Security Warning: Do you want to view only the webpage content that was delivered securely?
For the Internet Explorer (IE) users out there, I’m sure you’ve come across the dialog shown in the image on the right once or twice in your life. On several of our recent client projects I’ve been involved with, we’ve been doing a lot of changing over from unsecure to secure URLs via Secure Sockets Layer (SSL) certificates in
SharePoint. 


 
Invariably, as soon as you enable SSL and log in to SharePoint, you get this wonderful prompt: "Do you want to view only the webpage content that was delivered securely?”

What?  Of course I don’t.  So what is causing this warning?  Well, there are a couple ways we can find out:

  • First option: Manually, view source (Use Ctrl+f and look for HTTP for anything that’s not standard SharePoint schema). Tedious, right?
  • Second option: Fiddler. Besides being riveting party conversation for friends and family, Fiddler is a very handy tool that can really help in this scenario. 

After deciding on the second option, I downloaded and installed Fiddler. Now, let’s see what HTTP web resources the page is calling.

1) First, we need to enable support of the HTTPS protocol.  In Fiddler, click Tools –> Fiddler Options –> HTTPS tab, and check the boxes for HTTPS.

SNAGHTMLa422c33

2) Now we’re ready.  Have Fiddler up and running, minimize it, and log in to the SharePoint site where you get the prompt.

3) Go back to Fiddler, and let’s check out the results.

image

OK, we're good so far, all HTTPS.  You can sort on the protocol column as well to help you. Hey, wait a minute...

image

Aha!  So there are obviously some jQuery calls where the developers are calling the .js files from the public CDN instead of downloading locally into /_layouts.  That’s fine, but in this scenario, it’s causing the mixed prompts. 

4) Now you can politely go ask your developers to either point to the HTTPS versions of the web version CDNs, or download the version-specific .js files to the SharePoint server and update the code to call them locally.  If it was you running jQuery on a page and not via a solution, you can take care of this yourself.  You can find more on calling jQuery via CDN here.  At a minimum, you should just be able to change the CDN URL to HTTPS from HTTP.  The culprit might not be code, but loading an image from the Internet for example.  Whatever the case, just make sure whatever you calling is being delivered securely.

5) Log in to SharePoint, and feel the joy of no mixed content prompts.  High fives all around.

If you happen to have users using non-IE browsers, they won’t see the mixed prompt, but being mixed mode might affect functionality, branding, etc.  In Firefox for example, it shows a different icon depending if it’s all secure or not:

Mixed mode image

 

 

 

 All secureimage

 

 

 

 

 

 

If you would like more information on C5 Insight or this blog content, fill out our Contact form.