“This page contains both secure and nonsecure items.”

With one of my larger webapps I have recently been struggling with the following Security Information message in Internet Explorer:

This page contains both secure and nonsecure items.

Do you want to display the nonsecure items?

This, in general, has to do with mixing of content from different security zones in IE, for example Internet and Local, or http and https.

I had my go at Google, and there are indeed loads of sites where this problem and solutions to it have been brought up, but none of these applied to my application.
To sum it up, most solutions consist of checking the following:

  • That all URLs are either consistent (http or https, not a mix) or relative URLs
  • That all iframes or frames written in markup have a src set
  • That all iframes or frames created with JavaScript and added to the DOM have a src set prior to being added
  • That all resources resolve and do not generate a 404 (the 404 page is considered local zone)

After checking all of these off, my application was still throwing the same error, and something I had read a long time ago bubbled up.
IE will treat all images that have a relative src set through the DOM as insecure elements!
Therefore my solution was to create a resourceBase variable that I use to prefix all the previously relative paths.
The simplest way to do this is:

var resourceBase=window.location.protocol + "//" + window.location.host +"/resources/";

Following is a quick example of a function converting a relative path to an absolute one:

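function relativeToAbsolute(_urlToResolve){
    // A path starting with "/" is relative to the host root, not to the current directory
    if (_urlToResolve.substring(0, 1) == "/") {
        return window.location.protocol + "//" + window.location.host + _urlToResolve;
    }
    // Host plus directory of the current document; pathname excludes any query string or hash
    var _path = window.location.pathname;
    var _documentURI = window.location.host + _path.substring(0, _path.lastIndexOf("/"));
    var _lastIndexOf = null;
    // Each leading "../" removes one directory level from the document URI
    while (_urlToResolve.substring(0, 2) == "..") {
        _urlToResolve = _urlToResolve.substring(3);
        if ((_lastIndexOf = _documentURI.lastIndexOf("/")) != -1) {
            _documentURI = _documentURI.substring(0, _lastIndexOf);
        }
    }
    return window.location.protocol + "//" + _documentURI + "/" + _urlToResolve;
}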
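
The checklist above and the relative-src observation can also be run as an automated check over a page's resource list. The following is an added example, not code from the original post: auditResources, the item fields (tag, src, setViaDom) and the example.test hosts are assumptions made for illustration, and the 404 check is left out because it needs network access.

```javascript
// Constructed sample: resources referenced by a page served over https.
// setViaDom marks a src assigned from script rather than written in markup.
const SAMPLE_PAGE = "https://app.example.test/shop/cart.html";
const SAMPLE_ITEMS = [
  { tag: "img", src: "http://static.example.test/logo.png", setViaDom: false },
  { tag: "iframe", src: "", setViaDom: true },
  { tag: "img", src: "../resources/icon.png", setViaDom: true },
  { tag: "img", src: "img/banner.png", setViaDom: false },
  { tag: "script", src: "https://app.example.test/js/app.js", setViaDom: false }
];

function auditResources(pageUrl, items) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const item of items) {
    const src = (item.src || "").trim();
    const isFrame = item.tag === "iframe" || item.tag === "frame";
    if (src === "") {
      // Checklist: every frame/iframe needs a src before it enters the DOM.
      if (isFrame) findings.push({ tag: item.tag, src, issue: "frame-without-src", fix: null });
      continue;
    }
    let resolved;
    try {
      resolved = new URL(src, page); // resolves relative references the way a browser does
    } catch (e) {
      findings.push({ tag: item.tag, src, issue: "unparseable-url", fix: null });
      continue;
    }
    const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(src);
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      // Checklist: no http resources on an https page.
      findings.push({ tag: item.tag, src, issue: "insecure-scheme", fix: null });
    } else if (item.tag === "img" && item.setViaDom && !hasScheme) {
      // The post's IE observation: relative img src set through the DOM.
      findings.push({ tag: item.tag, src, issue: "relative-src-set-via-dom", fix: resolved.href });
    }
  }
  return findings;
}

console.log(auditResources(SAMPLE_PAGE, SAMPLE_ITEMS));
```

In a browser the item list would be built from document.images, document.scripts and the frame elements before calling the function.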

This entry was posted on Monday, May 26th, 2008 at 15:51 and is filed under programming, Uncategorized.