The following popup warning is seen in the browser: "Security Information: This page contains both secure and nonsecure items." This warning is displayed while running a BSP application and is very annoying. It can have several causes. The warning appears only when the application is running in HTTPS mode, not in HTTP.
The simplest and most obvious problem is that a URL is hard-coded to use HTTP. Once the application is switched to HTTPS mode, the URL for a specific resource is still fetched via HTTP. Here is a simple program to show such an example.
Notice the hard-coded URL that includes an HTTP specifier. As long as the application is run in HTTP mode, this is no problem. However, once it is switched into HTTPS mode, this one URL references a resource in HTTP mode, causing the above warning.
The situation can easily be seen with an HTTP proxy tool: just observe which URLs are in HTTP mode. Important: even if the required image is already available locally in the browser cache, the fact that it is addressed via HTTP will cause the warning message to be displayed!
Another variation of the same problem is the use of <iframe> tags to external sites, where usually server-absolute URLs are required.
Here again, even though the <iframe> is a self-contained HTML document, it is still accessed via HTTP within the context of HTTPS. This will also cause the warning message to be displayed. This situation can also be quickly seen with an HTTP proxy trace, and also by examining the HTML source of the previous page or two loaded just before the warning message.
Variations of the <iframe> Usage
An alternative use of an <iframe> is to place the HTML on the page with a pseudo about:blank URL, with the intention to fill/load the
An alternative variation of the same programming style is not to set the src attribute, or to set the src attribute as empty, again with the intention to load the
Recommendation: In cases such as these, the simplest trick is to just load a dummy URL using the
<iframe> code with pseudo empty URLs to this format (or to load an empty page from the server as a placeholder into the frame). A code example:
The PHTMLB library also uses an <iframe> in a few complex situations. The <iframe> is dynamically created, attached into the browser DOM, and then the src attribute is set. Because of the sequence in which these steps are completed, this effectively causes, for a short moment, an <iframe> to be placed into the DOM that does not have the
640SP13-14 and in
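As an added example (not part of the original article and not SAP code), the following Python sketch audits rendered HTML for the two patterns described above: embedded resources addressed with a hard-coded http:// URL, and <iframe> tags whose src is missing, empty or about:blank. The names audit_html and MixedContentAuditor and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch an embedded resource.
# Plain <a href> links are navigation, not page content, so they are skipped.
FETCH_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "link": "href",
}

class MixedContentAuditor(HTMLParser):
    """Collects (line, tag, reason, url) for items likely to trigger the warning."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        values = dict(attrs)
        # <link> only embeds content when it loads a stylesheet.
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower():
            return
        url = (values.get(attr) or "").strip()
        line = self.getpos()[0]
        if url.lower().startswith("http://"):
            self.findings.append((line, tag, "hard-coded http URL", url))
        elif tag in ("iframe", "frame") and url.lower() in ("", "about:blank"):
            self.findings.append((line, tag, "missing/empty/about:blank src", url))

def audit_html(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page, as it might be captured from an HTTPS session.
SAMPLE = """<html><body>
<img src="http://www.example.com/logo.gif">
<img src="images/local.gif">
<iframe id="f1" src="about:blank"></iframe>
<iframe id="f2"></iframe>
<iframe id="f3" src=""></iframe>
<iframe id="f4" src="https://www.example.com/page.htm"></iframe>
<a href="http://www.example.com/">plain link</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason, url in audit_html(SAMPLE):
        print(f"line {line}: <{tag}> {reason} {url!r}")
```

Run it over the HTML source saved from the page or two loaded just before the warning appears; relative URLs and https:// URLs are not reported.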
IE Browser Hotfix
There is also a Microsoft security update 832894, or specifically the hotfix 821814, that can sporadically cause HTTP return code 500 (Page not Found) errors. The other error that we have found with this bug is exactly the non-secure warning. After following the recommended workaround of configuring the keep-alive time of the server to be above 60 seconds, up from the default 30 seconds (icm/server_port_< x > = ... TIMEOUT=90,...), the problem goes away. We have at the moment no explanation for the association between this error condition and this workaround. We would in all cases recommend updating the timeout value to 90 seconds, as this is not a severe change and does help to work around these non-reproducible errors in some cases. See SAP Note 900804 - HTTP 500 error in HTTPS post requests for details.