Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata


The following popup warning is seen in the browser: "Security Information:This page contains both secure and nonsecure items." While running a BSP application, this warning message is displayed, which is very annoying. It can be caused by a few reasons. This warning only comes when the application is running in HTTPS mode, and not in HTTP.

HTTP Url?

The simplest and most obvious problem is that an URL is hard-coded to use HTTP. Once the application is switched to HTTPS mode, the URL for a specific resource is still fetched via HTTP. Here a simple program to show such an example.

  <%@extension name="htmlb" prefix="htmlb"%>
  <htmlb:content design="design2003">
    <htmlb:page>
      <htmlb:form>
        <htmlb:textView text = "Hello World!" />
        <htmlb:image src = "http://myHost.domain.ext/sap/.../s_B_OKAY.gif" />
      </htmlb:form>
    </htmlb:page>
  </htmlb:content>

Notice the hard coded URL that includes a HTTP specifier. As long as the application is run within HTTP mode, this is no problem. However, once switched into HTTPS mode, we have here one URL that will reference a resource in HTTP mode, causing the above warning.


The situation can easily be seen when using a HTTP proxy tool. Just observe which URLs are in HTTP mode. Important: Even if the image that is required is already available locally in the browser cache, the fact that it is addressed via a HTTP mode will case the warning message to be displayed!

Using <iframe>?

Another variation of the same problem is the use of <iframe> tags to external sites, where usually server absolute URLs are required.

  <%@extension name="htmlb" prefix="htmlb"%>
  <htmlb:content design="design2003">
    <htmlb:page>
      <htmlb:form>
        <htmlb:textView text = "Hello World!" />
        <iframe src="http://www.sap.com"></iframe>
      </htmlb:form>
    </htmlb:page>
  </htmlb:content>

Here again, even although the <iframe> is self contained HTML document, it is still accessed via a HTTP mode within the context of HTTPS. This will also cause the warning message to be displayed. This situation can also be quickly seen with a HTTP proxy trace, and also be examining the HTML source of the previous page or two loaded just before the warning message.

Variations of the <iframe> Usage

An alternative use of an <iframe> is to place the HTML on the page with a pseudo about:blank URL, with the intension to fill/load the <iframe> later using JavaScript. Also in this case, this pseudo URL will cause the warning message in HTTPS mode.

  <iframe id="myIframe" src="'''about:blank'''"></iframe>

A alternative variation of the same programming style is not to set the src attribute, or to set the src attribute as empty, again with the intention to load the <iframe> later using JavaScript code. Also, in this case the warning messages will be displayed!

  <iframe id="myIframe1"></iframe>
  <iframe id="myIframe2" src=""></iframe>

Recommendation: In cases such as these, the simplest trick is to just load an dummy URL using the JavaScript: protocol. With this approach, the warning message is NOT displayed. It is recommend to change at all times <iframe> code with pseudo empty URLs to this format (or to load an empty page from the server as place holder into the frame). An code example:

  <iframe id="myIframe" src="JavaScript:void(0);"></iframe>

Using DESIGN2003?

The PHTMLB library also uses an <iframe> in a few complex situation. The <iframe> is dynamically created, attached into the browser DOM, and then the src attribute is set. Because of the sequence that these steps are completed, this also causes effectively for a short moment an <iframe> been placed into the DOM that does not have the src attribute set correctly. Specifically in this scenario, the popup warning would often occur not at the moment that the page is loaded, but only when a button is pressed that would trigger a popup, either from the dataNavigator or a popup menu. See SAP Note 843226 - Domain Relaxation, Popup JS File, Nonsecure Warning for correction instructions, which describe how to patch a few lines of code in one the JavaScript files used with the PHTMLB library. This error is in 620SP52-55, 640SP13-14 and in 700SP2.

IE Browser Hotfix

There exists also a Microsoft Security Updates 832894 or specifically the hotfix 821814 can sporadically cause a HTTP return code 500 (Page not Found) errors. The other error that we have found with this bug is exactly the non-secure warning. After following the recommended workaround of configuring the keep-alive time of the server to be above 60 seconds, up from the default 30 seconds (icm/server_port_< x > = ... TIMEOUT=90,...), the problem goes away. We have at the moment no explaination for the association between this error condition and this workaround. We would in all cases recommend to update timeout value to 90 seconds, as this is not a severe change, and does help to workaround these non-reproducable errors in some cases. Reference SAP Note 900804 - HTTP 500 error in HTTPS post requests for details.

2 Comments

  1. Former Member

    Hi Brian

    The article was very informative and elaborate.

    Is there a way by which we can avoid the pop up message that are caused by Hard coded URLs?

     Regards,

    Subhasis

  2. As far as I remember there are browser settings (each and every desktop) that control this popup. You will have to read IE documentation on this.