nonsecure items popup on ie 6.0 since 4.0 upgrade

[frostpaw]

Hello all,

I am having a minor issue where I get a "Security Information - nonsecure items" popup when I access the root page of my Zimbra installation over HTTPS. I get the same popup after I've entered my username and password. Interestingly, this occurs when I use IE 6.0 and does not occur when using FireFox 1.5.0.6. Unfortunately I have to support IE, so this is a problem.

Note that I recently upgraded from 3.1 to 4.0. This problem did not occur with 3.1 and is new behavior since the 4.0 upgrade.

Here is some pertinent information:

OS: Fedora Core 5
Zimbra Version: zcs-4.0.0_GA_303.FC5
My Zimbra installation is configured to be accessed entirely over HTTPS port 443.

I've been looking for days to find a root cause for this problem with no progress. Any ideas?

Thanks for your help,
-Geoffrey

[marcmac]

Did you install the extra zimlets? That may be the problem.

The reason you don't see this on FF is because it's a browser security setting.

[frostpaw]

Good call on the extra zimlets. I did install the 3.1 extra zimlets. I went ahead and removed these by doing:

zmzimletctl undeploy com_zimbra_amzn
zmzimletctl undeploy com_zimbra_wikipedia
zmzimletctl undeploy com_zimbra_ymaps
zmzimletctl undeploy com_zimbra_xslt
zmzimletctl undeploy com_zimbra_tracking

Removed the associated Zimlet files from /opt/zimbra/zimlets

Unfortunately the problem still persists. I am still getting the https nonsecure popup warnings.

Any other ideas?

Thanks for your help,
-Geoffrey

[frostpaw]

One extra note - I did a full server restart following zimlet removal, and I have cleared the cache on my IE browser.

Still I get the same problem
-Geoffrey

[frostpaw]

Okay I've been doing some further analysis of this behavior.

First off, I ran Wireshark on my local machine while accessing my https url to see if any non-ssl http requests are being made by the browser after I select "Y" to get nonsecure items.

No http requests are seen by wireshark during the entire transaction. All requsts occur over https.

So how come IE is reporting this as a request for nonsecure items?

Perhaps it could have something to do with an iFrame having a blank src attribute?
http://gemal.dk/blog/2005/01/27/ifra...rnet_explorer/

The file Ajax_all.js has some code in it to handle this, but is it working properly with IE 6?

Then again, I may be barking up the wrong tree entirely....
-Geoffrey

[Dux T]

All I did was go to IE's
Tools
Internet Options
Custom Level
and set "Display Mixed Content" to "Enable"

[andreychek]

Quote:

Originally Posted by frostpaw

The file Ajax_all.js has some code in it to handle this, but is it working properly with IE 6?

Then again, I may be barking up the wrong tree entirely....

I just wanted to offer that I've been seeing the same behaviour. Users with IE have been getting that error about some links being insecure.

I did a upgrade from 3.0.1 to 4.0, but I've never done anything with Zimlets. Whatever Zimlets are enabled or disabled are at their default.

I had made a few changes in the hopes of fixing this, I'm waiting to hear back from them on whether it actually worked for them (I don't have any Windows computers ;-)

I'm saying something now, before I hear back from them, so that this doesn't get written off by anyone as an isolated incident ;-)

Oh, and yes, the error is easy to fix in the IE settings for one person. I was hoping to not have to offer that as a solution to every IE user who wants to use Zimbra though :-)
-Eric

[rhostager]

For what it is worth... I just upgraded to 4.0. I am having the same problem as mentioned above. No extra zimlets. I get the display secure and nonsecure warning when using IE 6.

- Rob

[dcm]

Me too. I'm seeing this same problem in IE6 and in IE7 RC1 since upgrading to Zimbra 4.0. I also would like a fix that doesn't require everyone using IE to make a settings change, particularly since that change makes the browser less secure.

And it's slightly more than a minor nuisance since it asks every time you log into your account and every time you log out of your account.

I did a little looking and found the following in /opt/zimbra/tomcat/webapps/zimbra/js/zimbra/common/ZLoginTest.html:

.ImgLoginBanner {
width:349px;
height:92px;
background-image:url(http://localhost:7070/zimbra/img/loR...inBanner.gif);
}
.ImgLoginError {
width:32px;
height:32px;
background-image:url(http://localhost:7070/zimbra/img/loR...tical_32.gif);
}

I'm not sure if that page has anything to do with the problem or not. I changed http to https in both places and the problem did not go away.

dcm

[jholder]

Hi-
Just about all of my users use IE, and I don't have the problem, but here's a bug:
http://bugzilla.zimbra.com/show_bug.cgi?id=3912