flewells

Security warnings & information alerts in IE

Hi there,

I have a new data entry VF page (and Apex Class).  When accessing the page in Internet Explorer, I had been receiving a Security Warning (The current Web page is trying to open a site in your Trusted sites list.  Do you want to allow this?).  I added https://c.<servername>.visualforce.com to my Trusted sites, which gets rid of the Security Warning, but now I get a Security Information alert (This page contains both secure and nonsecure items.  Do you want to display the nonsecure items?).

Is there another setting in IE that will suppress this Security Information alert, or do we need to modify the Apex Class/VF page?  Most of my users primarily use IE, so while I know Firefox handles this differently, I can't easily transition them all to Firefox and I don't want them to see this message every time they use the page in IE.

Any ideas?  Your replies are greatly appreciated!

Kristin

Message Edited by flewells on 11-09-2009 08:40 AM
Best Answer chosen by Admin (Salesforce Developers) 
Richie D

Hi,

Your best bet is to find the items that are causing the security problem in the first place. Anything that has an http:// and not an https:// will be an offender. Remember, the security warnings are there for a reason. They show the user that not all items are managed under the https security protocol and data submitted by them will be sent in plain text.

If you need images, scripts or other items, you could think about adding them to a static resource so they are then inside the https domain.

R.

All Answers

flewells

After a little more searching, I see one option is to disable mixed content within IE (Internet Options - Security - Internet - Custom Level - Miscellaneous - Display Mixed Content = ENABLE).

While this solves the immediate problem, we're not keen on disabling for all sites.

Will be interested in hearing best practices for addressing this within the Visualforce page.

flewells

Thanks for leading me in the right direction, Richard.  I think I've found the problem.  While we are using static resources within the page, I see that one of our static resources includes http:// references (for stylesheet).
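
One way to run the check described in this thread, finding `http://` references in a page or in a stylesheet held as a static resource (an added example, not part of the original posts). The sample markup and hostnames are constructed, and the table of fetching attributes is an assumption covering common HTML and Visualforce tags.

```python
import re

# Attributes that make the browser fetch a subresource, and the tags they count on
# (None = any tag). <a href> is navigation only and does not cause the alert.
FETCHING = {
    "src": None,
    "href": {"link"},
    "url": {"apex:image"},
    "value": {"apex:image", "apex:stylesheet", "apex:includescript"},
}
TAG_RE = re.compile(r"<\s*([A-Za-z][\w:.-]*)\b([^>]*)>", re.S)
ATTR_RE = re.compile(r"""\b(src|href|url|value)\s*=\s*["'](http://[^"']+)["']""", re.I)
CSS_RES = (
    ("css url()", re.compile(r"""url\(\s*["']?(http://[^"')\s]+)""", re.I)),
    ("css @import", re.compile(r"""@import\s+["'](http://[^"']+)["']""", re.I)),
)

def find_insecure_refs(text):
    """Return sorted (line, kind, url) tuples for plain-http subresource loads."""
    def line_of(pos):
        return text.count("\n", 0, pos) + 1
    hits = []
    for tag in TAG_RE.finditer(text):
        name = tag.group(1).lower()
        for attr in ATTR_RE.finditer(tag.group(2)):
            key = attr.group(1).lower()
            if FETCHING[key] is None or name in FETCHING[key]:
                hits.append((line_of(tag.start(2) + attr.start()), f"<{name} {key}>", attr.group(2)))
    for kind, rx in CSS_RES:
        hits += [(line_of(m.start()), kind, m.group(1)) for m in rx.finditer(text)]
    return sorted(hits)

# Constructed sample: a page with an inline stylesheet; hostnames are placeholders.
SAMPLE = """<apex:page>
<apex:stylesheet value="{!$Resource.SiteCss}" />
<link rel="stylesheet" href="http://cdn.example.com/theme.css" />
<script src="https://cdn.example.com/app.js"></script>
<img src="http://img.example.com/logo.png" />
<a href="http://example.com/help">Help</a>
<style>
@import "http://fonts.example.com/a.css";
.hdr { background: url(http://img.example.com/bg.gif); }
.ok { background: url(https://img.example.com/ok.gif); }
</style>
</apex:page>"""

if __name__ == "__main__":
    for line, kind, url in find_insecure_refs(SAMPLE):
        print(f"line {line}: {kind} -> {url}")
```

A regex scan like this is a first pass over the files; URLs assembled at runtime by script or formulas will not appear in it.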

Claiborne

Another tip -

If you have an image stored as a static resource, this tag

<apex:image url="{!URLFOR($Resource.Cloud2MailLogo)}" />

generates an IE security warning (Firefox does not seem to care).

But this tag works fine.

<apex:image url="{!$Resource.Cloud2MailLogo}" />

Apparently the URLFOR function generates an http:// link, not an https:// link.