You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@myfaces.apache.org by Je...@go.com.mt on 2006/04/25 16:04:40 UTC
Tomahawk popup over HTTPS
Hi all,
I have a myfaces site which I am serving over HTTPS. On the site I am
making use of the tomahawk popup component to popup a panel when the user
moves his mouse over an image. The problem is that in Internet Explorer
when you move the mouse over the image, just before the popup comes up, IE
shows a warning saying "This page contains both secure and nonsecure
items. Do you want to display the nonsecure items?". As far as I can see
answering both Yes and No has no effect on the resultant behaviour of the
popup.
Does anyone know why this is happening? My current guess is that for some
reason IE tries to retrieve the required javascript (JSPopup.js) over http
rather than https. Looking at the page source generated by myfaces there
is a script tag pointing to this file. However, the path is relative and
the protocol is not specified. Hence my suspecting that IE uses HTTP,
hence the warning.
Is my diagnosis correct? If so, how can I force IE to use HTTPS? If this
is not the reason, anyone has better ideas?
Note that the issue does not occur on Firefox.
Thanks alot
Jean
Re: Tomahawk popup over HTTPS
Posted by Andrew Robinson <an...@gmail.com>.
Okay, here is the work around for this issue (note that if the popup
hovers over an IE SELECT control, it will have the incorrect z-index
due to a bug in IE <= 6):
<body onload="window['orgApacheMyfacesPopupfixIE'] = function() {}">
This will turn off the IE "hack". Since an IFRAME will not be used,
there will no longer be the warning of insecure items.
-Andrew
On 5/28/06, Andrew Robinson <an...@gmail.com> wrote:
> I was looking into this a bit further to see if I could pinpoint the
> cause and it looks as if the problem is a result of the creation of an
> IFRAME in the "orgApacheMyfacesPopupfixIE" JavaScript function.
>
> What is the purpose of creating an IFRAME in IE? Is it because of IE's
> SELECT z-index bug or is there another reason. It seems the side
> affect is worse for HTTPS pages (for every page that has the control -
> when the popup is shown - the user is asked if they want to allow
> unsecure items to be displayed).
>
> Before I go and remove this call in JS for my own environment I wanted
> to know the rational behind it.
>
> Thanks,
> Andrew
>
> On 4/27/06, Andrew Robinson <an...@gmail.com> wrote:
> > I don't think that the popup asks the server for anything. The HTML
> > comes from javascript and the document.write method (which I opened a
> > JIRA issue on). IE may not be liking the document.write being used in
> > a secure page after the page has been finished loading. I cannot say
> > for sure at all, but it would not surprise me.
> >
> > I opened JIRA so that document.write can be removed. document.write
> > does not work with AJAX well at all and XHTML specification has
> > removed that method, so it should not be used.
> >
> > Perhaps if the popup doesn't use this anymore the issue will go away.
> >
> > On 4/27/06, JeanClaude.Pace@go.com.mt <Je...@go.com.mt> wrote:
> > >
> > > To be honest I wouldn't like to introduce an extra library for such simple
> > > functionality. I considered doing away with the tooltip component but using
> > > the title attribute or the alt attribute. Unfortunately Firefox doesn't
> > > display the alt text and it truncates the title text.
> > >
> > > So the popup doesn't work well on Explorer while title/alt don't work well
> > > on Firefox... :-(
> > >
> > > Strangely I was examining the requests sent by Explorer over the network
> > > when using the popup and I could spot no requests that were sent over HTTP
> > > (not S). In this sense, I can't see why Explorer is complaining...
> > >
> > > Jean
> > >
> > >
> > > "Gilles DEMARTY" <gi...@gmail.com> wrote on 27/04/2006 10:19:38:
> > >
> > >
> > > > > In shorter terms, is there any reason why the Tomahawk Popup would
> > > > cause data to be passed over HTTP when it is used on a site which is
> > > > served over HTTPS? Is there any workaround/solution?
> > > > >
> > > >
> > > > Hi Jean,
> > > >
> > > > Got the same issue here. No workaround found until now.
> > > > Maybe it's worth a JIRA ticket.
> > > >
> > > > By the way, it could be interesting to use DOJO 'Tooltip' widget to
> > > > render the popup ?
> > > >
> > > > > Thanks
> > > > >
> > > > > Jean
> > > > >
> > > > >
> > > > >
> > >
> > >
> >
>
Re: Tomahawk popup over HTTPS
Posted by Andrew Robinson <an...@gmail.com>.
I was looking into this a bit further to see if I could pinpoint the
cause and it looks as if the problem is a result of the creation of an
IFRAME in the "orgApacheMyfacesPopupfixIE" JavaScript function.
What is the purpose of creating an IFRAME in IE? Is it because of IE's
SELECT z-index bug or is there another reason. It seems the side
affect is worse for HTTPS pages (for every page that has the control -
when the popup is shown - the user is asked if they want to allow
unsecure items to be displayed).
Before I go and remove this call in JS for my own environment I wanted
to know the rational behind it.
Thanks,
Andrew
On 4/27/06, Andrew Robinson <an...@gmail.com> wrote:
> I don't think that the popup asks the server for anything. The HTML
> comes from javascript and the document.write method (which I opened a
> JIRA issue on). IE may not be liking the document.write being used in
> a secure page after the page has been finished loading. I cannot say
> for sure at all, but it would not surprise me.
>
> I opened JIRA so that document.write can be removed. document.write
> does not work with AJAX well at all and XHTML specification has
> removed that method, so it should not be used.
>
> Perhaps if the popup doesn't use this anymore the issue will go away.
>
> On 4/27/06, JeanClaude.Pace@go.com.mt <Je...@go.com.mt> wrote:
> >
> > To be honest I wouldn't like to introduce an extra library for such simple
> > functionality. I considered doing away with the tooltip component but using
> > the title attribute or the alt attribute. Unfortunately Firefox doesn't
> > display the alt text and it truncates the title text.
> >
> > So the popup doesn't work well on Explorer while title/alt don't work well
> > on Firefox... :-(
> >
> > Strangely I was examining the requests sent by Explorer over the network
> > when using the popup and I could spot no requests that were sent over HTTP
> > (not S). In this sense, I can't see why Explorer is complaining...
> >
> > Jean
> >
> >
> > "Gilles DEMARTY" <gi...@gmail.com> wrote on 27/04/2006 10:19:38:
> >
> >
> > > > In shorter terms, is there any reason why the Tomahawk Popup would
> > > cause data to be passed over HTTP when it is used on a site which is
> > > served over HTTPS? Is there any workaround/solution?
> > > >
> > >
> > > Hi Jean,
> > >
> > > Got the same issue here. No workaround found until now.
> > > Maybe it's worth a JIRA ticket.
> > >
> > > By the way, it could be interesting to use DOJO 'Tooltip' widget to
> > > render the popup ?
> > >
> > > > Thanks
> > > >
> > > > Jean
> > > >
> > > >
> > > >
> >
> >
>
Re: Tomahawk popup over HTTPS
Posted by Andrew Robinson <an...@gmail.com>.
I don't think that the popup asks the server for anything. The HTML
comes from javascript and the document.write method (which I opened a
JIRA issue on). IE may not be liking the document.write being used in
a secure page after the page has been finished loading. I cannot say
for sure at all, but it would not surprise me.
I opened JIRA so that document.write can be removed. document.write
does not work with AJAX well at all and XHTML specification has
removed that method, so it should not be used.
Perhaps if the popup doesn't use this anymore the issue will go away.
On 4/27/06, JeanClaude.Pace@go.com.mt <Je...@go.com.mt> wrote:
>
> To be honest I wouldn't like to introduce an extra library for such simple
> functionality. I considered doing away with the tooltip component but using
> the title attribute or the alt attribute. Unfortunately Firefox doesn't
> display the alt text and it truncates the title text.
>
> So the popup doesn't work well on Explorer while title/alt don't work well
> on Firefox... :-(
>
> Strangely I was examining the requests sent by Explorer over the network
> when using the popup and I could spot no requests that were sent over HTTP
> (not S). In this sense, I can't see why Explorer is complaining...
>
> Jean
>
>
> "Gilles DEMARTY" <gi...@gmail.com> wrote on 27/04/2006 10:19:38:
>
>
> > > In shorter terms, is there any reason why the Tomahawk Popup would
> > cause data to be passed over HTTP when it is used on a site which is
> > served over HTTPS? Is there any workaround/solution?
> > >
> >
> > Hi Jean,
> >
> > Got the same issue here. No workaround found until now.
> > Maybe it's worth a JIRA ticket.
> >
> > By the way, it could be interesting to use DOJO 'Tooltip' widget to
> > render the popup ?
> >
> > > Thanks
> > >
> > > Jean
> > >
> > >
> > >
>
>
Re: Tomahawk popup over HTTPS
Posted by Je...@go.com.mt.
To be honest I wouldn't like to introduce an extra library for such simple
functionality. I considered doing away with the tooltip component but
using the title attribute or the alt attribute. Unfortunately Firefox
doesn't display the alt text and it truncates the title text.
So the popup doesn't work well on Explorer while title/alt don't work well
on Firefox... :-(
Strangely I was examining the requests sent by Explorer over the network
when using the popup and I could spot no requests that were sent over HTTP
(not S). In this sense, I can't see why Explorer is complaining...
Jean
"Gilles DEMARTY" <gi...@gmail.com> wrote on 27/04/2006 10:19:38:
> > In shorter terms, is there any reason why the Tomahawk Popup would
> cause data to be passed over HTTP when it is used on a site which is
> served over HTTPS? Is there any workaround/solution?
> >
>
> Hi Jean,
>
> Got the same issue here. No workaround found until now.
> Maybe it's worth a JIRA ticket.
>
> By the way, it could be interesting to use DOJO 'Tooltip' widget to
> render the popup ?
>
> > Thanks
> >
> > Jean
> >
> >
> >
Re: Tomahawk popup over HTTPS
Posted by Gilles DEMARTY <gi...@gmail.com>.
> In shorter terms, is there any reason why the Tomahawk Popup would cause data to be passed over HTTP when it is used on a site which is served over HTTPS? Is there any workaround/solution?
>
Hi Jean,
Got the same issue here. No workaround found until now.
Maybe it's worth a JIRA ticket.
By the way, it could be interesting to use DOJO 'Tooltip' widget to
render the popup ?
> Thanks
>
> Jean
>
>
>
Re: Tomahawk popup over HTTPS
Posted by Je...@go.com.mt.
In shorter terms, is there any reason why the Tomahawk Popup would cause
data to be passed over HTTP when it is used on a site which is served over
HTTPS? Is there any workaround/solution?
Thanks
Jean
JeanClaude.Pace@go.com.mt
25/04/2006 16:04
Please respond to
"MyFaces Discussion" <us...@myfaces.apache.org>
To
users@myfaces.apache.org
cc
Subject
Tomahawk popup over HTTPS
Hi all,
I have a myfaces site which I am serving over HTTPS. On the site I am
making use of the tomahawk popup component to popup a panel when the user
moves his mouse over an image. The problem is that in Internet Explorer
when you move the mouse over the image, just before the popup comes up, IE
shows a warning saying "This page contains both secure and nonsecure
items. Do you want to display the nonsecure items?". As far as I can see
answering both Yes and No has no effect on the resultant behaviour of the
popup.
Does anyone know why this is happening? My current guess is that for some
reason IE tries to retrieve the required javascript (JSPopup.js) over http
rather than https. Looking at the page source generated by myfaces there
is a script tag pointing to this file. However, the path is relative and
the protocol is not specified. Hence my suspecting that IE uses HTTP,
hence the warning.
Is my diagnosis correct? If so, how can I force IE to use HTTPS? If this
is not the reason, anyone has better ideas?
Note that the issue does not occur on Firefox.
Thanks alot
Jean