer sometimes complains about "This webpage contains content that will not be delivered using a secure HTTPS".
I looked in the html source to confirm all content calls (href, src, etc...) are sent via https. My CSS files use relative paths. But I'm still getting these warnings.
Is there an easy way to track down which items are not sent via HTTPS?
You could fire up Fiddler to see what exactly IE is requesting over regular HTTP.
In Fiddler's default configuration, HTTPS requests will show up with a lock and CONNECT as the host. HTTP requests will have a non-lock icon.
(source: josh3736.net)
I usually use Firefox + Firebug (the "Net" tab) to find the offending request. You could also use Fiddler for this. (with any browser)
I've used the following site before - I find it easier than loading up Firebug / Fiddler.
http://www.whynopadlock.com/
You can use SslCheck
It's a free online tool that crawls a website recursively (following all internal links) and scans for unsecure content - images, scripts and CSS.
(disclaimer: I'm one of the developers)
In Google Chrome, similar to Firefox w/ FireBug, you can use the 'Network' tab of the Developer Tools console.
Open the Developers Tools console, go to the 'Network' tab, and reload the target page. Any warnings with the page, such as insecure content being loaded, will be indicated with the number of warning and an 'alert' icon in the bottom right corner (Chrome v23.x). Click on the icon and a list of the warnings, in this case, the resources being loaded insecurely, will be displayed.
Using the following tools could help:
Firefox's FireBug: opening the Network tab shows you connection details for multiple resources.
Fiddler: acts as a sniffer and allows you to explore the details of each connection.
Using Firefox - view generated source vs viewing source.
There is probably a JavaScript file that is creating a div/iframe that is insecure.
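The answers above point at browser tooling (Firebug, Fiddler, the Chrome Network tab) to find the offending request, and the earlier answer suggests protocol-relative `//` URLs once the other server also speaks HTTPS. As an added example (not code from any of the posters), here is a small offline scanner that does both jobs on a saved HTML file: it lists every sub-resource reference that uses plain `http://` (images, scripts, stylesheets, iframes, CSS `url()` values), skipping plain `<a href>` links which do not count as mixed content, and it can rewrite those references to the `//` form. The sample HTML and the `*.example.com` hosts are constructed for the demo; only the `ajax.googleapis.com` URL comes from the thread.

```python
"""Offline mixed-content finder / protocol-relative rewriter (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Element/attribute pairs that make a browser fetch a sub-resource.
# <a href> is deliberately absent: an http:// hyperlink is navigation,
# not mixed content, so the browser never warns about it.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "form": ("action",),
}
# Absolute http:// URLs inside CSS url(...) in <style> blocks or style="" attributes.
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every sub-resource loaded over plain http."""

    def __init__(self):
        super().__init__()
        self.insecure = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:          # HTMLParser lowercases tag/attr names
            if value is None:
                continue
            if name in RESOURCE_ATTRS.get(tag, ()):
                for url in self._split_srcset(name, value):
                    if url.lower().startswith("http://"):
                        self.insecure.append((tag, name, url))
            elif name == "style":          # inline style="background: url(http://...)"
                self.insecure.extend(("style-attr", "url()", u) for u in CSS_URL.findall(value))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                 # contents of a <style> block
            self.insecure.extend(("style", "url()", u) for u in CSS_URL.findall(data))

    @staticmethod
    def _split_srcset(name, value):
        # srcset is "url1 2x, url2 1x"; every other attribute is a single URL.
        if name != "srcset":
            return [value.strip()]
        return [c.strip().split()[0] for c in value.split(",") if c.strip()]


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.insecure


def to_protocol_relative(url):
    """http://host/path -> //host/path; https:// and relative URLs are left alone."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunsplit(("", parts.netloc, parts.path, parts.query, parts.fragment))


def rewrite_mixed_content(html):
    """Rewrite every flagged http:// sub-resource URL to protocol-relative form.

    Works on the raw markup by exact string replacement, so attribute values
    containing HTML entities (&amp;) would need unescaping first.
    """
    out = html
    for url in {u for _tag, _attr, u in find_mixed_content(html)}:
        out = out.replace(url, to_protocol_relative(url))
    return out


# Constructed sample page mixing secure, relative and plain-http references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js"></script>
<style>body { background: url(http://static.example.com/bg.png); }</style>
</head><body>
<img src="https://images.example.com/logo.png">
<img src="http://images.example.com/banner.png" srcset="http://images.example.com/banner@2x.png 2x">
<a href="http://www.example.com/help">help</a>
<iframe src="http://shop.example.com/lightbox"></iframe>
<div style="background-image: url('http://static.example.com/tile.png')"></div>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"{tag:<10} {attr:<6} {url}")
```

Run it against `view-source` output or a Firebug-saved copy of the page; the `<iframe>` row is the case from the first question, where the lightbox pulls an HTTP page into an HTTPS one. The rewrite only removes the warning if each referenced host actually serves the same path over HTTPS, which is the caveat the earlier answer already makes.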
