Opened 14 years ago
Closed 14 years ago
#1787 closed defect (fixed)
Security Warning when using iconSrc with SSL on MenuItem2 0.4 (IE6 SP2 - IE7)
Reported by: | Owned by: | bill | |
---|---|---|---|
Priority: | high | Milestone: | 0.9beta |
Component: | Dijit | Version: | 0.4 |
Keywords: | Cc: | ||
Blocked By: | Blocking: |
Description
The problem appears when we add an iconSrc on a MenuItem2 and when we're using SSL (https).
Example:
```js
var oColContextMenu = dojo.widget.createWidget( "PopupMenu2", { id: "m1", targetNodeIds: aIds, contextMenuForWindow: false });
oColContextMenu.addChild(dojo.widget.createWidget( "MenuItem2", { id: "menu-item1", iconSrc : '/images/icons/general/a.gif', caption: "Tri croissant", onClick : dojo.lang.hitch(this, this.SortAsc)} ));
oBigContainer.appendChild(oColContextMenu.domNode);
```
Security Warning occurred at the second line.
If I delete `iconSrc : '/images/icons/general/a.gif'`, everything works perfectly without any SSL warning.
All worked perfectly on 0.3
No problem on FF2 and Opera9
Problem with : IE6SP2 and IE7
Attachments (1)
Change History (9)
comment:1 Changed 14 years ago by
Changed 14 years ago by
Attachment: | test_Menu2IEhttps.html added |
---|
IE6SP2 test cases that currently cause mixed content security popups (1,3 happen on first menu display, 2 happens on menu creation)
comment:2 Changed 14 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:4 Changed 14 years ago by
Resolution: | invalid |
---|---|
Status: | closed → reopened |
> iconSrc is supposed to be a string, either a relative or absolute path, but not a full url with http:// or https:// in it. something like "../foo.gif" or maybe "/foo/bar.png". ...

Why/where is iconSrc defined as such? URN's (/foo or ../foo) _always_ cause the initial security popup using the previously attached test with IE6SP2.
The only way to avoid the popup (other than omitting iconSrc completely) is to use the https:// full URI format. Presumably this is because there's no chance for IE to mistake it as a non-SSL resource.
From the code itself, iconSrc is simply mapped to the CSS functional notation "url({iconSrc})", both in 0.3 and 0.4, and CSS url()'s can be relative, absolute, or completely standalone URIs. see http://www.w3.org/TR/REC-CSS2/syndata.html#uri
I think this may be a quirk in IE6SP2/7 over https, however if Dojo 0.4+ Menu2's are going to consistently cause these security popups, then unfortunately I think Dojo needs code around it in the interest of usability.
Otherwise, we should at least publish a list of SSL-compatible dojo widgets.
comment:5 Changed 14 years ago by
Milestone: | → 0.9 |
---|
comment:6 Changed 14 years ago by
Component: | Widgets → Dijit |
---|
comment:7 Changed 14 years ago by
I'm using 0.4.1 and am seeing this on Toolbar Buttons that are parsed from anchor elements (hyperlinks) and have dojo:icon specified. If I parse it from a span element (or something without an href attribute) then it's not a problem.
```html
<a dojo:type="ToolbarButton" dojo:id="zIn" dojo:icon="img/16x/zoom_in.png">Zoom In</a>
```
comment:8 Changed 14 years ago by
Milestone: | 0.9 → 0.9beta |
---|---|
Resolution: | → fixed |
Status: | reopened → closed |
This is "fixed" in the sense that we no longer have an iconSrc attribute, but rather an iconClass attribute.
The only difference I can see between 0.3 and 0.4 is that in 0.3 iconSrc was assigned via dom (.style.backgroundImage=this.iconSrc) vs. in 0.4 where it is part of the html template (style="${this.iconStyle}")...
My menu is created dynamically, so I can seem to resolve the iconSrc issue itself (IE6SP2) by forcing the iconSrc to be absolute (https://...):
Using this method (or excluding the iconSrc completely) prevents any popups on page load, but I still get two mixed content security popups when the menu is first shown...
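
The workaround mentioned in the comments, forcing iconSrc to a fully qualified https:// URL before it is placed in the `url()` style, as an added example. This is not code from the ticket or from Dojo; the function names, the page URL and the host name are assumptions.

```javascript
// Added example (not Dojo code). PAGE and its host name are constructed.

// Resolve an icon path the way a browser would, against the page URL.
// Covers "../foo.gif", "/foo/bar.png", "//host/x.png" and full URLs.
function resolveIconSrc(iconSrc, pageUrl) {
  const page = new URL(pageUrl);
  const icon = new URL(iconSrc, page);
  return {
    href: icon.href,
    scheme: icon.protocol,
    // An http: sub-resource on an https: page is mixed content.
    mixedContent: page.protocol === "https:" && icon.protocol === "http:",
  };
}

// Build the inline style value for a menu item icon, always with a fully
// qualified URL so the scheme is explicit in the generated markup.
function iconStyle(iconSrc, pageUrl) {
  const r = resolveIconSrc(iconSrc, pageUrl);
  if (r.scheme !== "http:" && r.scheme !== "https:") {
    throw new Error("unsupported icon scheme: " + r.scheme);
  }
  if (r.mixedContent) {
    throw new Error("mixed content icon: " + r.href);
  }
  // URL serialization percent-encodes double quotes, so quoting is safe here.
  return 'background-image:url("' + r.href + '")';
}

// The two icon paths quoted in this ticket, resolved against the sample page.
const PAGE = "https://app.example.test/admin/list.html";
console.log(iconStyle("/images/icons/general/a.gif", PAGE));
console.log(iconStyle("img/16x/zoom_in.png", PAGE));
```

Icons that resolve to http: on an https: page, or to a non-HTTP scheme, are rejected instead of being written into the style.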