#11600 closed bug (patchwelcome)
Opened April 18, 2012 02:04PM UTC
Closed June 11, 2012 11:01PM UTC
Last modified June 23, 2012 01:41PM UTC
.load() causes security warning in IE7/8 when loading only a fragment from target page
| Reported by: | simon.ouellet@dti.ulaval.ca | Owned by: | jaubourg |
|---|---|---|---|
| Priority: | low | Milestone: | 1.8 |
| Component: | ajax | Version: | 1.7.2 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
Hi, this description is from the closed ticket #8927, but as I have exactly the same issue, I felt that I could just copy/paste it here... Contrary to the other developer, though, I have a working example in production:
The calendar on the homepage loads a fragment from another page to get the current month's events. If I remove the load call, the mixed content warning isn't displayed anymore.
This affects only IE7 and IE8. Other browsers tested such as FF 4, Chrome 12 (dev), IE9 (on Windows 7) were unaffected.
According to the other ticket, if there are two pages, Foo.html and Bar.html, both on the same domain and both using https, the .load() function operates correctly and without any mixed content warning if loading the entirety of Bar into Foo.
However, if a fragment of the target page is being loaded, a mixed security warning is generated.
URLs for reference:
https://www.mydomain.com/staging/Foo.html
https://www.mydomain.com/production/Bar.html
Example (in Foo.html): $('#content').load('https://www.mydomain.com/production/Bar.html');
However, if loading a fragment from Bar.html, IE7 and IE8 throw the mixed security warning.
Example (in Foo.html): $('#content').load('https://www.mydomain.com/staging/Bar.html #fragmentToLoad');
Change History (9)
Changed April 23, 2012 04:59PM UTC by comment:1
| component: | unfiled → ajax |
|---|---|
| owner: | → jaubourg |
| priority: | undecided → low |
| status: | new → assigned |
Changed April 23, 2012 04:59PM UTC by comment:2
| milestone: | None → 1.8 |
|---|---|
Changed April 23, 2012 05:13PM UTC by comment:3
I think I've seen this years ago, it's probably due to the detached jQuery("<div />") that only comes into play if you provide a selector. However I can't find a related ticket.
The detached div is seen as insecure, even though the document.createElement() that we use is from a secure document. I *think* I was able to circumvent the message by attaching the div to the document before inserting the content, but I cannot recommend that as a solution here because it would cause a reflow.
Changed April 27, 2012 07:25PM UTC by comment:4
So, what should I do to fix this?
Changed April 28, 2012 03:16PM UTC by comment:5
The simplest workaround would be to use a standard .load() to load all content into the document, then remove whatever content you did not need.
Changed April 28, 2012 03:19PM UTC by comment:6
Replying to [comment:5 dmethvin]:
The simplest workaround would be to use a standard .load() to load all content into the document, then remove whatever content you did not need.
Except all embedded scripts would be executed then, right?
Changed April 28, 2012 03:33PM UTC by comment:7
If there are scripts, yes. The only other solution I could think of involves appending the holding div to the body but that would cause reflows and it doesn't seem worth it for a rare case. Any other possibilities?
Changed June 11, 2012 11:01PM UTC by comment:8
| resolution: | → patchwelcome |
|---|---|
| status: | assigned → closed |
This is probably best done as an app-level workaround, but if anyone has good ideas about how to fix it in a general way please get in touch with us.
@jaubourg can you confirm this?