So today I had a client call and ask why their site had errors. They had a secure certificate, and IE was giving a popup:
"This page contains both secure and non-secure items. Do you want to download the non-secure items?"
So I pull up the page and check the source, figuring there's some <img src="http://..."> somewhere in there. A ctrl-f later, I see there are no non-secure images. The only things not using https are links to other sites, and some crap in the code ghetto that is the markup needed for a Flash movie. Specifically, I saw:
    <OBJECT classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
        codebase="http://download.macromedia.com/pub/[blah]"
        WIDTH="88" HEIGHT="31" id="PoweredBy_88_31_A"
        ALIGN="" VIEWASTEXT>

    [40 lines of garbage]

    <EMBED SRC="[flash file]"
        swLiveConnect=FALSE WIDTH=228 HEIGHT=287
        QUALITY=AUTOLOW MENU=false PLAY=true
        BGCOLOR=#FFFFFF TYPE="application/x-shockwave-flash"
        PLUGINSPAGE="http://www.macromedia.com/[blah]">
    </EMBED>
So, on Nathan's suggestion, I tried changing this boilerplate mess to make the pluginspage and codebase attributes point to https. That made IE stop throwing the error. I'm not sure why it was downloading things from those URLs (as the error message clearly stated), but now it's happy, and my client's clients are no longer scared to use the site.
But the fun doesn't end there. I took a stress break and ran across a blog entry by Jason about his ActiveX update woes. Apparently to avoid paying licensing fees, Microsoft is changing how IE loads plugins (including flash), and unless developers (developers, developers, developers!) change how they render Flash, the users will be presented with a "Click here to activate this" dialog instead of just showing the flash.
Apparently you have to "activate" a plugin before it will run. More information can be found here: Internet Explorer Eolas changes and the Flash plugin.
Like any good security measure, this can be instantly circumvented from the server (attacker) side. Apparently if you set it up with javascript, then it doesn't need to be activated. I guess there's no such thing as malicious javascript. Microsoft has their workaround: activating ActiveX controls, and the author of the helpful article above has a widely used Flash rendering javascript library that works too, called FlashObject. He's written a few books on flash, and his library looks pretty nice, both hiding the <OBJECT> mess and gracefully degrading to plain HTML if the flash plugin is absent.
Thanks, Microsoft: thanks to your change (and Jason's post) I've discovered a nice open source library to remove a slurry of meaningless markup, but I would really prefer not to have to do your legal work.