IE (Internet Explorer) has tried to strengthen web browsing security in order to shed the perception that it is an insecure web browser compared with other browsers such as Firefox, Safari, Opera, and Chrome. As a result, various security-related messages pop up now and then when browsing the Internet with IE. One of them is the security warning for web pages that contain mixed content, where content served securely (via HTTPS, encrypted by SSL) and content served over a non-secure connection (via HTTP) are displayed together.
In versions prior to IE9, such as IE7 and IE8, the following pop-up message is displayed when IE encounters web pages with mixed content:
Do you want to view only the webpage content that was delivered securely?
This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage.
The end user has 3 options: “More Info”, which opens a help window explaining secure connections and mixed content; “Yes”, which blocks non-secure content on the web page; and “No”, which displays the mixed content, that is, elements delivered through both secure and non-secure web server connections.
In IE9, the message is shortened to just the following on a yellow bar at the bottom of the browser:
Only secure content is displayed.
End users can click “What’s the risk?”, which opens a Help window; click the “Show all content” button to force IE to show both secure and non-secure elements; or simply ignore the notification and click “X” to close it.
By default, IE prior to IE9 prompts for a choice when visiting websites with mixed content because, on a web page served via a secure HTTPS connection, the existence of non-secure content transmitted via an HTTP connection may mean that the website has been hacked or hijacked and planted with malicious code. In addition, script on the non-secure web page can potentially access information from the secure content. From IE9 onwards, IE defaults to displaying only secure content, unless the user explicitly clicks the “Show all content” button.
Nonetheless, most of the time mixed content occurs because a supposedly secure website displays externally hosted content that is not secure, such as advertisements, images, audio or video.
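The mixed content described above can be located by listing the subresources that an HTTPS page requests over plain HTTP. This is an added example, not part of the original article; the tag table, its grouping into script-capable and display-only content, and the example.* URLs are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# tag -> (URL attribute, kind). The two kinds are this example's own grouping
# (an assumption): script-capable content can reach into the secure page.
SUBRESOURCES = {
    "script": ("src", "script-capable"), "iframe": ("src", "script-capable"),
    "link": ("href", "script-capable"), "object": ("data", "script-capable"),
    "img": ("src", "display-only"), "audio": ("src", "display-only"),
    "video": ("src", "display-only"), "source": ("src", "display-only"),
}

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr, kind = SUBRESOURCES.get(tag, (None, None))
        if attr is None or not attrs.get(attr):
            return
        # <link> is only treated as a subresource when it loads a stylesheet
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Resolve relative and protocol-relative URLs against the page URL
        target = urljoin(self.page_url, attrs[attr].strip())
        if urlparse(target).scheme == "http":
            self.findings.append((kind, tag, target))

def find_mixed_content(page_url, html):
    """Return insecure subresources; empty when the page itself is not HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample markup and URLs, not taken from any real site
SAMPLE_HTML = """<script src="http://ads.example.net/banner.js"></script>
<link rel="stylesheet" href="/static/site.css">
<img src="http://images.example.net/logo.png">
<img src="//cdn.example.net/photo.jpg">
<a href="http://www.example.org/">plain link, not a subresource</a>"""

if __name__ == "__main__":
    print(find_mixed_content("https://shop.example.com/cart", SAMPLE_HTML))
```

Relative and protocol-relative URLs inherit the page's HTTPS scheme and are not reported, and ordinary hyperlinks are ignored because they are not loaded into the page.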
IE does provide an option that can be configured to automatically display all content, both secure and non-secure, on web pages with mixed content. Here’s how to always display all mixed content in IE and suppress the warning message about secure and/or non-secure content.
- In Internet Explorer, go to Tools (click the gear icon or press Alt to reveal the menu bar) -> Internet Options.
  Alternative: Control Panel -> Network and Internet Connections (Windows XP) or Network and Internet (Windows Vista and Windows 7) -> Internet Options.
- Go to the Security tab.
- Select and highlight the Internet zone (if it’s not selected by default).
- Click the Custom level button under the “Security level for this zone” section.
- Under the “Miscellaneous” branch, locate the Display mixed content setting, and select the Enabled radio button.
- Click Yes when asked to confirm the change to the settings for this zone.
- Click OK to close the Internet Options dialog box.
After the change, IE will automatically display all secure and non-secure elements on a web page without warning.