Opened 13 years ago

Closed 12 years ago

#1787 closed defect (fixed)

Security Warning when using iconSrc with SSL on MenuItem2 0.4 (IE6 SP2 - IE7)

Reported by: martin@…
Owned by: bill
Priority: high
Milestone: 0.9beta
Component: Dijit
Version: 0.4
Keywords:
Cc:
Blocked By:
Blocking:

Description

The problem appears when we add an iconSrc on a MenuItem2 and when we're using SSL (https).

Example:

var oColContextMenu = dojo.widget.createWidget( "PopupMenu2", { id: "m1", targetNodeIds: aIds, contextMenuForWindow: false });
oColContextMenu.addChild(dojo.widget.createWidget( "MenuItem2", { id: "menu-item1", iconSrc : '/images/icons/general/a.gif', caption: "Tri croissant", onClick : dojo.lang.hitch(this, this.SortAsc)} ));
oBigContainer.appendChild(oColContextMenu.domNode);

Security Warning occurred at the second line.

If I delete iconSrc : '/images/icons/general/a.gif' all works perfectly without any SSL warning.

All worked perfectly on 0.3

No problem on FF2 and Opera9

Problem with: IE6SP2 and IE7

Attachments (1)

test_Menu2IEhttps.html (1.8 KB) - added by guest 13 years ago.
IE6SP2 test cases that currently cause mixed content security popups (1,3 happen on first menu display, 2 happens on menu creation)


Change History (9)

comment:1 Changed 13 years ago by guest

The only difference I can see between 0.3 and 0.4 is that in 0.3 iconSrc was assigned via DOM (.style.backgroundImage=this.iconSrc) vs. in 0.4 where it is part of the HTML template (style="${this.iconStyle}")...

My menu is created dynamically, so I can seem to resolve the iconSrc issue itself (IE6SP2) by forcing the iconSrc to be absolute (https://...):

...createWidget...
iconSrc: new dojo.uri.Uri(location.href, 'images/check.gif').toString(), // absolutize image src
...

Using this method (or excluding the iconSrc completely) prevents any popups on page load, but I still get two mixed content security popups when the menu is first shown...

Changed 13 years ago by guest

Attachment: test_Menu2IEhttps.html added

comment:2 Changed 13 years ago by bill

Resolution: invalid
Status: new → closed

Hmm, iconSrc is supposed to be a string, either a relative or absolute path, but not a full URL with http:// or https:// in it. Something like "../foo.gif" or maybe "/foo/bar.png". So I don't think this is valid.

comment:3 Changed 13 years ago by bill

But see #2043.

comment:4 Changed 13 years ago by guest

Resolution: invalid
Status: closed → reopened

iconSrc is supposed to be a string, either a relative or absolute path, but not a full url with http:// or https:// in it. something like "../foo.gif" or maybe "/foo/bar.png". ...

Why/where is iconSrc defined as such? URNs (/foo or ../foo) _always_ cause the initial security popup using the previously attached test with IE6SP2.

The only way to avoid the popup (other than omitting iconSrc completely) is to use the https:// full URI format. Presumably this is because there's no chance for IE to mistake it as a non-SSL resource.

From the code itself, iconSrc is simply mapped to the CSS functional notation "url({iconSrc})", both in 0.3 and 0.4, and CSS url()'s can be relative, absolute, or completely standalone URIs. See http://www.w3.org/TR/REC-CSS2/syndata.html#uri

I think this may be a quirk in IE6SP2/7 over https, however if Dojo 0.4+ Menu2's are going to consistently cause these security popups, then unfortunately I think Dojo needs code around it in the interest of usability.

Otherwise, we should at least publish a list of SSL-compatible dojo widgets.
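
The absolutizing workaround from comment 1 and the url() mapping described in comment 4, as an added example that is not part of the ticket or of Dojo's code: it resolves an icon reference against the page URL with the standard `URL` class, flags explicit `http:` results on an HTTPS page, and builds the CSS `url()` value. The function names and the `example.test` URLs are assumptions made for illustration.

```javascript
// Added example: resolve a widget icon reference against the page URL and
// report whether the result would be mixed content on an HTTPS page.
// resolveIcon, audit and the sample URLs are constructed for illustration.

function resolveIcon(pageHref, iconSrc) {
  const page = new URL(pageHref);
  // Standard URL resolution: handles relative, root-relative,
  // scheme-relative ("//host/x") and full references.
  const icon = new URL(iconSrc, page);

  // An http: image referenced from an https: page is mixed content.
  const mixed = page.protocol === "https:" && icon.protocol === "http:";

  // Quote the value for CSS url("...") and escape backslash and double quote.
  const cssValue = 'url("' + icon.href.replace(/[\\"]/g, "\\$&") + '")';

  return { href: icon.href, mixed: mixed, backgroundImage: cssValue };
}

// Constructed sample inputs: one HTTPS page, several iconSrc spellings.
const PAGE = "https://app.example.test/admin/list.html";
const SAMPLES = [
  "/images/icons/general/a.gif",     // root-relative (ticket description)
  "images/check.gif",                // relative (comment 1)
  "//cdn.example.test/i/a.gif",      // scheme-relative, inherits https
  "http://cdn.example.test/i/a.gif", // explicit http: mixed content
];

// Resolve every source and keep the original spelling next to the result.
function audit(pageHref, sources) {
  return sources.map((src) => Object.assign({ src }, resolveIcon(pageHref, src)));
}

for (const r of audit(PAGE, SAMPLES)) {
  console.log((r.mixed ? "MIXED " : "ok    ") + r.src + " -> " + r.backgroundImage);
}
```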

comment:5 Changed 13 years ago by dylan

Milestone: 0.9

comment:6 Changed 12 years ago by bill

Component: Widgets → Dijit

comment:7 Changed 12 years ago by guest

I'm using 0.4.1 and am seeing this on Toolbar Buttons that are parsed from anchor elements (hyperlinks) and have dojo:icon specified. If I parse it from a span element (or something without an href attribute) then it's not a problem.

<a dojo:type="ToolbarButton" 
   dojo:id="zIn" 
   dojo:icon="img/16x/zoom_in.png">Zoom In</a>

comment:8 Changed 12 years ago by bill

Milestone: 0.9 → 0.9beta
Resolution: fixed
Status: reopened → closed

This is "fixed" in the sense that we no longer have an iconSrc attribute, but rather an iconClass attribute.
