Slider Security Problem

ceottaki · November 28, 2012, 5:08pm

I’m using the slider in a website that is served through HTTPS and Internet Explorer throws the following message when the page is loaded:

“Do you want to view only the webpage content that was delivered securely?”

Removing the slider sorts the issue out. I’ve been going through the JS code, specially in dhtmlxcommon.js and I managed to remove all calls to XMLHttpRequest and to the ActiveX objects, which were likely to cause this issue, but I’m still with no luck.

Any ideas?

Thanks!

Darya · November 29, 2012, 10:03am

Could you provide us a direct link to your project with slider?

ceottaki · November 29, 2012, 3:47pm

I’m sorry, I can’t, that hasn’t been published yet and even if it had, it’s an internal part of my employer’s website, accessible only with a login.

Darya · November 29, 2012, 3:55pm

So, what kind of initialization script can you provide us to reproduce your issue?

ceottaki · November 29, 2012, 4:36pm

This is a simplified version of the page (please bear in mind that I’ve added all JS directly to the page here but everything is actually in separate JS files):

<html>

<head>
    <link rel="STYLESHEET" type="text/css" href="Scripts/dhtmlxSlider/codebase/dhtmlxslider.css" />
    <script type="text/javascript" src="Scripts/jquery-1.8.0.min.js"></script>
</head>

<body>
    <script type="text/javascript">
    window.dhx_globalImgPath = "Scripts/dhtmlxSlider/codebase/imgs/";
    </script>
    <script type="text/javascript" src="Scripts/dhtmlxSlider/codebase/dhtmlxcommon.js"></script>
    <script type="text/javascript" src="Scripts/dhtmlxSlider/codebase/dhtmlxslider.js"></script>
    <script type="text/javascript" src="Scripts/dhtmlxSlider/codebase/ext/dhtmlxslider_start.js"></script>

    <div id="pcSlider"></div>

    <script type="text/javascript">
    function SliderValueChanged(pos, slider) {
        // doing some calculations here based on the position of the slider.
    }

    var slider = new dhtmlxSlider("pcSlider", 735, null, null, 0, maxChargeRatio, 0, 0.01);
    slider.attachEvent("onChange", SliderValueChanged);
    slider.init();
    slider.setValue(0);
    </script>
</body>

</html>

This simple page, served under HTTPS, gives me that error on IE (and IE only, I’ve tested Chrome, Safari and Firefox and they don’t have a problem with it).

Thanks!

ceottaki · November 29, 2012, 4:42pm

Sorry, the code in the previous post had an undeclared variable. This one has been corrected:

<html>

<head>
    <link rel="STYLESHEET" type="text/css" href="Scripts/dhtmlxSlider/codebase/dhtmlxslider.css" />
    <script type="text/javascript" src="Scripts/jquery-1.8.0.min.js"></script>
</head>

<body>
    <script type="text/javascript">
    window.dhx_globalImgPath = "Scripts/dhtmlxSlider/codebase/imgs/";
    </script>
    <script type="text/javascript" src="Scripts/dhtmlxSlider/codebase/dhtmlxcommon.js"></script>
    <script type="text/javascript" src="Scripts/dhtmlxSlider/codebase/dhtmlxslider.js"></script>
    <script type="text/javascript" src="Scripts/dhtmlxSlider/codebase/ext/dhtmlxslider_start.js"></script>

    <div id="pcSlider"></div>

    <script type="text/javascript">
    function SliderValueChanged(pos, slider) {
        // doing some calculations here based on the position of the slider.
    }

    var slider = new dhtmlxSlider("pcSlider", 735, null, null, 0, 5, 0, 0.01);
    slider.attachEvent("onChange", SliderValueChanged);
    slider.init();
    slider.setValue(0);
    </script>
</body>

</html>

Darya · November 29, 2012, 4:57pm

I made a sample based on your code - it works fine in IE.
12.11.28.rar (39.6 KB)

ceottaki · November 29, 2012, 8:59pm

It works in IE, but if the page is served through a certificate with SSL and HTTPS, a security warning is displayed (at least with IE 8). I would like to get rid of that warning… Did you try it over HTTPS?

Thanks again.

Alexandra · December 3, 2012, 2:26pm

Does the problem occur when you open Darya’s sample in browser ? We have tested the demo in IE6, IE7 and IE8 - the problem does not occur.

Did you try it over HTTPS?

Yes, we did run it like https:// …

ceottaki · December 3, 2012, 5:35pm

Yes, it does occur with the code sent by Darya, I’m afraid to say.
I will try to provide you with a live page so you can see it, I’ll post again tomorrow.

Thank you.

ceottaki · December 6, 2012, 9:40am

Figured it out!

The problem wasn’t really happening with the code Darya had sent, it was happening to me because I had always added code to set the skin in there before trying it. I finally tried without the skin and that worked.

So the problem was that the image for the skin I was using wasn’t being loaded with HTTPS, because of the line window.dhx_globalImgPath = “dhtmlxSlider/codebase/imgs/”;

Changing it to something like window.dhx_globalImgPath = “https://myhost/dhtmlxSlider/codebase/imgs/”; fixed the problem.

A more generic approach that would always use the correct protocol would be:

var baseLocation = window.location.protocol + "//" + window.location.hostname + "/";
for (i = 0; i < window.location.pathname.split("/").length - 1; i++) {
    if (window.location.pathname.split("/")[i].length != 0) {
        baseLocation += window.location.pathname.split("/")[i] + "/";
    }
}
window.dhx_globalImgPath = baseLocation + "dhtmlxSlider/codebase/imgs/";

Thanks for all your help.