Opened 11 years ago

Closed 11 years ago

#8373 closed defect (invalid)

Secure & unsecure message in IE

Reported by: lahiri Owned by: anonymous
Priority: high Milestone: tbd
Component: General Version: 1.1.1
Keywords: dojo Cc: alex, psowden
Blocked By: Blocking:

Description

This page contains bothe Secure and Non secure items"message in IE. When I commented the following piece of code from dojo.js.uncompressed.js file, the message is gone.

        if(dojo.isIE){
                if(!dojo.config.afterOnLoad){
                        document.write('<scr'+'ipt defer src="//:" '
                                + 'onreadystatechange="if(this.readyState==\'complete\'){' + dojo._scopeName + '._loadInit();}">'
                                + '</scr'+'ipt>'
                        );
                }

Attachments (2)

dojo.js.uncompressed.rar (105.1 KB) - added by lahiri 11 years ago.
Error_request_2.JPG (26.2 KB) - added by lahiri 11 years ago.
Error Screen shot

Download all attachments as: .zip

Change History (19)

Changed 11 years ago by lahiri

Attachment: dojo.js.uncompressed.rar added

comment:1 Changed 11 years ago by James Burke

I am surprised this makes a difference: there have been reports of the secure/unsecure message in IE, but I believe it is has been a result of specific modules doing something to cause the error. From what I can recall, there were some things with some uses of some dijits that caused the issue?

If you remove all dojo.require calls and load dojo.js by itself, I believe that works on https connection, so I do not think this change makes a difference: it probably causes a side effect where maybe one of the dojo.required modules does not load perhaps?

But if you can confirm, loading plain dojo.js with the above line activated, I would expect that to work.

comment:2 Changed 11 years ago by Adam Peller

There have been other changes regarding javascript: urls too, I believe. Have you tried testing with the latest version of Dojo or at least 1.2.3?

comment:3 Changed 11 years ago by bill

FYI the dijit issues IIRC were all about specifying a dummy URL for an <iframe> or <img>. Doing:

  • not defining a src/href
  • using javascript:void(0)
  • using blank

etc. all caused intermittent problems so we ended up with referencing a blank.html or blank.gif file.

But I think that's unrelated to this problem.

comment:4 Changed 11 years ago by Adam Peller

FWIW, this is the changeset. It's old. Does anyone know what the ":" is all about?

comment:5 Changed 11 years ago by Adam Peller

Cc: alex psowden added

comment:6 Changed 11 years ago by Adam Peller

it would help if I added the changeset. [6650]

comment:7 Changed 11 years ago by Jared Jurkiewicz

And I wonder if its even needed? src= is optional on script. So could that be completely removed and the behavior kept the same?

comment:8 Changed 11 years ago by Jared Jurkiewicz

comment:9 Changed 11 years ago by Adam Peller

also #3195

comment:10 Changed 11 years ago by Adam Peller

and [5327] from #1028 where it all started. The src used to be a javascript:void(0) which I think we found also caused security warnings in IE when used elsewhere (dijit?)

comment:11 Changed 11 years ago by James Burke

Just talked to peller offline: here is my understanding: the ":" was seen as https-safe, and we needed a defered script to simulate the "DOMContentLoaded" event for IE.

AFAIK, this has been working fine for a while, it would be good to confirm with the original reporter that loading only dojo.js (not dojo.requiring anything else, and not having any other dojo modules in dojo.js than the standard Dojo base) works OK in their https situation. Or if one of use can repro on an https URL with plain Dojo Base, that would be a cause to re-evaluate.

comment:12 Changed 11 years ago by Jared Jurkiewicz

I don't think the noted code is the problem. By commenting it out, all that effectively does is disable dojo from finishing initialization. So, if dojo doesn't init, no widgets get parsed and little gets instantiated.

I set up an SSL environment using IHS an dojo 1.1.1 and I do not hit any secure/insecure errors from IE when it loads various dijit tests.

I even loaded things like themeTester, which loads just about every dijit in existance and then some, and uses them in various ways. No secure/insecure errors.

So ... this currently leads me to think the user may have custom widgets or are using a widget incorrectly to cause that problem to occur. We need more narrowing information from the user, such as what widgets do they use, if they have any custom widgets, and if they can provide a simplified testcase.

I re-iterate here that as far as I can determine, the noted line is not the problem. Commenting it out simply disables dojo's init, so any widgets, etc, never fully parse and set up, and therefore any problems in them do not reveal themselves.

The defect originator needs to update this defect with more information as to what their app is doing with dojo and what widgets it uses.

comment:13 Changed 11 years ago by James Burke

Resolution: invalid
Status: newclosed

jaredj: Thanks for doing this test. I am going to close this bug for now, but the original submitter can reopen with more information.

comment:14 Changed 11 years ago by Adam Peller

turned out to be a dup of #6603 for the record

comment:15 in reply to:  2 Changed 11 years ago by Lahiri

Replying to peller:

There have been other changes regarding javascript: urls too, I believe. Have you tried testing with the latest version of Dojo or at least 1.2.3?

We are using the dojo that came with Portal Server 6.1 which is version 1.1.1

Changed 11 years ago by lahiri

Attachment: Error_request_2.JPG added

Error Screen shot

comment:16 in reply to:  13 Changed 11 years ago by lahiri

Resolution: invalid
Status: closedreopened

Replying to jburke:

jaredj: Thanks for doing this test. I am going to close this bug for now, but the original submitter can reopen with more information.

Please find the attached screenshot which contains the URL which IE terms as an error url-http://:/ I removed the src=":" from dojo.js attribute and that Error URL is gone. Just for testing purpose I updated the dojo version to 1.3 from 1.1.1 which is shipped with Websphere Portal Server 6.1

comment:17 Changed 11 years ago by James Burke

Resolution: invalid
Status: reopenedclosed

lahiri: it looks from that screenshot that you are using HTTPWatch to watch the network traffic. That particular tool seems to catch network requests before they leave the browser, and what you are seeing is a lower level error report. However that error report is not bubbled up to the JavaScript? layer, so it should not be the source of the problem.

As Jared mentioned in a previous comment, by removing that src=":", you are effectively stopping dojo from initializing correctly, and the error is probably related to something that initializes as part of the dojo initialization step, probably as part of a dojo.addOnLoad callback. So it does not really solve the problem, and you are likely to hit subtle issues because dojo is not fully initialized.

The best thing to do is to isolate code that calls dojo.addOnLoad() to see which initialization block might be the source of the real error. I would start with the non-dojo/dijit/dojox addOnLoad calls first. Note that Jared tried a similar test over SSL without removing the src=":" line and all of the dijit tests he tried worked. Feel free to reopen this ticket and post more info if you isolate the dojo.addOnLoad call that might trigger the error.

Note: See TracTickets for help on using tickets.