Bug Tracker

#11600 closed bug (patchwelcome)

Opened April 18, 2012 02:04PM UTC

Closed June 11, 2012 11:01PM UTC

Last modified June 23, 2012 01:41PM UTC

.load() causes security warning in IE7/8 when loading only a fragment from target page

Reported by: simon.ouellet@dti.ulaval.ca
Owned by: jaubourg
Priority: low
Milestone: 1.8
Component: ajax
Version: 1.7.2
Keywords:
Cc:
Blocked by:
Blocking:
Description

Hi, this description is from the closed ticket #8927, but as I have exactly the same issue, I felt that I could just copy/paste it here... Unlike the other developer, though, I have a working example in production:

http://www.agep.ulaval.ca

The calendar on the homepage loads a fragment from another page to get the current month's events. If I remove the load call, the mixed content warning isn't displayed anymore.

This affects only IE7 and IE8. Other browsers tested such as FF 4, Chrome 12 (dev), IE9 (on Windows 7) were unaffected.

According to the other ticket, if there are two pages, Foo.html and Bar.html, both on the same domain and both using https, the .load() function operates correctly and without any mixed content warning if loading the entirety of Bar into Foo.

However, if a fragment of the target page is being loaded, a mixed security warning is generated.

URLs for reference:

https://www.mydomain.com/staging/Foo.html

https://www.mydomain.com/production/Bar.html

Example (in Foo.html): $('#content').load('https://www.mydomain.com/production/Bar.html');

However, if loading a fragment from Bar.html, IE7 and IE8 throw the mixed security warning.

Example (in Foo.html): $('#content').load('https://www.mydomain.com/staging/Bar.html #fragmentToLoad');

Attachments (0)
Change History (9)

Changed April 23, 2012 04:59PM UTC by rwaldron comment:1

component: unfiled → ajax
owner: → jaubourg
priority: undecided → low
status: new → assigned

@jaubourg can you confirm this?

Changed April 23, 2012 04:59PM UTC by rwaldron comment:2

milestone: None → 1.8

Changed April 23, 2012 05:13PM UTC by dmethvin comment:3

I think I've seen this years ago; it's probably due to the detached jQuery("<div />") that only comes into play if you provide a selector. However, I can't find a related ticket.

The detached div is seen as insecure, even though the document.createElement() that we use is from a secure document. I *think* I was able to circumvent the message by attaching the div to the document before inserting the content, but I cannot recommend that as a solution here because it would cause a reflow.

Changed April 27, 2012 07:25PM UTC by anonymous comment:4

So, what should I do to fix this?

Changed April 28, 2012 03:16PM UTC by dmethvin comment:5

The simplest workaround would be to use a standard .load() to load all content into the document, then remove whatever content you did not need.

Changed April 28, 2012 03:19PM UTC by jaubourg comment:6

Replying to dmethvin (comment:5):

> The simplest workaround would be to use a standard .load() to load all content into the document, then remove whatever content you did not need.

Except all embedded scripts would be executed then, right?

Changed April 28, 2012 03:33PM UTC by dmethvin comment:7

If there are scripts, yes. The only other solution I could think of involves appending the holding div to the body but that would cause reflows and it doesn't seem worth it for a rare case. Any other possibilities?

Changed June 11, 2012 11:01PM UTC by dmethvin comment:8

resolution: → patchwelcome
status: assigned → closed

This is probably best done as an app-level workaround, but if anyone has good ideas about how to fix it in a general way please get in touch with us.

Changed June 23, 2012 01:41PM UTC by dmethvin comment:9

#11928 is a duplicate of this ticket.
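
An app-level form of the workaround suggested in comment:5, with the script caveat from comment:6 noted in the code. This is an added example, not code from the ticket or from jQuery; the function name `loadFragmentViaFullLoad` is hypothetical, and it assumes `$target` wraps a single element that is already attached to the document.

```javascript
// Added example (not from the ticket or from jQuery).
// Workaround from comment:5: call .load() WITHOUT a selector, so jQuery puts
// the response straight into the attached target element instead of parsing
// it in a detached div, then keep only the wanted fragment.
//
// $target  : jQuery object wrapping ONE attached element (assumption)
// url      : same-origin https URL with NO " #selector" suffix
// selector : fragment to keep, e.g. "#fragmentToLoad"
// done     : optional callback(keptCount, status)
function loadFragmentViaFullLoad($target, url, selector, done) {
  if (/\s/.test(url)) {
    // .load() treats everything after the first space as a selector, which
    // would send the response through the detached-div path again.
    throw new Error("url must not contain whitespace or a selector suffix");
  }
  $target.load(url, function (responseText, status) {
    var $keep;
    if (status !== "success" && status !== "notmodified") {
      // Request failed: nothing was inserted, so leave the target untouched.
      if (done) { done(0, status); }
      return;
    }
    // Caveat from comment:6: any <script> in the full response has already
    // executed by now, because the whole page was inserted.
    // detach() before empty(): empty() would destroy the nodes we want.
    $keep = $target.find(selector).detach();
    $target.empty().append($keep);
    if (done) { done($keep.length, status); }
  });
  return $target;
}

// Usage in Foo.html (only runs where jQuery is present):
if (typeof jQuery !== "undefined") {
  loadFragmentViaFullLoad(jQuery("#content"),
    "https://www.mydomain.com/staging/Bar.html", "#fragmentToLoad");
}
```

Because the full response is parsed in the live document, only use this with target pages whose scripts you are willing to run in Foo.html.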