Mixed Content Bug in dojo/src/storage/Browser.js

[[email protected]…]

Hey now. I'm a fairly green newbie here and I am getting a "This page contains both secure and nonsecure items" security warning from my webapp in IE.

I am using the latest "kitchen sink" toolkit release 0.2.2. If I remove the inclusion of dojo.js the problem goes away. I found a similar issue about this (http://dojotoolkit.org/pipermail/dojo-checkins/2006-February/004104.html) but by making the suggested change in dojo.js, my problem did not go away.

It looks like the culprit is at line 79 in dojo/src/storage/browser.js which links to a macromedia shockwave site.

This line:

storeParts.push(' codebase="​http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"');

will cause a Mixed-Content error in IE if the you are running on a secure server (https). By modifying the line to:

storeParts.push(' codebase="​https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"');

..the problem goes away.

Just by including dojo.js (0.2.2 Kitchen Sink version) a bare bones HTML file and placing it on a secure server, you should see the error reproduced in IE.

-Sol

[[email protected]…]

A possible fix... I emailed this to the interest list but since there is a ticket I'll post it here as well. I dont see why you could fix this problem by checking the window.location.href

writeStorage: function(){

var swfloc = dojo.uri.dojoUri("src/storage/Storage.swf").toString(); alert(swfloc); var storeParts = [

'<div id="dojo-storeContainer"',

'style="position: absolute; left: -300px; top: -300px;">'];

if(window.location.href.substr(4,1))==":"){ if position 4 is not : then we know its not http, assume https

urlPrefix = "​http://";

}else{

urlPrefix = "​https://";

} if(dojo.render.html.ie){

storeParts.push('<object'); storeParts.push(' style="border: 1px solid black;"'); storeParts.push(' classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"');

storeParts.push(' codebase="'+urlPrefix+'download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"'); storeParts.push(' width="215" height="138" id="dojoStorage">'); storeParts.push(' <param name="movie" value="'+swfloc+'">'); storeParts.push(' <param name="quality" value="high">'); storeParts.push('</object>');

}else{

storeParts.push('<embed src="'+swfloc+'" width="215" height="138" '); storeParts.push(' quality="high" '); storeParts.push(' pluginspage="'+urlPrefix+'www.macromedia.com/go/getflashplayer" '); storeParts.push(' type="application/x-shockwave-flash" '); storeParts.push(' name="dojoStorage">'); storeParts.push('</embed>');

} storeParts.push('</div>'); document.write(storeParts.join(""));

}

});

[[email protected]…]

Suggestion from Sam Foster:

Why not be explicit about what you are matching for:

var protocol = "http"; var regexp = new RegExp?("^{https:", "i"); if( regexp.test(window.location.href) ) {}

protocol = "https";

}

That's some pretty good hunting though Sol, glad you got to the bottom of it.

Sam

[Brad Neuberg]

We should see if this still happens with the latest storage refactoring; it looks like the fix is to use the same scheme when loading the SWF files as the parent page has (i.e. use http or https or even ​file:// if the parent page is using this). I'll try to hit this before the 0.3 release

[sjmiles]

Brad didn't make it for 0.3 ... moving to 0.3.1

[anonymous]

I don't have a testing environment setup with a secure server to fix this bug and make sure it's fixed; does someone have such an environment? I also don't have the bandwidth right now to hit it; pushing to 0.4.

[dylan]

(In [6221]) fixes #550, dojo.flash not working in an https environment

[dylan]

(In [6224]) references #550, dojo.flash not working in an https environment... a better version of this patch

[dylan]

(In [6225]) references #550, forgot the colon

[(none)]

Milestone 0.4 deleted