[CLOSED] iframes scr attribute and IE6 in SSL

[betamax]

duplicate.

[Daniil]

Hi,

Seems I made a big mistake.

I saw the two same threads and I have removed one of them. But you, at the same time, edited another. The problem - at the moment I can't see any way how to restore the text. I saw there was a lot of text. I guess you can be disappointed to restore it yourself...

Did you save the text anywhere to restore?

[betamax]

grrr. no.

The scenario consists of several autoload panels in a tab panel. When the page is loaded with mulltiple panels, which defer loading until the associated tab is clicked upon, in an SSL environment, a confirmatin box will ask user if the user wants to view mixed content.
Research points to severeal similar situations. One involved History.cs and this thread. In it you add a property to Core and RequestManager; IsSecureConnection, and logic to place values in src field while autoload is deferred.
Similar code exists in ext-base-debug.js

* URL to a blank file used by Ext when in secure mode for iframe src and onReady src to prevent
         * the IE insecure content warning (<tt>'about:blank'</tt>, except for IE in secure mode, which is <tt>'javascript:""'</tt>).
         * @type String
         */
        SSL_SECURE_URL : isSecure && isIE ? 'javascript:""' : 'about:blank',

This is mentioned in Extjs threads when the problem is discussed there. Another similar Ext.Net thread commented on by Geoffrey McGill talks about a companiopn property to AutoLoad called AutoLoadIframe. This seems like it was intended to directly address this problem, but I don't see that the property ever made it to v 1.0.

My situation is that we are now using ext.net in production and so picking up a fix in a recent revision will require a lot of QA test time since we are only on rev 3829. I am hoping that we can perhaps override a component of panel or tab panel to fix this. OR perhaps its already been addressed.
I also have an international costomer base ~5% of which still use IE6. This is usually because of their own internal security policies. Because of this we cannot ignor this annoyance, and we can't ask them to simply enable mixed content in IE settings.
Any guidance will be greatly appreciated.

[Vladimir]

Hi,

Sorry, I am not sure that clear understood the issue.
As I understood, IE users see warning about requesting non secure content if page is requested under SSL
Do you able to determine which resources are requested as non secure?
Please provide more details about how History is related with the issue? Do you see that warning if History widget is used in the page?

This is mentioned in Extjs threads when the problem is discussed there. Another similar Ext.Net thread commented on by Geoffrey McGill talks about a companiopn property to AutoLoad called AutoLoadIframe. This seems like it was intended to directly address this problem, but I don't see that the property ever made it to v 1.0.

AutoLoadIframe was initially added for creating iframe. That property was removed after AutoLoad implementation, now need to use AutoLoad and Mode="IFrame"

Do you able provide test sample?

[betamax]

create a tabpanel, add some panels and set autoload to valid relative paths. run in ssl environment. when main page loads you will be asked if you want to view mixed content. you will be asked for each panel you click. It is because of the same reason other articles\threads quote. src=about:blank or "" causes IE6 to think the resource is not from HTTPS because about:blank is a local (internal page and thus http) and src="" resolves to about:blank
Detailed quetions take a long time to write. And I had to do this one twice. Do I really need to create a couple tabs in a tab panel too?

code from history thread:

 string src = X.IsSecureConnection && X.IsIE ? "javascript<B></B>:''" : "about<B></B>:blank"; 
  
    writer.Write("<input type=\"hidden\" id=\"x-history-field\" />"); 
    writer.Write(string.Format("<iframe id=\"x-history-frame\" src=\"{0}\"></iframe>", src));

History thread is only relevant because it resulted in the mixed content confirmation box, and utilizes same solution as would seem necessary to fix this.

[Vladimir]

Here is my test case, I don't see any waring udner IE6 and https protocol

<%@ Page Language="C#" %>
<%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Ext.NET Example</title>
</head>
<body>
    <form runat="server">
        <ext:ResourceManager runat="server" />
        <ext:TabPanel runat="server" Height="200">
            <Items>
                <ext:Panel runat="server" Title="Tab 1">
                    <AutoLoad Mode="IFrame" Url="Child.aspx" />
                </ext:Panel>
                
                <ext:Panel runat="server" Title="Tab 2">
                    <AutoLoad Mode="IFrame" Url="Child.aspx" />
                </ext:Panel>
                
                <ext:Panel runat="server" Title="Tab 3">
                    <AutoLoad Mode="IFrame" Url="Child.aspx" />
                </ext:Panel>
            </Items>
        </ext:TabPanel>
        
        <ext:History runat="server" />
    </form>
</body>
</html>

It is because of the same reason other articles\threads quote. src=about:blank or "" causes IE6 to think the resource is not from HTTPS because about:blank is a local (internal page and thus http) and src="" resolves to about:blank

If you set Url for AutoLoad (as you mentioned before, "set autoload to valid relative paths") then where "about:blank" or empty url is used?

[betamax]

With no modification at all, your sample produces a mixed content alert, in IE6, in an SSL enviroment, everytime the default page loads.
There is no need for a History control.

Are you using IE6?
Are you using an IIS SSL env?
These are the only two variables I see.

[Vladimir]

Yes, I used IE6 and IIS with https
I am not sure what can give that warning in that example. IFrames are created with url is provided by developer (blank url is not used)
Do you able to provide online sample?

[betamax]

In my original post, that got erased, I stated what revision I was on. That turns out to be the key peice of information. It was the History control after all, and the fix implememted for us, around rev 3829, solved that. Our production env is currently on rev 3671, and that is the ext dll I was testing against on this issue.

Thanks for the help ion narrowing this down. It will provide a good argument to managment for gettting a more recent revision.