GWT application generates IE insecure item warning

Posted on 2024-10-04 13:11:47

Our service runs over HTTPS and we're currently experimenting with running a compiled GWT-application within it, only client side, no RPC:s.

It is included within an IFRAME, which seems to be recommended (here for example: http://developerlife.com/tutorials/?p=231 under the heading HTTPS and HTTP).

When doing certain operations within the GWT-app, IE generates an insecure item warning.

http://bagonca.com/insecure_item.png

You may ask yourself why I don't use some nifty Firefox plugin to see what request might be over http. Or why I don't use HTTPWatch in Internet Explorer for the same reason. I have. There are no insecure requests that I can find, anywhere.

What I have read about on the other hand is that Internet Explorer throws this warning for iframes without the src attribute set. And that a potential fix is using src="javascript:false" for any iframe that is populated dynamically.

As I've said, the whole app is included via an IFRAME, and within it GWT itself generates a hidden IFRAME that looks like below.

<iframe tabIndex="-1" id="gwt-app" src="javascript:''" style="border-bottom: medium none; position: absolute; border-left: medium none; width: 0px; height: 0px; border-top: medium none; border-right: medium none;">

I've tried hard-coding the src attribute above to a blank page that actually exists and is called with HTTPS on the same domain. I've tried the javascript:false; approach. No luck. The app works like a charm, but IE throws the useless and false warning.

The warning turns up when I do certain actions within the app, not when it is loaded. Actually when dragging and dropping appointments within the http://code.google.com/p/gwt-calendar/ component.

Has anyone tangled with a similar issue before? Any clues?

Comments (3)

泪冰清 2024-10-11 13:11:47

There are other snippets of JavaScript that can also cause a problem. Please see:

http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/

Also, have a look through the pile of comments on:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

Some of the commenters have found and fixed other causes of the warning too.

方圜几里 2024-10-11 13:11:47

Any clues?

I'm not sure in this case, but I did some experiments with iframes (on a somewhat similar topic) about a year ago. I would assume that gwt-calendar tries to communicate with the host page via JavaScript's parent reference. AFAIR, that's not allowed when the host page isn't loaded from the same origin (including protocol).

三人与歌 2024-10-11 13:11:47

This can happen if you have your app running over HTTPS and are fetching images or some other resource over plain HTTP. Check if you have image or CSS paths hardcoded to http://.

For example, if your app is running at https://example.com and you wish to load an image foo.jpg, the HTML you should be using is:

<img src="https://example.com/images/foo.jpg"/>

or (ideally)

<img src="images/foo.jpg"/>

and not

<img src="http://example.com/images/foo.jpg"/>

Note that the third example fetches the foo.jpg image over http instead of https. Hence it would cause the issue which you are facing.

To avoid such problems, the best practice is to use ImageResources and relative URLs.
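
The checks suggested in this thread (hardcoded http:// image or CSS paths, and the iframes without a src attribute that the question mentions) can be run as a static scan over the compiled output. The following JavaScript for Node.js is an added example, not part of the original thread; findMixedContent, its finding names and the sample markup are assumptions made for illustration.

```javascript
// Added example; SAMPLE is constructed markup, not taken from the asker's app.
// Tags whose URL attribute makes the browser fetch a subresource. <a href> is
// deliberately absent: a link to an http:// page is navigation, not mixed content.
const SUBRESOURCE_ATTRS = new Map([
  ['img', 'src'], ['script', 'src'], ['iframe', 'src'], ['frame', 'src'],
  ['embed', 'src'], ['source', 'src'], ['object', 'data'], ['link', 'href'],
]);

// Return the value of attribute `name` inside one start tag, or null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

function findMixedContent(markup) {
  const findings = [];
  for (const [tag, rawName] of markup.matchAll(/<([a-z]+)\b[^>]*>/gi)) {
    const name = rawName.toLowerCase();
    if (!SUBRESOURCE_ATTRS.has(name)) continue;
    // <link> only fetches for stylesheet/icon relations, not rel="canonical" etc.
    if (name === 'link' && !/stylesheet|icon/i.test(attr(tag, 'rel') || '')) continue;
    const url = attr(tag, SUBRESOURCE_ATTRS.get(name));
    if (url !== null && /^http:\/\//i.test(url.trim())) {
      findings.push({ kind: 'http-subresource', tag: name, url });
    } else if ((name === 'iframe' || name === 'frame') && !url) {
      // The case the question describes: a frame created with no src at all.
      findings.push({ kind: 'iframe-without-src', tag: name, url });
    }
  }
  // Inline or stylesheet CSS that pulls images or fonts over plain HTTP.
  for (const m of markup.matchAll(/url\(\s*['"]?(http:\/\/[^'")\s]+)/gi)) {
    findings.push({ kind: 'http-css-url', tag: 'css', url: m[1] });
  }
  return findings;
}

const SAMPLE = `
<link rel="stylesheet" href="http://example.com/app.css">
<a href="http://example.com/help">Help</a>
<img src="images/foo.jpg"/>
<img src="https://example.com/images/foo.jpg"/>
<img src="http://example.com/images/foo.jpg"/>
<iframe id="dynamic" style="display:none"></iframe>
<iframe tabIndex="-1" id="gwt-app" src="javascript:''"></iframe>
<div style="background: url('http://example.com/bg.png')"></div>
`;

for (const f of findMixedContent(SAMPLE)) console.log(f.kind, f.tag, f.url);
```

A static scan only sees markup present in the files; elements that scripts create at runtime, such as the hidden GWT iframe, have to be checked in the live DOM.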
