View Full Version : close() throws security warning

08-26-2002, 11:33 PM

I have a script that is part of a shopping cart application I found on the internet and have been working on. I am running it on a secure server (https). It runs perfectly, except that when it reaches the close() statement shown below, it throws a "You have requested an encrypted page the contains some unencrypted information."

Briefly, the frames are set up like this:

<frame NAME = "TopFrame" SRC="sc2.html" FRAMEBORDER="NO" SCROLLING="NO" >
<FRAMESET Cols="70%,30%">
<frame src="bassoonsc.html" name="code">
<frame src="about:blank" name="cart"></FRAMESET></FRAMESET>

The function that causes the problem:

function CartQuest() {
var totalcost=0;
with (parent.cart.document) {
write("<CENTER><FONT COLOR=993300><FONT SIZE=+2><B>Your Order</B></FONT></FONT></CENTER><HR>");

. . . lots of statements . . .


I have left out the details, but I have isolated the error to the close() statement.



08-26-2002, 11:55 PM
are the pages in the other frames on a https:// server? if they are not secure page that is what could be causing an error.


08-27-2002, 12:02 AM
I have gone through the code very carefully looking for anything that wasn't local. I have not found anything. The javascript code is in the parent window and is writing to a child window on the right on the screen. Everything in that window is dynamically generated with Write statements.

I have tested the code with alert statements and isolated the problem to the close().

08-27-2002, 12:43 AM
You have requested an encrypted page the contains some unencrypted information.

That error sounds like you have absolute paths to images on the page, which don't have "https://" in front of them.

Just an educated guess. :D I'd double check all of your image paths, and make sure you change them if you need to - for example in ASP you could do something like this:

HTTPS = Request.ServerVariables("HTTPS")
If HTTPS = "ON" Then
Path = "https://www.yourwebsite.com/"
Path = ""
End If %>

And for each image on any pages that may be secure:

<img src="<% = Path %>image1.jpg" />

08-27-2002, 01:24 AM
Nope. I went through each and every image and reference made sure the full path was coded.

If that were true the error would appear on loading instead of when close() is executed.

08-27-2002, 01:35 AM
So can you post the URL? Or the relevant code?

08-27-2002, 01:36 AM
I've only encountered that error message in the scenario that scroots & whammy have described.

It's difficult to find the root of the problem, with such a big chunk of code missing. We have to take your word for it instead of combing through the code ourselves (I'm sure your eyes are perfectly capable, but you know how it gets when you've been staring at the same code for too long ;)).

This might be too simplistic, but maybe "about:blank" is considered external to the secure server? :confused:

08-27-2002, 01:57 AM
I think it *may* possible that about:blank is part of the problem or is at least related. I have tried reworking this part of the code and put in a named url but it didn't make any difference.

There is nothing in any of the code that is missing that is causing a problem. I inserted alert statements in the code until I found the problem and it happens at the close() statement. There is something that happens when it is executed that makes both Explorer and Mozilla think that security has been violated.

08-27-2002, 03:58 AM
Here is the url. I have disabled the order button.


08-28-2002, 01:18 AM
Hmm... that is indeed a dilemma - however I notice when I choose "not" to display the non-secure items, that the right frame doesn't seem to load properly (it says "Navigation Cancelled") and then redirects to another page.

Everything else that I looked at appears to be secure (unless I missed something) - so that leads me to believe the problem is with whatever initially loads in your right frame (which appears to be "about:blank") - but I'm just guessing here still, and it mystifies me that you tried another URL and it did the same thing - was the other URL secure?!

I think I'm as baffled as you are - perhaps it's something in the way javascript deals with frames that is throwing the error, that I haven't ever experienced (which is not surprising, since I have never used frames/javascript on a secure site to this point)?


I wish I could help more... I'll run this by some other developers at work and see if they have any idea (but we don't have a need to do too much with javascript there in combination with frames (at least on most of our secure pages), so I don't hold out much hope on that!)

08-28-2002, 01:34 AM
When I was doing some testing, I disabled the initial loading of the right frame (which normally loads automatically when the left frame loads).

Clicking one of the order buttons in the left frame runs functions including the same one that loads the right frame. The error would be triggered at the very end of the function when it got to the close() statement.

I think that there is something about this function that the browser thinks is doing something outside of secure domain. I just don't know how to fix it. I have tried things like window.close() but it really closes everything.

If I take the close() statement out, the error is not triggered but the next time the order button is pressed another instance of the order form is written below the first one.

Thanks for your efforts.

08-28-2002, 01:38 AM
Indeed it does sound like javascript is throwing the error because you're trying to close a window that it thinks is in another domain. Not sure about that - but perhaps one of the javascript gurus here can provide some help (I'm just a javascript hack, although I can get stuff to work most of the time!).