[ 
https://issues.apache.org/jira/browse/TOMAHAWK-1389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12667810#action_12667810
 ] 

Simon Kitching commented on TOMAHAWK-1389:
------------------------------------------

IE7 has a paranoid security check: if the main page is loaded via an https url, 
then it complains if any resource loaded by the page (javascript, css, images) 
is loaded by a normal http url. This check really is too strict; it catches 
almost no real bugs, but complains about perfectly sane pages. Well, I suppose 
it might prevent "man in the middle" attacks that inject evil javascript. But 
in practice it causes far more pain than benefit.

Other browsers have more sense, and don't bother to apply this check. However 
given the number of IE7 installations, it is (sigh) reasonable to apply a 
workaround for this.

The fix is to ensure that when JSF components write references into the 
generated page (javascript, css, images, etc) the generated URL always uses the 
same scheme as the "main" page (ie https when the main page is https).

In this case, it means a code-change to the TableSuggestAjax component.

Gerd, please "view source" on the problem page and report any urls in the page 
that are using "http://". These are the ones that will need to be fixed.

> TableSuggestAjax - security popup in IE7 when using SSL
> -------------------------------------------------------
>
>                 Key: TOMAHAWK-1389
>                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1389
>             Project: MyFaces Tomahawk
>          Issue Type: Bug
>          Components: Alias Bean
>    Affects Versions: 1.1.8
>         Environment: myfaces 1.2.5
> tomahawk 1.1.8
> sandbox 1.1.7 snapshot
> facelets 1.1.14
> tomcat 6.16
> Apache mod_jk 2 (issue also comes up without mod_jk)
>            Reporter: Gerd Schaffer
>
> A security popup comes up when using TableSuggestAjax in Internet Explorer 7 
> (IE7) when using SSL / HTTPS with the message:
> Warning: This page contains secure and non secure items ...
> Warnung: Diese Seite enthält sichere und nicht sichere Objekte ...
> TableSuggestAjax works in IE6, Mozilla, Safari and Google Chrome - just IE7 
> has this security-issue.
> what is going on in TableSuggestAjax component? Is there a possibility to fix 
> this (with or without code change)?
> (telling IE7 not to report these errors (in ie-preferences) is not meant as 
> fix)
> thank you in advance!

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
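
The manual check requested in the comment above ("view source" and report any "http://" URLs), as an added example that is not part of the original message or of the Tomahawk code base: a Python script that lists the subresources an https page would load over plain http. The tag/attribute table, the function names and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL the browser fetches while rendering the page.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
               "input": "src", "object": "data"}
# <link href> is fetched only for these rel values; <a href> is never fetched.
FETCH_RELS = {"stylesheet", "icon"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (line, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base = urljoin(self.base, a["href"])
            return
        name = FETCH_ATTRS.get(tag)
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            name = "href" if rels & FETCH_RELS else None
        if name and a.get(name):
            url = urljoin(self.base, a[name].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(page_url, html):
    """Return http:// subresources referenced by a page served over https."""
    if urlsplit(page_url).scheme != "https":
        return []  # the browser warning only concerns https pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page source; hosts and paths are placeholders.
SAMPLE = """<html><head>
<script src="http://example.test/app/suggest.js"></script>
<link rel="stylesheet" href="/app/style.css">
<script src="//cdn.example.test/lib.js"></script>
</head><body><img src="http://example.test/app/spinner.gif">
<a href="http://example.test/help">help</a></body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content("https://example.test/app/page.jsf", SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

Relative and protocol-relative references resolve against the page URL, so they inherit https and are not reported; only absolute "http://" references (or a `<base href>` pointing at http) are.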