Bug Tracker

Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#11600 closed bug (patchwelcome)

.load() causes security warning in IE7/8 when loading only a fragment from target page

Reported by: simon.ouellet@…
Owned by: jaubourg
Priority: low
Milestone: 1.8
Component: ajax
Version: 1.7.2
Keywords:
Cc:
Blocked by:
Blocking:

Description

Hi, this description is from the closed ticket #8927, but as I have exactly the same issue, I felt that I could just copy/paste it here... Contrary to the other developer though, I have a working example in production: http://www.agep.ulaval.ca

The calendar on the homepage loads a fragment from another page to get the current month's events. If I remove the load call, the mixed content warning isn't displayed anymore.

This affects only IE7 and IE8. Other browsers tested such as FF 4, Chrome 12 (dev), IE9 (on Windows 7) were unaffected.

According to the other ticket, if there are two pages, Foo.html and Bar.html, both on the same domain and both using https, the .load() function operates correctly and without any mixed content warning if loading the entirety of Bar into Foo. However, if a fragment of the target page is being loaded, a mixed security warning is generated.

URLs for reference:

https://www.mydomain.com/staging/Foo.html

https://www.mydomain.com/production/Bar.html

Example (in Foo.html):

$('#content').load('https://www.mydomain.com/production/Bar.html');

However, if loading a fragment from Bar.html, IE7 and IE8 throw the mixed security warning.

Example (in Foo.html):

$('#content').load('https://www.mydomain.com/staging/Bar.html #fragmentToLoad');

Change History (9)

comment:1 Changed 8 years ago by Rick Waldron

Component: unfiled → ajax
Owner: set to jaubourg
Priority: undecided → low
Status: new → assigned

@jaubourg can you confirm this?

comment:2 Changed 8 years ago by Rick Waldron

Milestone: None → 1.8

comment:3 Changed 8 years ago by dmethvin

I think I've seen this years ago; it's probably due to the detached jQuery("<div />") that only comes into play if you provide a selector. However I can't find a related ticket.

The detached div is seen as insecure, even though the document.createElement() that we use is from a secure document. I *think* I was able to circumvent the message by attaching the div to the document before inserting the content, but I cannot recommend that as a solution here because it would cause a reflow.

comment:4 Changed 8 years ago by anonymous

So, what should I do to fix this?

comment:5 Changed 8 years ago by dmethvin

The simplest workaround would be to use a standard .load() to load all content into the document, then remove whatever content you did not need.

comment:6 in reply to: 5 Changed 8 years ago by jaubourg

Replying to dmethvin:

The simplest workaround would be to use a standard .load() to load all content into the document, then remove whatever content you did not need.

Except all embedded scripts would be executed then, right?

comment:7 Changed 8 years ago by dmethvin

If there are scripts, yes. The only other solution I could think of involves appending the holding div to the body but that would cause reflows and it doesn't seem worth it for a rare case. Any other possibilities?

comment:8 Changed 7 years ago by dmethvin

Resolution: patchwelcome
Status: assigned → closed

This is probably best done as an app-level workaround, but if anyone has good ideas about how to fix it in a general way please get in touch with us.

comment:9 Changed 7 years ago by dmethvin

#11928 is a duplicate of this ticket.
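
The app-level workaround raised in comment:3 and comment:7 (attach the holding div to the document before inserting the content), combined with script stripping to address the concern in comment:6, as an added example that is not part of this ticket or of jQuery. The names `stripScripts`, `splitTarget` and `loadFragmentAttached` are hypothetical, and that an attached holder suppresses the IE7/8 warning is an assumption taken from comment:3, not something verified here.

```javascript
// Added example; helper names are hypothetical, `$` is a jQuery 1.7-era object.
// Pattern jQuery 1.7.2 uses to drop <script> blocks when .load() gets a selector.
// It removes script elements only (inline handlers such as onclick remain).
var rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

function stripScripts(html) {
  return String(html).replace(rscript, "");
}

// Split "url selector" as .load() does: text after the first space is the selector.
function splitTarget(target) {
  var off = target.indexOf(" ");
  if (off < 0) { return { url: target, selector: "" }; }
  return {
    url: target.slice(0, off),
    selector: target.slice(off + 1).replace(/^\s+|\s+$/g, "")
  };
}

// Fetch the page, then parse it in a hidden holder that is already attached
// to the document (assumption from comment:3: IE7/8 then treats it as secure).
function loadFragmentAttached($, target, dest, done) {
  var parts = splitTarget(target);
  return $.ajax({ url: parts.url, type: "GET", dataType: "html" })
    .done(function (html) {
      var holder = $("<div>").hide().appendTo(document.body);
      // Strip first so embedded <script> blocks do not execute (comment:6).
      holder.html(stripScripts(html));
      var picked = parts.selector ? holder.find(parts.selector) : holder.contents();
      $(dest).empty().append(picked);
      holder.remove();
      if (done) { done(picked.length); }
    });
}
```

Called as `loadFragmentAttached(jQuery, 'https://www.mydomain.com/staging/Bar.html #fragmentToLoad', '#content')`; appending the holder to the body carries the reflow cost noted in comment:7.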
