Second Life of a Hungarian SharePoint Geek

March 26, 2010

ScriptLink control causes issues when accessing a SharePoint 2010 site through HTTPS

Filed under: Bugs, SP 2010 — Tags: , — Peter Holpar @ 15:26

Recently I found an annoying issue with a SharePoint 2010 site being published over HTTPS. Each time a page is requested from the browser I’ve got the following Security Information in IE7:

This page contains both secure and nonsecure items.

Do you want to display the nonsecure items?

image

In IE8 it is a bit different. It is called Security Warning and seems like this:

image

Do you want to view only the webpage content that was delivered securely?

This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.”

Although Yes is the default button on each dialog, it has just the opposite result in these cases. In IE7 Yes means allowing nonsecure items, in IE8 it means allowing only secure content.

The page is displayed only after clicking Yes or No, but in our case pressing Yes or No seems to have no effect at all. At least, at the first sight.

This is issue is rather common when the web site designers included a resource on the page that is served through a non-secure protocol, like HTTP. Typical resources are images, CSS or JavaScript files and even IFRAME or traditional HTML frame sources.

It is usually easy to configure by enabling “Display mixed content” for the security zone the specific server is or adding the server to a zone for which this option is enabled.

image

The bad news is that in our case this setting has no effect.

After some investigation I’ve found that the source of the issue is the ScriptLink control that is included in the out-of-the-box masterpages, like v4.master and nightandday.master.

I suspect the exact reason for the issue is the following line of the code:

<script src="ignore://blank" type="text/javascript"></script>

In this case the the protocol ignore sounds a bit strange. It might be not handled by Internet Explorer as a secure one.

Checking the source of the ScriptLink class it turns out that the value "ignore://blank" comes from the private constant IgnorePath of the class, but I really don’t know yet what it is good for.

After removing the ScriptLink from the source of the master page the warning is not displayed anymore, but it is obviously not a real solution for the problem.

Advertisements

3 Comments »

  1. […] SharePoint Blog Post From SharePoint Security – Google Blog Search: By pholpar. Recently I found an annoying issue with a SharePoint 2010 site being published over […]

    Pingback by ARB Security Solutions » ScriptLink control causes issues when accessing a SharePoint 2010 … — March 29, 2010 @ 14:59

  2. Thanks for the tip. I was wondering about this and couldn’t find any http:// in the source. My guess, this’ll be fixed for RTM.

    Comment by Matt C. — March 31, 2010 @ 16:50

  3. Not finding this to be a problem in our environment with SP1 and Oct 2011 CU.

    Comment by Paul Ewert — February 29, 2012 @ 19:26


RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: