Dojo Encoding with IE and SSL

My application uses Dojo 1.1.1 on the site for SSL only. It currently uses dijit.ProgressBar and dijit.form.DateTextBox.

Everything works amazingly in Firefox 2 and 3, but as soon as I try the same scripts in IE7, the result is the annoying Security Information dialog:

This page contains both safe and insecure items. Do you want to display insecure items?

I looked at the page for any link other than HTTPS to no avail. This seems to be something special for dojo.js. It uses an iframe failure where src was set to nothing, but now it is fixed (when viewing the source).

Does anyone else have this problem? What are the best methods to get Dojo to play well with IE on an SSL enabled web server?

+6
javascript internet-explorer ssl dojo
3 answers

After viewing the JavaScript source code for Dijit, I thought that most likely the error was due to an "unsafe" rejection of the dynamically generated IFRAME. Note that there are two versions of the script file: the uncompressed one represents the original source (dijit.js.uncompressed.js), and the standard one (dijit.js) is compressed for optimal transfer time.

Since the uncompressed version is the most readable, I will describe my solution based on this. On line # 1023, the IFRAME is displayed in JavaScript:

    if(dojo.isIE){
        var html="<iframe src='javascript:\"\"'"
            + " style='position: absolute; left: 0px; top: 0px;"
            + "z-index: -1; filter:Alpha(Opacity=\"0\");'>";
        iframe = dojo.doc.createElement(html);
    }else{...

What is the problem? IE does not know if src for IFRAME is "safe", so I replaced it with the following:

    if(dojo.isIE){
        var html="<iframe src='javascript:void(0);'"
            + " style='position: absolute; left: 0px; top: 0px;"
            + "z-index: -1; filter:Alpha(Opacity=\"0\");'>";
        iframe = dojo.doc.createElement(html);
    }else{...

This is the most common issue with JavaScript and SSL tools in IE. Since IFRAMEs are used as spacers due to poor DIV overlay support, this problem is extremely common.

My first reloads of 5-10 pages are fine, but then a security error reappears. How is this possible? The same page is "secure" for 5 reloads, and then it is selected by IE as "unsafe" when loading for the 6th time.

As it turned out, there is also a background image that is set in the onload event for dijit.wai (line # 1325). It reads something like this:

    div.style.cssText = 'border: 1px solid;'
        + 'border-color:red green;'
        + 'position: absolute;'
        + 'height: 5px;'
        + 'top: -999px;'
        + 'background-image: url("' + dojo.moduleUrl("dojo", "resources/blank.gif") + '");';

This will not work because the background-image tag does not contain HTTP. Despite the fact that the location is relative, IE7 does not know if it is protected, so a warning is issued.

In this particular case, this CSS is used to check for accessibility (A11y) in Dojo. Since this is not what my application will support, and since there are other common error problems with this method, I decided to remove everything in onload() for dijit.wai.

Things are good! No sporadic security issues when loading the page.

+9

If your page downloads files from a URL other than https, Firefox should tell you the same thing. Instead of an error, the lock symbol at the bottom (in the status bar) should be crossed out. Are you sure this is not so?

If you see a symbol, click on it and check which files are “insecure”.

+1

If you use a CDN, you can enable all modules using HTTPS, as shown here.

    <script type="text/javascript">
    djConfig = {
        modulePaths: {
            "dojo": "https://ajax.googleapis.com/ajax/libs/dojo/1.3.2/dojo",
            "dijit": "https://ajax.googleapis.com/ajax/libs/dojo/1.3.2/dijit",
            "dojox": "https://ajax.googleapis.com/ajax/libs/dojo/1.3.2/dojox"
        }
    };
    </script>
    <script src="https://ajax.googleapis.com/ajax/libs/dojo/1.3.2/dojo/dojo.xd.js" type="text/javascript"></script>

You can test different versions if you want. Currently, the latest is 1.6.1.

+1
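
The triggers named in this thread (an iframe with no src, the `javascript:""` src that the first answer replaced, and resources referenced over plain `http://`) can be searched for in page and script source before deployment. The scan below is an added example, not code from the posts or from Dojo; the function name, the finding labels and the sample input are constructed for illustration, and the patterns are heuristics.

```javascript
// Heuristic scan of HTML or JavaScript text for the mixed-content triggers
// discussed in this thread. Added example; names and labels are hypothetical.
function findMixedContentTriggers(source) {
  const findings = [];
  const lineOf = (index) => source.slice(0, index).split("\n").length;

  // 1. <iframe> tags, including ones built inside JS string literals.
  for (const m of source.matchAll(/<iframe\b[^>]*/gi)) {
    const attr = /\bsrc\s*=\s*\\?(?:'([^']*)'|"([^"]*)")/i.exec(m[0]);
    // Drop backslash escapes so src='javascript:\"\"' reads as javascript:""
    const src = attr ? (attr[1] ?? attr[2]).replace(/\\/g, "").trim() : null;
    if (src === null || src === "") {
      findings.push({ line: lineOf(m.index), kind: "iframe-without-src" });
    } else if (/^javascript:\s*(""|'')\s*;?$/i.test(src)) {
      findings.push({ line: lineOf(m.index), kind: "iframe-empty-script-src" });
    }
  }

  // 2. Resources fetched over plain HTTP through src= or CSS url(...).
  const httpRef = /(?:\bsrc\s*=\s*\\?["']|\burl\(\s*\\?["']?)http:\/\/[^\s"')\\]+/gi;
  for (const m of source.matchAll(httpRef)) {
    findings.push({ line: lineOf(m.index), kind: "http-resource" });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: one source line per array entry.
const sample = [
  `var html = "<iframe src='javascript:\\"\\"' style='z-index: -1;'>";`,
  `var fixed = "<iframe src='javascript:void(0);' style='z-index: -1;'>";`,
  `<iframe id="shim"></iframe>`,
  `<script src="http://example.com/dojo/dojo.js"></script>`,
  `<script src="https://example.com/dojo/dojo.js"></script>`,
  `div.style.cssText = 'background-image: url("http://example.com/blank.gif");';`
].join("\n");

console.log(findMixedContentTriggers(sample));
```

Anchor links (`href`) are deliberately not matched, since following a link does not load content into the secure page.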