IE7 - HTTPS IFRAME 内的元刷新导致混合内容警告
我有一个 ASP.NET 应用程序,它通过使用带有刷新标头(或页面中的元刷新标记)的隐藏 IFRAME 来实现保持活动状态。
对于许多(但不是全部)Internet Explorer 实例(到目前为止已在 IE7 和 IE8 beta 上重现 - 但不是每个人!),如果您在两个都包含此保持活动 IFRAME 的安全页面之间移动,您会得到类似于以下序列的内容events:
0s: load page1.html - includes keepalive.html, schedules a refresh at 15s
5s: click the page2 link
load page2.html - includes keepalive.html, schedules a refresh at 20s
15s: refresh of frame on page1 happens; mixed content error box displayed
此时浏览器中会显示错误“此页面包含安全内容和非安全内容”。
page1.html:
<html><head><title>Page 1</title></head><body>
<h1>This is Page 1</h1>
<p><a href="page2.html">Go to Page 2</a></p>
<iframe src="keepalive.html" width="500" height="200" />
</body></html>
第 2 页是相同的,但显示为第 2 页,并链接到第 1 页。
keepalive.html:
<html><head>
<meta http-equiv="refresh" content="15" />
</head><body>
<h2>This is the keep alive</h2>
</body></html>
在我测试过的所有浏览器中,我已确保互联网区域有权进行元刷新,并设置为在显示混合内容时进行提示。 我已阅读所有建议您需要在 IFRAME 上有 src="" 标记的页面,否则 IE 会认为它不安全 - 根据设计,它必须有 src 标记,即保持活动页面的标记。
如果您永远坐在第 1 页,则 IFRAME 会刷新得很好。 该错误仅在您更改为第 2 页后第一次出现。
我正在寻找一种以最小的更改来解决此问题的方法:更好的保持活动方法是使用 控制& 自动刷新图像,我将在未来的版本中进行研究。 我想到的一个可能的解决方法是让 IFRAME 的内容成为服务器的常规 XMLHttpRequest,而不是元刷新。 更简单的错误修复会更好。
更新:我已将 Grant Wagner 的答案标记为正确,因为它引导我找到实际问题:Lenovo Password Manager 插件 CpwmIEBrowserHelper 导致此错误。 这巧妙地解释了为什么有些人会看到这个问题,而其他人则不会——我询问的大多数人都拥有 ThinkPad。 禁用扩展可以解决刷新问题。
由于我们无法让每个可能使用该应用程序的人都解决此问题,因此我们将使用 JavaScript 计时器并刷新窗口位置,将 keepalive.html 页面更新为如下所示:
<html><head>
<meta http-equiv="pragma" content="no-cache">
</head><body>
<h2>This is the keep alive</h2>
<script type="text/javascript">
setTimeout ('ReloadPage()', 15000 );
function ReloadPage() {
window.location = window.location;
}
</script>
</body></html>
I have an ASP.NET application that implements keep-alive by using a hidden IFRAME with a refresh header (or meta refresh tag in the page).
For many - but not all - instances of Internet Explorer (reproduced so far on IE7 and IE8 beta - but not for everyone!) if you move between two secure pages that both contain this keep-alive IFRAME, you get something like this sequence of events:
0s: load page1.html - includes keepalive.html, schedules a refresh at 15s
5s: click the page2 link
load page2.html - includes keepalive.html, schedules a refresh at 20s
15s: refresh of frame on page1 happens; mixed content error box displayed
At this point the error "This page contains both secure and non-secure content" is displayed in the browser.
page1.html:
<html><head><title>Page 1</title></head><body>
<h1>This is Page 1</h1>
<p><a href="page2.html">Go to Page 2</a></p>
<iframe src="keepalive.html" width="500" height="200" />
</body></html>
Page 2 is the same but says Page 2, and links to Page 1, instead.
keepalive.html:
<html><head>
<meta http-equiv="refresh" content="15" />
</head><body>
<h2>This is the keep alive</h2>
</body></html>
In all the browsers I have tested this in I have ensured that the internet zone has permission to do a meta refresh and is set to prompt when displaying mixed content. I have read all the pages suggesting that you need to have a src="" tag on your IFRAME or IE will consider it insecure - by design it has to have a src tag, which is that of the keep-alive page.
If you sit on Page 1 forever, the IFRAME refreshes fine. The error only shows up the first time after you change to Page 2.
I am looking for a way to fix this with minimal change: a better method for keep-alive would be to use a control & automatically-refreshing images, which I will investigate for future versions. A possible workaround I have in mind is having contents of the IFRAME be a regular XMLHttpRequest to the server, instead of a meta refresh. A simpler bugfix would be even better.
Update: I have marked Grant Wagner's answer as correct because it lead me to the actual problem: the Lenovo Password Manager add-on, CpwmIEBrowserHelper, causes this error. This neatly explains why some people see this problem and not others - most of the people I asked have ThinkPads. Disabling the extension makes the refresh problem go away.
As we can't cause everyone who might use the application to fix this problem, we are going to go with a javascript timer and refreshing the window location, updating the keepalive.html page to look like this:
<html><head>
<meta http-equiv="pragma" content="no-cache">
</head><body>
<h2>This is the keep alive</h2>
<script type="text/javascript">
setTimeout ('ReloadPage()', 15000 );
function ReloadPage() {
window.location = window.location;
}
</script>
</body></html>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我在 IE 6、7 和 8(发行版)中尝试了您的测试页,但无法重现该问题。
需要检查的一些事项:
https。 另外,使keepalive.html的查询字符串对于页面 1 和 2 是唯一的,以便您可以验证哪个请求导致出现消息框。坦率地说,我担心问题的本质。 您的意思是,访问第 1 页设置了一个计时器来刷新 iframe,然后您导航离开该页面,刷新仍然会在指定时间发生,即使您已经导航离开包含 iframe 的页面,该页面包含元刷新。 离开第 1 页应该会在初始 iframe 刷新时停止计时器。 这就是为什么我认为您应该使用 Fiddler(和唯一的
keepalive.html查询字符串)来验证是否是来自第 1 页上的 iframe 的请求导致了问题。I tried your test page in IE 6, 7 and 8 (release) and could not reproduce the problem.
Some things to check:
https. Also, make the query string tokeepalive.htmlunique for pages 1 and 2 so you can verify which request is causing the message box to appear.Frankly I'm concerned about the nature of the problem. You're saying that visiting page 1 sets a timer to refresh the iframe, then you navigate away from that page, and the refresh still occurs at the designated time, even though you've navigated away from the page containing the iframe which contains the META REFRESH. Navigating away from page 1 should stop the timer on the initial iframe refresh. That's why I think you should use Fiddler (and a unique
keepalive.htmlquery string) to verify it is the request from the iframe on page 1 causing the problem.尝试使用以 https 开头的完整 URL 设置 iframe,我过去遇到过这个问题,我认为这就是解决方案。
Try setting the iframe with the full URL starting with https, I've ran accross this in the past, I think this was the solution.