Loading ...
Sorry, an error occurred while loading the content.

Re: [oL] Nonsecure Message

Expand Messages
  • Foteos Macrides
    Subject: Re: [oL] Nonsecure Message Ron wrote: For testing purposes I have security in IE set to the default settings. (Which is what the majority of people
    Message 1 of 11 , Jan 1, 2004
    • 0 Attachment
      Subject: Re: [oL] Nonsecure Message
       
      Ron wrote:
      For testing purposes I have security in IE set to the default settings. (Which is what the majority of people will use.)

      Is it possible that you have the "Display Mixed Content" setting under Miscellaneous set to "Disabled"? If so, you will not get the message. The default setting is "Prompt".

      If I change this to Disabled, then I do not get the nonsecuremessage.
       
       
      and Dennis wrote:
      And when I clicked the links for overlib popups,  I GOT RON'S REPORTED SECURITY MESSAGE before the popups, and the SSL lock went away, as he reported.

      Fote, your browser is set up different from Ron's and mine.  That is either a feature or a bug.
      Dennis, I assume you used your XP.  I'm using Win9x.  Ron, are you using an NT/2000/XP system? Anyway, my guess is that this has to do with DOS-heritage versus NT-heritage PCs.
       
      I looked at "Tools/Internet Options/Advanced" and observed that, in my browser, I have "Security/Warn if changing between secure and Not Secure mode" turned OFF.  In other words, I don't expect to get this warning.  But I got it anyway. ?????
      Dennis, That warning has to do with going from an encrypted to unencrypted main document.  If you enable the warning, you'll get it after loading Ron's https main entry page and then clicking on one of the menu bar links that have http URLs.  MS normally leaves that warning disabled as the ("medium" security) default.
       
      The warning of concern is "Mixed Content" meaning the loaded document has stuff fetched via both https and http URLs.  To answer Ron's question, that is enabled for me, and it does normally work in that I get it on occasion at investment sites -- e.g., because the server administrator had some decorative or shim image set up for fetching via http in what is otherwise an encrypted document.
       
      The strange thing is that you don't get the warning until you click on the link for the popup.  That link has a javascript:void(0); URL, which logically is nothing and keeps you in the same document, but also is a non-https URL that at that point has been "handled" within an encrypted document.  Dennis and I can only offer guesses which we can't test ourselves, but my first guess would be that there may be an event handler bug for IE on your PCs brought out via the onclick.  Ron, try changing the invocation event for the popups from onclick to onmouseover, so there is no issue of fetching a resource (activating a URL), albeit void.  If that turns out to be a workaround, also try instead forcing a return value of false for the onclick event:
       
      onclick="overlib(...);return false;"
       
      Fote
      --
       
    • warrisr
      Hello Fote, I tried both of your suggestions. Changed the invocation event to onmouseover and tried a forced return value of false. The page is still doing the
      Message 2 of 11 , Jan 1, 2004
      • 0 Attachment
        Hello Fote,

        I tried both of your suggestions. Changed the invocation event to
        onmouseover and tried a forced return value of false. The page is
        still doing the same thing. I am using Windows XP.

        I also tried the page on my Win98/IE5 machine and as you reported it
        works fine. No nonsecured error message and the lock does not
        disappear.

        Also, I created a test page so that I could try various things.
        Links with your suggested changes are on that page at
        https://luxeonstar.fluidhosting.com/credit-card-test.php

        Ron


        --- In overlib@yahoogroups.com, "Foteos Macrides" <fote@m...> wrote:
        > The strange thing is that you don't get the warning until you
        click on the link for the popup. That link has a javascript:void
        (0); URL, which logically is nothing and keeps you in the same
        document, but also is a non-https URL that at that point has
        been "handled" within an encrypted document. Dennis and I can only
        offer guesses which we can't test ourselves, but my first guess
        would be that there may be an event handler bug for IE on your PCs
        brought out via the onclick. Ron, try changing the invocation event
        for the popups from onclick to onmouseover, so there is no issue of
        fetching a resource (activating a URL), albeit void. If that turns
        out to be a workaround, also try instead forcing a return value of
        false for the onclick event:
        >
        > onclick="overlib(...);return false;"
        >
        > Fote
        > --
      • Foteos Macrides
        ... From: warrisr To: overlib@yahoogroups.com Sent: Thursday, January 01, 2004 1:36 PM Subject: [oL] Re: Nonsecure Message Hello Fote, I tried both of your
        Message 3 of 11 , Jan 2, 2004
        • 0 Attachment
          ----- Original Message -----
          From: warrisr
          Sent: Thursday, January 01, 2004 1:36 PM
          Subject: [oL] Re: Nonsecure Message
           
          Hello Fote,

          I tried both of your suggestions. Changed the invocation event to onmouseover and tried a forced return value of false. The page is still doing the same thing. I am using Windows XP.

          I also tried the page on my Win98/IE5 machine and as you reported it works fine. No nonsecured error message and the lock does not disappear.

          Also, I created a test page so that I could try various things. Links with your suggested changes are on that page at
          https://luxeonstar.fluidhosting.com/credit-card-test.php

          Ron
          This still looks like a bug in IE on XP and possibly earlier NT-based systems, such that we need to come up with a "workaround."  Unfortunately, I've been "scratching my head" some more plus have "slept on it" but as yet can't think of any "decent" workarounds to try other than these two which didn't do the job.
           
          In the meantime, let's try to rule out some other possibilities, even though they are very unlikely.
           
          Let's rule out that the server-side php scripting in conjunction with SSL encoding has anything to do with it.  Presumably, the easiest way to do that is -- on your Win98/IE5 machine which shows no problem -- to use View Source and then Save to create a local, un-encrypted html file for what you are receiving and decrypting via the https://luxeonstar.fluidhosting.com/credit-card-test.php URL, and then put that html file on your server for fetching with IE on XP via an https URL such that you get SSL encryption but no involvement of php.
           
          Let's also rule out that any of the overlib plugin modules have anything to do with it, so try it without importing those.  I really can't image how the overlibmws_exclusive.js module might have anything to do with it, but temporarily remove that anyway, and when you do, note that you must also temporarily remove the EXCLUSIVE command from the overlib calls.  Note also that though you are presently importing overlibmws_hide.js, I just noticed via View Source that you have not included any of its commands in your overlib calls, so it shouldn't actually be doing anything, but temporarily remove that as well to be certain it's not involved. Then, I presume you want its select box hiding for some browsers, in which case you must include its HIDESELECTBOX command in your overlib calls (unless you've set that to on as the default in your core module's configuration section, which I didn't check).  Also, If you are seeking to support NS4, you must encase the form (on the pages which have it) and the other select boxes in positioned divs and use the divs' ids as parameters for the module's HIDEBYIDNS4 command (see the http://www.macridesweb.com/oltest/hide.html demo file).
           
          The plugin of perhaps valid concern is overlibmws_iframe.js, which is using an iframe shim for IE v5.5+ browsers.  Iframe shims are themselves a "workaround" by MS for some "poorly implemented" code in IE, and are likely to involve somewhat different code in Win9x versus XP and earlier NT-based systems.  So let's do see if we can clearly rule out the iframe shims as a factor in the problem with SSL-encrypted files.
           
          Fote
          --
           
        • warrisr
          Hello Fote, Well I narrowed it down and found the problem, and as you suspected it is the overlibmws_iframe.js plug-in. As soon as I removed that the problem
          Message 4 of 11 , Jan 3, 2004
          • 0 Attachment
            Hello Fote,

            Well I narrowed it down and found the problem, and as you suspected
            it is the overlibmws_iframe.js plug-in. As soon as I removed that
            the problem disappeared.

            Of course that now leaves me with the problem that the
            overlibmws_iframe.js was meant to solve. However as chance would
            have it, none of my current pages have any form elements behind the
            pop-ups. But as the pages change over time this will undoubtedly
            change.

            In the meantime, I will not use this plug-in.

            Hopefully you can come up with a workaround! I really like
            overlibmws. In all other respects it does exactly what I need.

            Cheers!

            Ron

            --- In overlib@yahoogroups.com, "Foteos Macrides" <fote@m...> wrote:

            <snip>

            > The plugin of perhaps valid concern is overlibmws_iframe.js, which
            is using an iframe shim for IE v5.5+ browsers. Iframe shims are
            themselves a "workaround" by MS for some "poorly implemented" code
            in IE, and are likely to involve somewhat different code in Win9x
            versus XP and earlier NT-based systems. So let's do see if we can
            clearly rule out the iframe shims as a factor in the problem with
            SSL-encrypted files.
            >
            > Fote
            > --
          • Foteos Macrides
            ... From: warrisr To: overlib@yahoogroups.com Sent: Saturday, January 03, 2004 2:53 PM Subject: [oL] Re: Nonsecure Message Hello Fote, Well I narrowed it down
            Message 5 of 11 , Jan 3, 2004
            • 0 Attachment
              ----- Original Message -----
              From: warrisr
              Sent: Saturday, January 03, 2004 2:53 PM
              Subject: [oL] Re: Nonsecure Message
               
              Hello Fote,

              Well I narrowed it down and found the problem, and as you suspected it is the overlibmws_iframe.js plug-in. As soon as I removed that the problem disappeared.

              Of course that now leaves me with the problem that the overlibmws_iframe.js was meant to solve. However as chance would have it, none of my current pages have any form elements behind the pop-ups. But as the pages change over time this will undoubtedly change.

              In the meantime, I will not use this plug-in.

              Hopefully you can come up with a workaround! I really like overlibmws. In all other respects it does exactly what I need.

              Cheers!

              Ron
              Ron,
               
              It is good to know the actual nature of the problem, but I've been thinking about what might be a workaround if it did turn out to be with iframe shims on XP (and probably earlier NT-based systems), and I have not yet had any good ideas.  I will, of course, keep thinking about it.
               
              Note that it's not quite as bad a situation as you might initially think, in that I already designed the code such that when you don't import the iframe plugin module then the commands in the overlibmws_hide.js plugin module for hiding elements that might otherwise obscure overlib popups are also implemented for IE v5.5+.  For example, in your https://luxeonstar.fluidhosting.com/credit-card-test.php test file the popup with CVV info is large enough to overlap the select box for currency choices, so that the box obscures the popup at upper right.  If you add HIDESELECTBOXES to the overlib call, it will hide any select boxes that would otherwise overlap, and thus prevent obscuring, for IE 5.5 and 6.0 just as for the other browsers which need that feature.  The id-based hiding commands in overlibmws_hide.js similarly work for IE5.5+ when overlibmws_iframe.js is not imported (except HIDEBYIDNS4 which is specific for Netscape v4.x, as discussed earlier).
               
              In addition to the iframe shim workaround, MS generated the proprietary windows.createPopup method as a workaround for its poor implementation of DHTML when a page also has objects or elements that use system controls.  I illustrate that and provide links to the MS documentation in:
               
               
              Would you mind copying my code for a window.createPopup-based popup to your server and checking whether it might also have problems on XP when used with SSL encryption?  If not, a possibility for pages with a few, similarly structured, informational popups such as yours is to write window.createPopup-based versions, and then use the OLie55 sniffer flag for invoking those versus the overlib-based popups, depending on the browser, in the SSL-encrypted documents.
               
              Fote
              --
               
            Your message has been successfully submitted and would be delivered to recipients shortly.