IE warning message box "this page contains both secure and nonsecure items" when applying "Simple" theme on a SharePoint site protected with HTTPS

This incident happened the other day… One of my counterparts on the SharePoint admin support team asked me a question regarding a strange happening in SharePoint (or should I term it “puzzle” instead of “question”?). Well, the way he sounded, I felt like he was going to ask a question similar to what my 6th grade teacher did (which was so difficult that I failed 🙁). Luckily, it was about something broken in MOSS 2007 (again the Gods stood by my side).

Well, this was what he showed me… This dude had a MOSS site that was unnecessarily protected with SSL (I asked him why – the answer was that he had set it up for scenario testing) and when he tried applying the “Simple” theme – BOOM!

Warning: This page contains both secure and nonsecure items

IE didn’t seem to like it too much and showed us its dislike in the message box shown above. Well, he turned to me with a “glowy” look in his eyes (glowy – you know that kind of look when you think you have achieved something really big and you are very, I mean really very proud of it). But actually, he wanted help in figuring out why the heck IE complains about this particular theme, while the others are fine. And I, as the more-than-willing-to-help dude I am, went ahead to find out why this is the case.

Themes are groups of CSS & script files located at: <InstallDir>:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\THEMES. I opened the “SIMPLE” folder that defines the simple theme for MOSS. Opened the theme.css file inside it and did a simple file compare against another theme.css file of another theme definition. That moment was like uncovering a “hidden relic” when I figured the following:

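.ms-topnavselected {
/* this rule carries one of the two hard-coded http://localhost/ references in the shipped file */
border:solid 1px #bfbfbf;
border-left:solid 1px #fff;
}

.ms-topNavHover {
/* this rule carries the other hard-coded http://localhost/ reference */
background-position:bottom left;
border:solid 1px #ebebeb;
border-left:solid 1px #fff;
border-top:solid 1px #fff;
}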
Well, I would say a simple hard-coding, but a costly one 🙂 (if I can also add that). I removed the hard-coded values and asked him to apply the Simple theme again on the SSL-protected site, and IE liked what I did 🙂. “There you go, you have a resolution” – I told that fella. That guy frowned at me as if I had said something that’s totally banned!! Yes, kind of – I mean, modifying out-of-the-box files isn’t a supported scenario (as I always do, here you go: 898631. I know it’s a bit boring to see this KB referred to again and again, but I kid you not – you will know its importance after you do something like that and create a support ticket with MS support 🙂). “So we are stuck now?” – he asked. “Who said so? I think we can have a hack for this scenario” – was my response. I gave him the logic and showed him how to get this fixed without getting the customer into an unsupported scenario. See below:

1. Navigate to the THEMES folder.

2. Create a copy of the SIMPLE folder to a different location and name it SIMPLE.

3. Open SIMPLE folder that you have copied to a new location.

4. Edit SIMPLE.INF file following the steps below:

a. At the info section, verify the title is SIMPLE.

b. Change codepage to something like 10000.

5. Open the theme.css file in this folder.

6. Search for http://localhost/ and remove it from the two places shown above.

7. Go back to the THEMES folder and rename the existing SIMPLE folder to something like SIMPLEBAD <BAD: Broken As Designed> 🙂.

8. Copy the new SIMPLE folder where you have modified the theme.css files onto the location: <InstallDir>:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\THEMES.

9. Do an IISRESET because “they” say so and that’s it!

Well, the customer was really happy with the resolution we provided for this support incident. He just felt this could perhaps have been prevented by a little care 🙂

Watch out for more interesting “support incident encounters”.
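A way to find hard-coded http:// image references like the ones described above in every theme's CSS, and to apply the step 6 edit to a copied theme.css. This is an added example, not part of the original post or of SharePoint. The sample CSS is constructed: the `background-image` property and `example_hover.gif` are assumptions, and only the `http://localhost/topnavselected_simple.gif` URL appears on this page (in a reader comment).

```python
import re
from pathlib import Path

# url(...) values that use the plain http scheme; on an HTTPS page these are mixed content.
INSECURE_URL = re.compile(r"""url\(\s*['"]?(http://[^'")\s]+)['"]?\s*\)""", re.IGNORECASE)

# Constructed sample modelled on the two rules discussed in the post.
SAMPLE_CSS = """\
.ms-topnavselected {
background-image:url("http://localhost/topnavselected_simple.gif");
border:solid 1px #bfbfbf;
}
.ms-topNavHover {
background-image:url("http://localhost/example_hover.gif");
background-position:bottom left;
}
.ms-banner {
background-image:url("banner.gif");
}
"""

def find_insecure_urls(css_text):
    """Return (line_number, selector, url) for each http:// url() reference."""
    findings, selector = [], None
    for lineno, line in enumerate(css_text.splitlines(), start=1):
        if "{" in line:  # remember which rule we are inside
            selector = line.split("{", 1)[0].rsplit("}", 1)[-1].strip()
        for match in INSECURE_URL.finditer(line):
            findings.append((lineno, selector, match.group(1)))
        if line.rfind("}") > line.rfind("{"):  # rule closed on this line
            selector = None
    return findings

def strip_origin(css_text, origin="http://localhost/"):
    """Drop a hard-coded origin inside url() so the image resolves relative to the CSS file."""
    def repl(match):
        url = match.group(1)
        if url.lower().startswith(origin.lower()):
            return match.group(0).replace(url, url[len(origin):])
        return match.group(0)  # other http:// hosts are left for manual review
    return INSECURE_URL.sub(repl, css_text)

def scan_themes(themes_dir):
    """Map each CSS file under themes_dir to its insecure references (clean files omitted)."""
    report = {}
    for css in sorted(Path(themes_dir).rglob("*.css")):
        hits = find_insecure_urls(css.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(css)] = hits
    return report
```

Run `scan_themes` against a copy of the THEMES folder; after the fixed theme is deployed, re-apply it on the site, as several readers note below.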

    Comments (12)

    1. You might see the following message when you try applying "Simple" theme on a Microsoft Office

    2. RM says:

      Oh man, this had me running Fiddler, and reading every line of source code… I should have realized it was when I applied the simple theme 🙁

      is this fixed in WSS 3.0 SP1?

      I don’t see this in the list of fixes…

    3. sridhara says:

      hi RM,

      unfortunately, no! An easy way to work-around this would be to backup your current theme.css and remove the "http://localhost" section from the file.

      However, what I’ve mentioned in this post is a more appropriate way to work-around this issue.



    4. Martin says:

      Thanks a ton for this info. 🙂

    5. Johannes says:


      i’m getting this error only on site-settings-pages. I’m searching to fix this for a long time – with no luck.

      I fixed the http-Links in the theme.css, did an iisreset – but it's still there.

      If I have a look at the source code of the loaded site with this warning, there's no stuff that is unsecure.

      Are there any other suggestions?

      – Johannes

    6. Griff says:


      Thanks for this solution. I would add two further things for people, like me, who are new to SharePoint

      1) To clarify step 6 :


      should be changed to


      2) It seems that on our MOSS2007 that the theme is cached.  So if like me you still get the error after the above, change the theme back to CLASSIC (or whichever), then change back to SIMPLE again.  Shimples!

      Thanks again!


    7. Frans van den Hurk says:

      Thanks a lot, you saved me hours of desperate searching for the cause of that warning box.

    8. Ivan says:

      Thanks so much. In IE 8 I tried to enable mixed mode, but unsuccessful. Developer decision is the better way. Thanks again!

    9. martin says:

      thanks a bunch, tip for changing theme to something else and back to simple was the missing link for me 🙂

    10. Waqas Arshed says:

      I was stuck at finding the non-secure item on one particular site, while all others were working fine. My first guess was any customization and reference to non secure content by site modification team but they confirmed otherwise. Finally I came across Fiddler which pointed me to http://localhost/topnavselected_simple.gif and a quick search on this led me here. Thanks a lot for the quick fix, it worked for me. Had to re-apply the Simple theme after replacing the CSS.

    11. Aaron F. says:

      How is this not fixed yet after two service packs?! I’m deploying a MOSS 2007 w/ SP2 environment, and ran into this bug. Like "RM", I was going nuts: running Fiddler, inspecting the ASPX and JS files… I finally just removed "all" the content from the site, including the Top Link bar, and suddenly the error went away! Once I had a culprit, I looked through the CSS and found the localhost references…

      At any rate, thank you for addressing the problem, and providing detailed info on the fix.

    12. Josh says:

      How does this not count as modifying out of the box? Surely you should be creating a separate theme for the fixed version in case the Simple theme does ever get corrected by MS?