Mixed content and Internet Explorer 8.0


Hi everyone!


My name is Anshu. I am a support engineer in the Internet Explorer Core team at Microsoft. Today in this blog I am going to talk about a change in Internet Explorer 8.0 with respect to a setting related to security zone called “Display mixed content”.


Now to take you back in IE 7 when we go to an HTTPS page that has non-secure HTTP content we get to see a dialog box asking


“This page contains both secure and nonsecure items. Do you want to display the non secure items”


By clicking Yes, I will ask it to display the mixed content.


To Disable/ Enable/ Prompt the “Display Mixed Content”, click on Tools | Internet Options. In the Internet Options dialog, click the “Security” tab. Pick the zone that you want to change the setting for and click the “Custom Level” button. In the Settings area, scroll down to the “Miscellaneous” section and modify the area highlighted in the dialog show below.


clip_image001


..And the dialog which comes in IE 7


clip_image002


The reason for the warning is that you’re on an SSL-secured (https protocol) page that is attempting to load non-SSL (http protocol) content. Something to note is that the dialog does not prompt if you’re on an HTTP page and you request HTTPS URL.


Hypertext Transfer Protocol Secure (HTTPS) is an Application Layer protocol  that is a combination of HTTP and SSL (Secure Socket Layer) or TLS (Transport Layer Security).  HTTPS connections are used for secure transfer of data between the website and the client. Messages are secure since the HTTP message is encrypted via SSL or TLS and then sent on the network/internet. When the message is received by the addressed station, it decrypts the message.


The dialog was changed in IE 8 to encourage users to make the more secure choice by selecting ‘yes’.  Selecting ‘yes’ to the IE 7 dialog resulted in showing both secure and non-secure content.


clip_image004


Note:  Please consider the security implications outlined within the dialog before honoring the dialog request.  The Security dialog is being presented for your information and protection.


We changed the wording of the mixed content (The mixed content refers to HTTP and HTTPS content ) warning dialog to “Do you want to view only the web content that was delivered securely?” The buttons are “Yes/No”.


If you want to display mixed content in IE 8 you should click “No”. The previous versions of IE asked the user “Do you want to display the secure and non secure content?” You click “Yes” If you want to display mixed content.


Well, that’s all for today.  Thank you so much for you time!


Regards,


The IE Support Team

Comments (116)

  1. Anonymous says:

    Hi Brent,

    I have been converting a web app to ssl. Until now it was unsecured and used references to http for shared resources (images, help doc) from a sister domain that we control.

    There is a cert and ssl on both the app server and the sister domain server.

    I can navigate the sister site using either http or https directly without a problem. So the sister site has ssl available but it is not required.

    The web app however requires ssl. All the references from the pages in the web app to the shared resources on the sister domain are https.  

    IE8, however will prompt even though all urls to both domains as I said are https.  I cannot get access without a prompt unless I globally change the option in tools/security/internet etc. It is set to prompt of course.

    Under IE7 and IE6 each with the same option set to "prompt", I am not prompted. The page and all resources load without a problem. IE 7 and 8 seem to recognize that the ssl is available on both domains and open the proper channel where IE8 does not.

    Is this by design? Am I missing something?

    Thank you

  2. Anonymous says:

    I am glad you have this documented but MSFT sure buried the functionality for turning this annoying feature off.  It used to be accessible from the pop up dialog.  It needs to be that now.  The IE help was freaking useless

    thanks

  3. Anonymous says:

    I am using IE7 and on 1 of my computers I enabled mix content and now I don’t get the warning, buton the other computer the warning comes EVERYTIME I change windows inside 1 of the website applications that I use everyday.

    Please email me any thought nikki@myvolo.com

  4. Anonymous says:

    What kind of content will cause this popup to appear.  It seems that href tags won’t, but would a form like this?

    <form name="searchForm"

                                 action="http://help.blah.com/help.cfm&quot;

                                 method="GET"

    target="_blank">

    class="searchButton"

                               onclick="document.searchForm.submit()"/>

                             </form>

  5. Anonymous says:

    Hi! We have a client who wrote that our secure site was insecure. The only reason I can figure for this is the above message that appears in IE8. I do not get a similar warning in Firefox 3 or Safari 4. Viewing the source code of the page I do not see any elements coming from a non-secure source – there are elements with relative URLs but I am assuming that shouldn’t be a problem? So my question is, is there a ways to view which elements IE8 believe are in-secure so that we may correct this? Whether I answer the above message with "Yes" or "No" I do not view and graphic difference with the page.

  6. Anonymous says:

    Thanks a lot for this post …

  7. Anonymous says:

    Hi,

    Am having one expired ssl certification for testing. Just i tried in online i got "Do you want view only…" in IE8. I am using this for my test purpose and i would like to download the content  with out this warning, for this i want  do to ‘off’  this warning.. How can i disable this feature……or  how i can view my content even its ok ……

    I tried with enabling mixed content option in security area….

  8. Anonymous says:

    Interesting post – thanks.

    I have added an https site to my trusted sites list and made the change to settings to display mixed content in the custom level for trusted zone – I still get the error message.

    When I add the display mixed content setting in the internet zone also I loose the error message.

    Any thoughts on why it needs the setting in both zones before it gives the desired result?

    Look forward to your comments.

  9. Anonymous says:

    Is there a way to turn this off for a specific site?  For example, I visit/work on a site many times a day that displays mixed content.  I want to view both the secure and non-secure content but I don’t want this warning popping up EVERY time.  

  10. Anonymous says:

    I tried to do this enable of mixed content for only my "trusted" sites and the prompt does not go away on any of the 3 "Display mixed content" settings. If I go to "internet" rather than trusted sites and enable mixed content displays, the annoying prompt goes away.

    I am running the IE8 that Microsoft downloaded through normal maintenance a couple of days ago. I like the idea behind this but the implementation bug means it has no effect whatsoever. If you want a URL that is innocent and every page gives the mixed content prompt, I can supply it.

    In essence, the URL is always http but puts some well known banner adds on each page which are not secure.  

  11. Anonymous says:

    We are Hosting a HTTPS Site that contains both, https and http Elements. First of all the New Message on IE 8 is a little bit confusing, because the way of Click through has changed from yes to no.

    The thing is that i don’t want to tell all our users to change their IE 8 Settings, but on the other hand i actually don’t want to lose HTTPS Security just to avoid this IE 8 Message.

    My Question: Is there maybee a more reluctant way to give the User this Security Hint? At best without the posibility to crash a Website, by hiding some elements if the User clicks "yes".

    An Example could be the way the Firefox Team handles the same issue. Just showing a Icon with a red exclamation point.

    Best Regards, … and keep on moving.

  12. Anonymous says:

    My company has a Moss site that is published with a Go-Daddy certificate and published through ISA server 2006. We have several webparts that bring up pages from our website so when client and customers hit the site it does not take a long time for the pages to load.

    Note: Our web site is hosted externally but the pages in the webparts are hosted internally on our web server.

    So the check box in IE under advanced tab "Warn if changing between secure and not secure mode"  is unchecked and on the security tab in the custom level under internet Misc "Display Mixed content " is set to enable

    But I still keep getting the security warning. I am using IE 8 and on all of the computer using IE 7 it works but not with IE8.

    Can you help me get rid of this annoying warning everytime I open my browser.

    Thank you,

    Sean Condron

  13. Anonymous says:

    Wow!!  I wish I had never upgraded to Internet Explorer 8!!!!!!  What a mess!!!!!!  Now I am not able to use internet explorer at all.  I was satisfied with my old internet explorer version, but my computer told me that I would need to upgrade.  Yeah, right.  Now I just have a mess!!!!!  I wish I could just go back to Internet Explorer 7.

  14. Anonymous says:

    If you enable "Display Mixed Content" in IE8, what risks might you be opening your system to?

  15. Anonymous says:

    This option, as implemented, might have made sense years ago, but in the present age of hosted applications, especially social networking ones where people include Youtube videos and other such content, it’s very user unfriendly and unproductive. It leaves administrators the choice of turning the option off for all internet sites (because there’s no way to control where a user might link to) or to have users continually hit the "No" option. (And so learn to ignore the warning message even when they see it in other places.)

    A better implementation would be to have it set at the page host level so that the hoster can decide whether the risk, givent the nature of how the site is used, is acceptable or not.

  16. Anonymous says:

    I was not able to prevent this pop up until I added both the http and https version of the site I was accessing to my trusted sites. Now if I trust the site shouldn’t this be disabled??? The site I had issues with was my companies corporate forums. I doubt they werre trying to bypass any security with HTTP and even though I saw no HTTP links this warning not only occurred but caused IE to constantly report "errors on page" which somehow prevented some of the page features such as linking. Once I added both HTTP and HTTPS versions of my site to the trusted sites and changed the default option from prompt to allow it seems to be OK.

  17. Anonymous says:

    NOTE TO DEVELOPERS: I’ve been trying to solve this issue with a new web site of ours and the problem, it turns out, is the CODEBASE of the <OBJECT> tag for the Flash player.  All of our images/scripts/stylesheets/etc. were secured via HTTPS, but the codebase wasn’t so IE8 was giving the security dialog.

    Simply change the codebase from "http://…" to "https://…" and that [one] issue will go away.

    -john

  18. Anonymous says:

    this message is super f&^&^ annoying and going to make me never use explorer, except for netflix, where i have to.

    make explorer secure, so we can’t get viruses, instead of giving us warnings that it doesn’t work. safari and opera don’t have these problems.

    you probably pay the hackers to invent the stuff anyway.

  19. ahmelmahay says:

    Hi I am running Vista Premium and ever since i installed the IE 8 update i cannot load my facebook page. if i type HTTPS i can then load but still have some problems with it. if i use Opera browerer it loads fine. my sister has the new windows 7 (not an upgrade) and she has IE 8 by default and she is having the very same problem as me. does anyone know of a way to resolve this. any help is greatly appreciated…..Joe

  20. Anonymous says:

    Thank You Anshu!  You Help in that annoying message is Greatly Appreciated!  

    John Pferdehirt

  21. Anonymous says:

    This warning box is utterly freaking useless and impossible to solve. I have a page using JS to load a video player. I converting EVERYTHING to https and everything lives under the SSL protected domain.

    Yet, this warning message pops up in IE8 every freaking time.

    Why is junk like this even included in your products? Why do you make it hard to have any fluid interaction with your software Microsoft?

    Just lame with a capital USELESS

  22. Anonymous says:

    Hey,

    I set the option to enabled, I even verified that the option 1609 in HKCU/…/Zones/2 (for trusted sites) is set to DWORD "0"

    but I still get this anoying prompt every time I click on a link on my SharePoint site.

    This problem only occurs on one computer but its working on all other computers with the same site, same operating system, same browser.

    I already re-installed IE 8 on Win7

    Any ideas?

    Greetz,

    Florian

  23. Anonymous says:

    This is worded just as badly:

    "The dialog was changed in IE 8 to encourage users to make the more secure choice by selecting ‘yes’.  Selecting ‘yes’ to the IE 7 dialog resulted in showing both secure and non-secure content."

    Why not admit it?

    "It’s totally the opposite now, and this is going to be really confusing for your users.  Your helpdesk staff better get ready for this, the next few months are going to be a living Hell."

    Congrats, our recommend browser is now Firefox.

  24. Anonymous says:

    Where do I find this setting box?  I have clicked on the "SETTING" tab on GMAIL and get a laundry list of other tabs. I have looked in each tab but haven’t found anything that offers "MIXED" anything.  Oh, and by the way, I am computer illiterate so I need step by step instructions on where to go to find this setting tab and what I need to change.

  25. Anonymous says:

    Thank you so much for taking the time out of your day to help me.

    It works fine now, bless your heart!

  26. Anonymous says:

    Worked a treat, many thanks :o)  Need more people like you!

  27. Anonymous says:

    Thank you so much. Simple to follow instructions (I am computer illiterate) and they worked!! You are a Godsend and I am extremely grateful.

    Thank you.

  28. Anonymous says:

    I tried Anshu’s recommendation (for my original posted question) and multiple options around it. Nothing worked! I finally went back and uninstalled IE 8 and reinstalled IE 7 and I’m getting most of my images displayed now. It ain’t perfect but then it’s another sloppy Microsoft program.

  29. Anonymous says:

    Webpages will not open on my email.  Mixed content is checked.  They used to always open and nothing has changed on my computer.  WHAT GIVES?

  30. Anonymous says:

    I need some advise. I can no longer see the pictures that were part of all the emails I used to get from different vendors. I used to be able to see the pictures of clothing or people. The only thing I see know is writing. What can I do to fix this?

    Evelyn

  31. Anonymous says:

    Thanks for the info but i was already on enable in this option and i still cant get the pictures to show when clicking on the show pictures button.  What now.

    Freddie

    beadsnstuff@gmail.com

  32. Anonymous says:

    Freddie Again

    I was mistaken, it was on prompt and i had switched it before to enable but now when i went to look at it, it was back on prompt.  I tried switching it again to enable, then click "reset" and it takes me back to the top of the page and when i scroll down, it automatically went back to prompt.

    Why

  33. Anonymous says:

    Freddie ONce Again

    Well not being very puter literate, little did i know RESET meant reset back to the original settings thus wipping out my change to enable.  I have switched to enable and didnt dit reset and it now works. thanks

  34. Anonymous says:

    Still not working.  Maybe I am too much of a novice, but the lengthy explanation did not help at all.  I just want to be able to see images in my email again!!!!!  Even when I click to show images—-THEY DON’T SHOW UP!!!

    This is terribly annoying.  Reminds me of ancient email when no images were availble.  Why can’t someone at Gmail help?

  35. Anonymous says:

    Same problem as others have reported.  "Suddenly" unable to display images in emails, even after clicking on "display images." Problem began a couple or weeks ago, and hasn’t "resolved itself." I’m another computer illiterate, so….

  36. Anonymous says:

    I have the same issue with my gmail account. Can’t see images in the emails, even if you click "display images" or "always display images"

    It just started recently for me also. The only thing I can think is there must have been a change in the IE 8 system that was automatically downloaded through a windows update or something. I have not changed anything on my pc, but now I can’t see the images. Its frustrating because some of the emails I need from companies I work with…I can’t read. I hope someone can fix this, or let us know how to change our system to make it right. Enabling mixed content did NOT work.

  37. Anonymous says:

    This was not an answer to my question.  I want to know why I can’t view graphics in my email.  

  38. Anonymous says:

    I’ve experienced the same problem. Am not upgrading to IE8. I cannot see any graphics on gmail. What is up with that? Nobody has given an answer that works for me. Has anyone else found a solution? Maybe I’ll just have to switch from gmail…hate to, but might have to to solve the problem.

  39. Anonymous says:

    Worked for me….let’s see for how long!!

  40. Anonymous says:

    Under "Tools", select "Internet Options", then "Security Settings", select "Custom Level", "Settings", scroll down to "Miscellaneous", to "Display Mixed Content", select "Display"(not "Prompt"!).

    Worked for me like magic!

    (Hard to follow, unclear instructions from the Microsoft support person above… – I had to guess hard what he meant…)

    Good luck!

  41. Anonymous says:

    In the instructions above, I meant: select "Enable" (not "Prompt"):)

    Corrected sentence:

    "Under "Tools", select "Internet Options", then "Security Settings", select "Custom Level", "Settings", scroll down to "Miscellaneous", to "Display Mixed Content", select "Enable" (not "Prompt"!)."

  42. Anonymous says:

    this post had absolutely nothing to do with why my images are not displayed in gmail.

  43. Anonymous says:

    I unable to see images in my gmail….I have to see all my emails on internet rather than seen them on gmail…….even weeekly catalogues for shopping, i unable to seee…..plz help….my email is smart.wellid@gmail.com

    I try

    "Under "Tools", select "Internet Options", then "Security Settings", select "Custom Level", "Settings", scroll down to "Miscellaneous", to "Display Mixed Content", select "Enable" "

    everything, but no difference, today is 6th feb 2010

  44. Anonymous says:

    I wasn’t getting any pictures in my emails, just little squares changing this setting and restarting my computer worked, thank you

  45. Anonymous says:

    Fix doesn’t work ..tried it many times ..IE 8 Win 7 64 bit.

    C’mon Microsoft, get your acts together.

  46. Anonymous says:

    I posted a question at 6 PM EST today regarding issues with message downloads in gmail. I am new at this, but so far I have not seen it posted. But in the mean time I have received an email from "do not reply" suggesting enabling the mixed content in IE Security settings. Unfortunately, this has made no difference. I want to thank the responder, but the issue remains unresolved, and I hope that this comment will appear in the Help Forum content, as well as my original issue posted earlier today. Thanks

  47. Anonymous says:

    I do see my question posted at 5:57 PM. But my comments are appearing in different dialogs from the one with the question

  48. Anonymous says:

    I am a faculty member at a community college and we are having no end of trouble with this "new" feature, because it runs counter-intuitive to what our students have been doing for years. The "mixed content" is coming from our own domain and they don’t read the message carefully enough to realize it is asking if they do NOT want to view it. They are used to being asked if they DO want to view it. It took me 3 attempts to realize what it was actually asking. It should be changed back to what it was before.

    In my opinion this idea was so bad that the developer who thought it was a good idea should lose his job.

  49. Anonymous says:

    I am trying to see all of a web page http://www.abrames.com on the left hand side of the home page there are 5 hypertext headings – I can’t for the life of me get these to appear on one of of PC in the office.  Can you help PLEASE.  I have tried the ‘display mixed content’ enable – nothing.   I don’t even get a prompt asking to display what is not showing.  Thanks for reading

  50. Anonymous says:

    Two questions for those who are mentioning Safari and Opera:

    1. What about Firefox and Chrome?

    2. What does it mean that these browsers don’t have this problem? Isn’t it preferable the way IE handles it — to warn the user that there is non-secure content on a page that is supposed to be 100% secure? I mean, what’s the purpose of having supposedly secure pages at all, if non-secure content can slip past without any warning? I’m sure there’s a good answer, but I’m just confused.

  51. Anonymous says:

    I keep getting the same problem!! This is totally useless! Now I know why everyone is on the other sever, by the time you get done downloading all of the securities and other needed downloads I still am not sure I am secure!! WHO WAS THE IDIOT THAT SET UP THIS NEW AND IMPROVED JUNK!!!

  52. chiphouse2000 says:

    Unfortunately we have a big problem with the way IE8 is interacting with Gmail, which recently rolled out an option to "always use https."  http://gmailblog.blogspot.com/2010/01/default-https-access-for-gmail.html

    Microsoft trained us for years to click on "yes" and now we’re supposed to click on "no." Millions of IE8 and Gmail users will be confounded by this and never see images in their emails again. Certainly unintended consequences…. help please!?

  53. Anonymous says:

    This was very annoying and I’m glad to have found this page. At home I only use firefox, free, secure and easy to use. The reason I don’t use explorer is the ANNOYING useless popups.

  54. Anonymous says:

    When you go on:

    https://blogs.msdn.com/askie/archive/2009/05/14/mixed-content-and-internet-explorer-8-0.aspx

    That must be the same page a this you are looking now !

    This page is not secure 😉

    I understand now General Motor that say in the passt , i will never integrate the Microsoft OS, lot off unsafe 😉

    Thanks for this nice warning that give really right information about reallity 😉 , all images on this page are unsafe content , 😉 really good function that take lot off concept and programming time for nothing other disturb the user about wrong information .

    Thanks.

  55. Anonymous says:

      we have been converted a web app to ssl. Until now it was unsecured and used references to http for shared resources (images, help doc) from CDN(i.e., remoter server).

      web page is not displaying in IE, it seems it unable make http calls.

     help please…

  56. Anonymous says:

    None of what you wrote shows up when I go to >Tools>IN Options>security>  I can’t tell if this computer is IE7 or IE8.  BUt I can not see all of the pics in all of my email on gmail.

  57. Anonymous says:

    Thanks. The change of settings worked. Am able to view images in my email now.

  58. Anonymous says:

    If mixed content is such a problem then all media streaming services should require the end user to positively accept all media, whether ssl encrypted or not and all http and ftp requests should as well.  SSL was and is designed to encrypt content to and from clients and servers with an authenticated handshake.  For the record cached records, via either http(s), java, xml, asp etc… are just as likely to contain content that upon a reload can execute robots or trojans.  I don’t claim to be an expert but this sounds more like trying to kill the horse in order to prevent a possible problem.  It seems to me that if you desire absolute security you should not own a pda, computer, phone or any other device where a programmer can load code.  Good luck with that.  By the by there are several security packages out there that run client level screening on ported web services.

    With the explosion of bandwidth and non technical user interaction with web development and use it would be wise for all distributed traffic to be tunneled through ip security servers, much like the powers that be do today to monitor the net.  What a concept.

    jjek

  59. Anonymous says:

    Maan that is so cool!! I ‘ve been struggling with it for a while now!! thank you so much!!!!

  60. Anonymous says:

    Anshu although it was great that you explain how to turn it off and how you improved the language, still that dialog box is being a nigthmare for all of us developer of internet applications.

    I understnad the pressure Microsoft has to make their products secure, I was a Microsoft employee, but really when iut stats affecting every single provider of applications, you have to realize that you need to change.

    Ideally you should by default have it the warning off and then instruct users ot turn it on.

    in our case, we provide full private label sites to a large number of partners and most have htier moian site using http. Our application is all in HTTPS due to secure nature of health information. So the only way to integrate with thier exisiting site is to use iFrame, which is painfull once it adds scrollbars. It can not deal with automatically scrolling its length to accomodate dynamic pages.

    SO PLEASE PLEASE PLEASE TURN OFF AS DEFAULT THAT ANNOYING MESSAGE!

    Thanks

  61. Anonymous says:

    Hi, I have a lot of sites mix together which build up with asp.net, and for some reason I have to change one site into https(others not). And every time on visiting this https site will give me a prompt on showing insecuring things(elements from other http sites). And most of all, I don’t want to notify users which visit this site to change their IE settings or just let them to click y/n every time, so my question is is there a way or shortcut to avoid showing this message and do not change other http sites to https?

  62. Anonymous says:

    Does Anshu ever respond to these blog postings.

    I have set the internet options to enable mixed content. I still get the irritating pop-up.

    How does one configure IE 8 to stop doing this?

  63. Anonymous says:

    Why do the people who make these products, in this day and age, assume that every person using a computer is an engineer?  I have a Ph.D. in Molecular Biology (so, I will not brook any nonsense from someone who dismisses dissenters as Idiots), and I have used computers extensively – but the operative term is "used".  Not "Fixed", not "written code" etc.  But I cannot, for the life of me, fathom why I have to attend to my computer like it is a bloody electronic pet.  I want it to just lie there unobtrusively, and do my bidding when I need it to.  Yes, it is possible, by and large.  I do not need 10 pop-up balloons to tell me that my USB drive was recognized.  I assume it will be.  And that it will just sit there quietly and be accessible when I need it.  

    In this specific instance, if the warnings do not make sense to me, what kind of a security measure is it if the ultimate decision to enter a site is mine?  Repeatedly clicking on "allow" does not make it any safer – it only shifts the blame from the software makers to the end-user.  If I enter a site into the trusted list (okay, I grant that I need to be involved in some way to protect myself), in my particular case it was my University’s email server, why do I get 10 identical warnings before I can access my email?  

    So, my suggestions to fix this problem – Use Firefox.  Or, as I am getting more and more tempted, switch to Macs (For in that switch what other problems may come, When we have shuffled off this personal computer, Must give us pause: there’s the respect. That makes calamity of our digitial dependence)

    And while we are at it, Vista, some nerdy 20-year old kids school project, absolutely sucks.  And so does the complete revamping of the Office products.  IF someone wants to truly improve these things, here is a tip – talk to your savvy mom or grandmom and ask her about the difficulties she has with the computer (especially if you are not there every weekend to fix the darn thing).

    V.K. Viswanathan

  64. Anonymous says:

    Thank you so much, this fixed my problem!

  65. Anonymous says:

    Hi,

    My Name is K.Prabakaran.

    My Html content is below. its is a dotnetnuke size widget object.

    <object id="SizeWidget" codetype="dotnetnuke/client" codebase="StyleSheetWidget"

                   declare="declare">

                   <param name="baseUrl" value="/snapev2A/Portals/_default/Skins/MinimalExtropy/css/variations/" />

                   <param name="template" value="&lt;div title='{TEXT}’ {ID} {CLASS}&gt;&lt;/div&gt;" />

                   <param name="default" value="width1024" />

                   <param name="Width 1024" value="width1024" />

                   <param name="Width 1280" value="width1280" />

                   <param name="Full Width" value="widthfull" />

               </object>

    When i validate via WCAG told that object tage have element content.

    So i put like this

    <object id="SizeWidget" codetype="dotnetnuke/client" codebase="StyleSheetWidget"

                   declare="declare">

                   <param name="baseUrl" value="/snapev2A/Portals/_default/Skins/MinimalExtropy/css/variations/" />

                   <param name="template" value="&lt;div title='{TEXT}’ {ID} {CLASS}&gt;&lt;/div&gt;" />

                   <param name="default" value="width1024" />

                   <param name="Width 1024" value="width1024" />

                   <param name="Width 1280" value="width1280" />

                   <param name="Full Width" value="widthfull" />

    Loading….

               </object>

    Now check again it passed the WCAG verification. but the image does not show image in IE. But in Firefox it shows the image.

    Can you give me the solution for this..

  66. Anshu_vas says:

    Once again: Mixed Content warning comes when web developer references an insecure (http) resource within a secure (https) page.

    Preventing Mixed Content Warnings (for web developers)

    One trick which might be useful is to use protocol-relative hyperlinks, of the form “//example.com/image.gif”.  

    Additionally, In IE8 and below, the following SCRIPT tag will cause a mixed-content warning:

    <script type="text/javascript" id="contentloadtag" defer="defer" src="javascript:void(0)">

    If you simply remove the SRC attribute from this tag (since it’s not performing a download), you will find the problem goes away.

    You can use fiddler web debugger to troubleshoot the problem. It will show the list of HTTP requests. Eliminate the use of those HTTP URLs.

    For more details on the Mixed content (HTTP and HTTPS) refer the following blog:

    http://blogs.msdn.com/ieinternals/archive/2009/06/22/9797918.aspx

  67. Anonymous says:

    There are some great questions on here, but I don’t see the answers to them, are there answers posted somewhere else?  I too would like to know – If I choose "Enable" the mixed content, what kinds of threats am I opening myself up to?  Also, the IE7 Security Warning message says, "This webage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage."  That "could compromise the security of the entire webpage" thing makes me nervous.  That makes it sound like the non-secure content would be more than just sitting on top of the secure content but could actually somehow put a "hole" in the secure socket layer and expose my data.  Can you help me understand this?

    Finally, I also want to know the answer to the question about whether you can enable mixed content on only certain pages.  It would be VERY helpful if there were an option to add specific sites like you can in the privacy settings for Popup blocker and in the security settings for "Trusted Sites."  

  68. Anonymous says:

    This problem makes Outlook Web Access unusable, I'm surprised no one else has mentioned that.  I've tried all the "fixes" with no change.  I've delayed upgrading our Exchange server but now I'm looking for a different email solution.  I wonder if Microsoft knows they are losing business over this "feature".

  69. Anonymous says:

    Hi – We have a MOSS Portal and I use FireFox – I only recieved the mixed mode dialog once, but as Nikki mentioned above, several IE8 browsers display it every time, despite changing the config to 'Enable' to 'Prompt'?

  70. Anonymous says:

    Tanks a lot, your advice saved me hours of toying with the settings to remove this annoying warning message.

  71. Anonymous says:

    YES!  This works beautifully!!!!!  Thank you.  Thank you.  

  72. Anonymous says:

    To turn this annoying security prompt off, Go to IE, Tools, Internet Options, Security, Custom Level,scroll down to "Display Mixed Content", and then DISABLE it. Restart IE."Prompt" is the default setting.

  73. Anonymous says:

    Just what I needed, thank you!

    Might be nice in a future update, like someone said, to have a check box on the prompt that says, make this my default…

  74. Anonymous says:

    The PM that decided to do this clearly had the wrong hat on for the day… let's opt for a worst default experience… for a feature that 95% of the world doesn't understand

  75. Anonymous says:

    I have kids that use this computer. I don't want them to get inappropriate images. Does this change work only for my Gmail?

  76. Anonymous says:

    Differently on TOP 10 of Microsoft's STUPID features of providing fails sense of security.

  77. Anonymous says:

    Hi

    Thanks for this information. I have changed in my system but can you say how to resolve this problem to the users who are using my website. Please help me.

    Thanks.

  78. Anonymous says:

    Hi,

    thanks for this post.

    Is there a way to check out the unsecure content url(s) of a supposedly secure https page? IIS log / Internet Explorer tab of the Event Viewer… Anything else?

  79. Anonymous says:

    Thank you so much. Yo fixed my problem The screen was so annoying. I am going to college on line and this was a distraction!

  80. Anonymous says:

    I cant see my photo come up as it should do – can you suggest anything?

  81. Anonymous says:

    As many have noted, the ultimate fix is to just move over to a standards-compliant browser (eg, Firefox, Opera, Safari, etc.). For Marty Goehner, I would suggest Apple. They are the closest thing in the industry to having a "ready when you are" computer that you can get. No, I don't own them or sell them or service them. But I positively drool over the ease at which friends that do own them spend their time thinking about their work instead of sweating the latest upgrade and subsequent changes to the user interface (eg, nerdy error messages about what kind of domain the icon file was loaded from) not to mention the quantum leaps in bloated code to support silly features.

  82. Anonymous says:

    Matthew the Web Developer,

    Your <img> code example could be exploited on a secure page by a man-in-the-middle attack using an exploit that targets the processing of a GIF file at the application or operating system level.  

    This type of vulnerability has already been found and used in exploits in the past, so it is not a purely theoretical threat.

    Serving the page over HTTP would allow anyone in-between the the http://www.mydomain.com web server and the browser client to replace the expected graphic with a graphic containing the exploit code.  

    Using HTTPS would prevent this injection from being possible.

    It's not a security blanket, but it IS one more layer of security on an inherently insecure Internet.

    That being said, I agree that is should be easy for a user to check a box that says "Don't display this warning for this site again" and be done with the annoying box.

  83. Anonymous says:

    I have tried all of the suggestions in order to view images forwarded to me. I changed the mixed content to enable. I click on view images. I tried firefox to see if it was IE causing the problem. Nothing worked! It's really frustrating! This was in my email today and again no image:

    http:///?ui=2&ik=a14d0a18e2&view=att&th=12dce04591d98d3e&attid=0.1.1&disp=emb&zw

  84. Anonymous says:

    Sue, the URL in your example has no domain name specified in the URL (see the three consecutive slashes after 'http:'?), which is why it isn't working.  It isn't a matter of being mixed content, it's a matter of having an incorrect URL.

    http:///?ui=2&ik=a14d0a18e2&view=att&th=12dce04591d98d3e&attid=0.1.1&disp=emb&zw

  85. Anonymous says:

    Very detailed explanation, THANKS MS man and MS for giving for the time or position to provide this service.

    There needs to be a simailr explanation for correcting the GMAIL messages that substitute Boxes with Xs in them instead of images (logos etc.) in email.

  86. Anonymous says:

    Hi,

    Have encountered with problem while displaying the image sent through an email, when it is being opened with mozilla, chrome etc its working fine, where as with internet explorer 7, the image is not displayed as per its regular size, rather the image is dragged. Kindly if someone has a solution to this issue, pls send a mail to cheeku_scorpion@yahoo.com

    Thank u

  87. Anonymous says:

    Thanks so much for posting this. My email, which is also my homepage, has this popup everytime, and I wasn't sure where this setting was.

  88. Anonymous says:

    Anybody know how to create a script that will automatically enabled the Display Mixed Content for all the 3 Security Settings (Internet, Local Intranet, and Trusted Sites)?  Thanks

  89. Anonymous says:

    WOW!!!!! Thank you soooo much!!! This has been driving me absolutely nuts!!! I can FINALLY read my emails!!! You are a LIFESAVER!!! Thanks again!!!

    Thank you thank you thank you so much!!! I cannot thank you enough!!!

  90. Anonymous says:

    happy to see it helped so many people

  91. Anonymous says:

    Any suggestions on how to recognize when IE's buggy behavior on SSL detection is causing this to show up? I launched fiddler and saw that everything on the page is loaded via SSL, but IE still displays the warning. Similarly, all other browsers have no such warning, and debugging tools in firefox and chrome show that all resources are loaded via SSL. Sounds like IE7/8 have a bug present where in some cases it erroneously reports mixed content.

  92. AxelRMSFT says:

    @Harlan

    Do you have the url you are seing this behavior in IE and what is the OS version?

    Ref:

    Internet Explorer 8 Mixed Content Handling

    msdn.microsoft.com/…/ee264315(v=VS.85).aspx

  93. Anonymous says:

    Internet explorer is one the most complicated, frustrating browsers around, it causes so many many problems. Hence why Chrome and Firefox are so popular

  94. Anonymous says:

    Just as a heads up. If your site is in the intranet zone, the intranet zone settings won't actually take effect unless the Internet zone setting is set. Makes no sense, but that's the only way it works.

  95. AxelRMSFT says:

    @Michelle

    Chrome and Firefox popularity is base on users that wants a loosen security approach. Out of the box, Internet Explorer does offer a more secure browsing experience. Also, when you compared browsers, you want to make sure that you are comparing apples to apples and not an old version of IE against the latest FF or Chrome. IE10 is the right choice windows.microsoft.com/…/download-ie

  96. Anonymous says:

    Hi,

    I need your suggestions…

    In my application, a custom HTML page displaying image, the image with size greater than 28kb is visible in IE 9.0 but not in IE8…

    Any fix u got for the issue.

    Thank you.

  97. AxelRMSFT says:

    @ Preethi

    This may not be the best forum to post this question. You may want to try also provide your site url so, we can take a look at when posting :-).

  98. Anonymous says:

    Thank you so much Anshu, very very helpful and easy to understand suggestion  

    (change in Internet Explorer 8.0 with respect to a setting related to security zone called “Display mixed content”. )

  99. Anonymous says:

    I cannot get that pop up message to stop displaying  I have IE 8 and am using  Sharepoint pages – I had  done the disable mixed content for allt he zones  trusted intranet and internet – what could  be is causing this

  100. AxelRMSFT says:

    @ IE*and SharePoint 2010 web page

    You must understand what your SP web pages are doing. A Network Trace or Fiddler may aid in figuring out what the web pages resources are doing / coming from that may trigger the Warning.

    You may want to start by understanding what the setting does:

    Mixed content (HTTP and HTTPS) refer the following blog:

    blogs.msdn.com/…/9797918.aspx

  101. Anonymous says:

    The only work around I have found to the security popup window is to host all your content in a https (SSL) environment with no outside links to anything else unless the content is also in a ssl environment.   I do not have the luxury of making the browser modifications mentioned in this blog so I have been pulling in content from a website into Sharepoint making sure the content resides on an external ssl site and works like a charm…..no popup.    Not sure if this helps but …..solved some of the issues I had…. for what its worth.

  102. Anonymous says:

    This works fine under all users but the ones that cannot select internet options because of group policies how do you change them when they can't access internet options?

  103. Anonymous says:

    Great, got rid of the pesky popup thank you!!!

  104. AxelRMSFT says:

    @  Deb  

    If you are using a GPO, then you have to edit the GPO to manage the setting. Even if you are able to change it from the registry, these setting will come back when the policy is refresh.

    To learn about GPO, you can visit the online GPO reference page: gpsearch.azurewebsites.net/default.aspx

  105. Anonymous says:

    E mails in Internet Explorer 8 were not displaying pictures or graohics, logo's etc

    This Solutition soved the problem for me  (i.e :go to internet options, security, custom level and alter display mixed content to enable.)

    Many thanks to Anshu for this!.

  106. Anonymous says:

    I followed the instructions you gave and the pop up STILL comes up. It is virtually constant. Please advise.

  107. AxelRMSFT says:

    @Jane M

    What is the popup and what version of Windows and IE are you running?

    Are you in a controlled environment?

    If you are still using IE8, we strongly suggest updating to IE11 and if your application are not compatible with IE11 use the IE11 Enterprise Mode GPOs and see if the application works as expected.

    See the IE11 EMIE blog.

    blogs.msdn.com/…/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx

  108. Anonymous says:

    I have a signalR service running on localhost and javascript from https tries to connect to signalr . Is it possible to disable/enable mixed content programmatically(batch file)?

  109. AxelRMSFT says:

    @Jayant    

    You can turn on or off the mixed content setting for the respective Zone.

    The following article have information about the zone settings including mixed content:

    Internet Explorer security zones registry entries for advanced users

    support.microsoft.com/…/182569

    Look for: 1609     Miscellaneous: Display mixed content *

    GPO: Machine:  gpsearch.azurewebsites.net

             User:        gpsearch.azurewebsites.net

    SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones

    Available Zones:

    Value    Setting

      ——————————

      0        My Computer

      1        Local Intranet Zone

      2        Trusted sites Zone

      3        Internet Zone

      4        Restricted Sites Zone

    ValueName: 1609

    item: decimal: 0 => Enable

    item: decimal: 3 => Disable

    item: decimal: 1 => Prompt

  110. Anonymous says:

    @AxelRMSFT, I did this setting for my IE10 but no luck.

  111. Anonymous says:

    That was greek talk. Not plain English.

    As to another problem. When I click on an email address link in IE, IE erroneously defaults the email address into the IE navigation then sending webpages flying. How do I prevent IE from using the Navigation, vs actual Email ? Thanks

  112. AxelRMSFT says:

    @Shan    

    Do you know what zone is your site loading under and can you provide the url to the site if happens to be a public site?

    you can open your site and then got to the File / Properties option to find out what zone is your site loading under.

  113. Asim Karim says:

    Thank You Sir My Peoblem Is Solve

  114. Dilip says:

    Hi,

    I am working on a web application which use an ssl security, now my application internal calls some components which are based on http and i am getting warning for only secure content displayed.  I had added the ip of these components to trusted sites list as well and i had marked display mixed content to enable (by changing 1609 value from 0 to 1 for zone 2) also, still i am getting this warning, when i am setting 1609 as 0 for internet setting that is 3rd zone if i am right), then i am not getting this warning, but i want to avoid this warning only for my these trusted ip address. can anyone help me out…i,ll be very thankful to you.. thanks in advance.

  115. John Devlin says:

    I am getting these stupid, obnoxious and objectionable “security warnings” when I want to use Channel 4 On Demand to watch Countdown. Why should that provoke a security warning? It’s just sheer stupidity and has got to stop. Also I keep getting a message saying “Datebase file “datebase\pritemp.dbd” is missing, please reinstall advanced systemcare to fix this error.” This is another example of sheer stupidity that has to be removed permanently from my computer.

    1. AxelRMSFT says:

      @John Devlin
      You are more likely dealing with the plugin clode crossing zone.
      Try adding the application URL to the trusted site zone.