Helping people with computers... one answer at a time.

"Secure and nonsecure" items is most often the result of bad web page design. As a user it's difficult to avoid without lowering your guard.

Can I get rid of the "This page contains both secure and nonsecure items" warning?

Not that I'm aware of, and not that I would want to. Not being notified is in fact a security risk when visiting sites you don't already know and trust. For the sites you do trust, the message results from bad site design on their part.

Update
Thank you to a few readers who posted a solution to avoiding the warning:

  • When you receive the error message, click Yes.

  • In Internet Explorer, go to Tools, Internet Options, click the Security tab; make sure that in "Select a zone..." window that Internet is selected.

  • Click Custom Level and scroll down about half way to "Display mixed content" in the Miscellaneous section.

  • Change it from Prompt to Enable.

  • Click OK, Yes, and OK. The change should take effect immediately.

Article C1951 - May 27, 2004 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

73 Comments
Greg Pilcher
May 27, 2004 10:41 PM

I apoligize, My question was not clear enough for you to give me the answer I needed. I may have forgotten to mention that this notice isnt when I surf, but when I am answering emails online. It is when I op;en the email in the webmail box at Earthlink, always the message opens up a new window, then that window always asks the same question:

Can I get rid of the "This page contains both secure and nonsecure items" warning? Not that I'm aware of, and not that I would want to. Not being notified is, in fact, a security risk when visiting sites you don't already know and trust. For the sites you do trust ... the message results from bad site design on their part.


Thank you very much for taking the time to answer. I just used Netscape Mail today, and I noticed that it is not giving me that message there. Thank you again.

Leo
May 30, 2004 4:23 PM

Greg: if you're reading your email via a web interface, then my comment still applies. Your Earthlink web interface appears to be showing both secure and nonsecure items at the same time. That's bad design on their part.

Rees
September 20, 2004 7:06 PM

Great question! I am using a site that hasn't been set up properly, and I get that annoying security message often!

I am posting the solution to the issue here. I always support giving people all the info there is, and just warn then that they are subverting a security option. Then the user can make their own decision.

There is a browser setting in IE6 to turn this off (not sure of earlier browsers). Check out Tools > Internet Options > Security > Custom Level > Miscellaneous > Display mixed content. By default its set to prompt, reset it to Enable.

Of course, there are other browsers out there .. Netscape (netscape.com) or Opera (opera.com) to name the two other most popular ones.

Peace,
Rees

Amy
October 7, 2004 10:39 AM

Hi,
On this issue, I am working on the development side of a website and I get this error very often on that website. I know it must be related to the bad design on the website. Could some tell me how to fix it? Your help is very much appreciated.
Amy.

Leo
October 8, 2004 6:48 PM

The typical design mistake is to pick up a graphic from a non-secure site. All graphics and other components need to come from the secure site.

Example: say http://example.com has a logo example.png. The secure site, https://store.example.com wants to use the same logo, and hence has an IMG tag that references http://example.com/example.png. Bingo ... non secure item on a secure site. Copy the logo to the secure site and load it from there.

Nikolay
November 15, 2004 2:43 AM

I had the same problem. It was caused by a missing src attribute in the IFRAME tag. When you set the src, make sure it points to a real file.

Hope this seves somebody's time :)

David
April 13, 2005 3:26 AM

1. Go to the top of your browser and click on Tools and select Internet Options.
2. Click on the Security tab
3. Click on the Custom Level button at the bottom
4. In that top box, scroll down to the Miscellaneous section (look for the Internet Explorer icons next to the topics) and find where it says "Display Mixed Content"
5. Click the Enable bubble to select that option
Disable--you will not see the message anymore, nor will the nonsecure items be displayed
Enable--you will not receive the message anymore, and the nonsecure items will be displayed on the page
Prompt--you will receive the message everytime a website has both secure and nonsecure items on it (this is the current setting in the browser that causes you to receive the message every time).
6. Once you have selected Enable, click on the OK button to close that window, and then click OK again to close the other window.
7. You may need to close your browser and then reopen it to see the changes take effect

DavidL
April 19, 2005 3:30 PM

That's all well and good, but as a developer, how can I tell which things are being picked up as non-secure so that I can correct the issue? I'm going over code from a previous developer and for the life of me I can't see any references to anything outside of our secure domain.

Leo
April 19, 2005 6:16 PM

Basically everything needs to be https ... something isn't. You might try firing up Firefox, and using the Web Developer extension ... it allows you to look at various bits of information including the paths of objects on the page.

Good luck!

leigh
July 11, 2005 8:08 AM

for developers:

from a secure site .i.e https:// - where you reference the codebase for macromedia change the codebase="http://download.macromedia.com/pub/shockwave...... to codebase="https://download.macromedia.com/pub/shockwave..... and this will sort the problem out

John
August 23, 2005 7:59 AM

My problem is that I keep getting the "This page contains both secure and nonsecure items" warning even though "Enable" IS checked in the "Miscellaneous" section of the Security tab of Internet Options. Can anyone tell me what further step I must take to get rid of the nuisance warning?

John
August 23, 2005 3:45 PM

Leo, I found the answer. I discovered that, on the Security tab in Internet Options, I had to make this configuration under "Restricted Sites" also, not just under "Internet" or "Trusted Sites." The problem occurred at games.com where I play Monopoly. I like your site. Very nice that one doesn't have to sign up or login to comment. Thank you very much.

Paul
August 29, 2005 1:02 AM

The problem is generally caused by an iframe on the page. iframes are used under popups to ensure that dropdowns don't paint over the popup (another IE bug).

Gaurav Nanda
September 19, 2005 12:49 PM

To stop getting this message, do the following :
1) Open the browser
2) Go to Tools->Internet Options
3) Click on the security tab.
4) Click on Custom Level
5) In this list, Look for " Display Mixed Content" and click on enable
6) Then look for "Launching programs and files in an IFRAME' and click on enable.
7) Click on OK and then OK again
8) Close all Internet explorer windows

Pat Gard
September 26, 2005 10:49 AM

Microsoft says this is a known issue and has issued a hotfix for it (I don't know if it works and it also requires some registry tweaking), but its only good for Windows XP, 2000, etc, and does not apply to Windows ME and before. Guess which OS I have.
I have enabled all the above mentioned and even enabled them in all the other zones and it still comes back.

Rob Macarthur
November 30, 2005 8:19 AM

I just set the "Display Mixed Content" to enabled for all zones : Internet, Intranet, Trusted and Restricted sites and the warning has gone.

Matthew
January 9, 2006 9:37 AM

Hi Leo,

I am a site developer. There are good reasons why there may be a mix of secure and unsecure elements within a page. For example, within a secure part of a site i developed, i have references to google maps, who - as far as i'm aware - do not offer a secure equivalent to their service (and even if they do, other services don't, so the argument prevails).

Even if you implement the the "brute force" method of segregating all secure information from insecure information (which may not make sense to the user), and then designating every page (of hundreds of pages) as secure or unsecure, you may still have users receive the "you are entering/leaving a secure page" type of message. If there is a not-"bad site design" that can get around this issue, i'm not aware of it.

And besides, users are already trusting me to properly handle their secure information. There are much easier ways for me to abuse that trust then to explicitly put links to unsecure services in my pages. This message is just a nuisance.

Marcio Lima
January 10, 2006 12:25 PM

Hi everybody..

I was facing the same problem mencioned above.

It was caused by an IFRAME I put on my page to have a DIV over a SELECT box. The problem was that my IFRAME didn't have a secure SRC target (actually, it was left blank ;p), so it is treated as a "nonsecure item".

I just could get free from that boring message by adding a SRC URL to the IFRAME.

I hope, it'll be useful!

Marcio Lima
[Email Address Removed]

Rag
February 8, 2006 11:15 AM

hey leo,
i have lost the microsoft word on my computer there is no sign of it how can i get it and i dont have the windows xp cd im in real trouble i need the word but i cant get it so plz can u help me.

Leo
February 8, 2006 11:19 AM

You'll probably need to reinstall Microsoft Office to get Microsoft Word back.

bob
February 14, 2006 1:24 PM

Thanks, Marcio. Not having a src was my problem. I added "blank.html" (nothing in the file except beginning and ending html tags) to the same folder as the file (so that it is within the secure site) and assigned the src attribute to it. Problem resolved!

Thanks also to Leo for the good site and solution.

Bob

Billy
February 23, 2006 8:32 AM

Frankly, this is a stupid warning. It scares users for no reason. There is nothing wrong with having secure and unsecure content on your page. The problem is when your url in the address bar is secure but the form your submitting is unsecure. That's when the warning should be displayed.

There is a very seldom chance that you need to secure images on you page. I.e. Why would you ever need to secure your logo? It doesn't make sense. There is no need to encrypt images, stylesheets, javascript.

Using ssl only encrypts your content as it's passing through the network. The reason why you would encrypt your content is because you don't want people to see it if they're sniffing. Yes, they won't see the content with their packet sniffer, however, that is not good enough. They can just take the url and paste it in the browser. In order for your content to be truely secure you need to develop some authentication system around it. So that if someone tries to access your content such as an image it will prompt them for authentication. Putting authentication on every image on your page is "stupid" unless every image has critical information.

This Internet Explorer feature vexes me.

Nakul
March 19, 2006 10:30 PM

Marcio,

I am facing similar problem, I have checked the IFRAME tag and its pointing to the correct SRC path. can you pls tell me what else or which other part of HTML is causing this error?

how can i get rid of those errors? And most important - I dont want to change any settings of my IE.

Thanks,
Nakul

Slonick
April 6, 2006 5:52 AM

Just add src="javascript:'';"

caro
April 18, 2006 1:37 AM

Hi Everyone !

Same problem... I use Javascript to change the Iframe URL :
Iframe.src = url; The url I get is for example : "index.php5?this=that". This is relative. Is it secure or not ? Can the problem come from this?
Please...
THX !

Caro

Caro
April 18, 2006 1:52 AM

oh, made mistake...
I use XSL to Transform XML into HTML. In my xsl stylesheet, I have : ""
I can't take off this line, so I'm not sure this is the reason... oh oh i'm lost...

caro
April 18, 2006 1:54 AM

Sorry : between the "" :
xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"

Davido
May 18, 2006 8:11 AM

"Tools" > "Internet Options". Select the "Content" tab. Click the "Disable" button under "Content Advisor".

Mark Bennett
June 1, 2006 7:16 PM

Easiest way is the following:

1. In your web browser go to Tools.
2. Select Internet Options from the drop down menu.
3. Click on the Security tab.
4. Click on the Web content zone you use to access the Site.
5. Click Custom level.
6. Scroll down to find the heading Miscellaneous.
7. Find the sub-heading Display Mixed Content.
8. Click Enable.
9. Click OK.
10. In response to ‘Are you sure you want to change the security settings for this zone?’ click Yes.
11. Click OK to close the Internet Options box.

Dooshkin
June 12, 2006 7:31 AM

Not sure if it's relevant. But my site was giving this error, until i'd made my 'include' folder run under SSL, as well as my main folder.
So, check the code insecure links, and then double check all folders in the website are using ssl.

servo lotis
September 21, 2006 9:08 AM

you can find a great guide here: http://www.wallpaperama.com/forums/windows-disable-this-page-contains-both-secure-and-nonsecure-items-t274.html

John Duke
November 8, 2006 7:55 PM

There is a really cool fix for this at http://www.htaccesselite.com/htaccess/fix-for-warning-page-contains-secure-and-nonsecure-items-vt129.html

Basically you can use mod_rewrite in an htaccess file to internally redirect https:// to http:// so that you can post https://x.com/image.gif to eliminate the warning message, but the server will internally request http://x.com/image.gif instead!

Greg
February 23, 2007 11:35 AM

Thanks Davido! Worked beautifully on the Google Sitemaps. Every page would bring up the prompt and was very annoying.

Ken
March 7, 2007 11:58 AM

Hi. Be sure to check your external stylesheets for non-secure references to images.

For example, we were using a stylesheet (with a https page) that loaded http://www.csun.edu/images/arrow.gif as a separator in a list. Changing that to ../images/arrow.gif made the annoying message go away in IE.

downhill
April 26, 2007 7:47 AM

The solution our company has entered into its FAQ is as follows --

CAUSE: The page you are attempting to view is a secured site (note the https in the URL prefix) but it contains unsecured data.

SOLUTION:
1. When you receive the error message, click Yes.
2. In Internet Explorer, go to Tools, Internet Options, Security tab; make sure that in Select a Web content zone... that Internet is selected.
3. Click Custom Level and scroll down about half way to Display mixed content in the Miscellaneous section.
4. Change it from Prompt to Enable.
5. Click OK, Yes, OK. The change should take effect immediately.

Adam
May 27, 2007 11:00 AM

This happens if you use secure google, https://mail.google.com/ but if you search the page, there are no "http://" connections present....so as someone pointed out, they must be linking to an "unsecure" image within one of their .js or .css files...

tfcc01
June 7, 2007 12:38 AM

Downhill - you are a star. Thanks mate. Worked perfectly.

Tomas
June 18, 2007 5:17 AM

Thank you downhill. Now I'll need double times less clicks.

timo
July 16, 2007 12:17 AM

great help, thank you downhill!

cresh
July 19, 2007 10:16 AM

Worked like a dream, Downhill, thanks.

Scott
August 30, 2007 10:32 PM

In the "Select a zone..." window select Internet and Trusted (Local if you wish). If you only select Internet, then sites you add to your Trusted list will still warn you that it is a security risk.

Me: Internet Explorer, I trust website [whatever].

Internet Explorer: OK. Hey this "trusted" site has mixed content, are you sure you want to display it?

Me: ...

Tralfaz
September 14, 2007 12:22 PM

Why not just select Disable? This is the setting I use and I have not noticed any problems. You can always change it back to enable if content is not displayed.

AjaxTrend
February 28, 2008 12:38 PM

How can I know which elements causes such warning. I have analyzed all elements in my page, and all elements in the page are access over https but still I get secured and nonsecure warning in IE6. I would appreciate if you can tell me some tool to analyze pages.

KC
March 8, 2008 2:48 PM

Hi,

I have experienced a security pop up on my website, each time I open a new page. Our site is over 1300 pages in size, this has caused some active members to vanish. What could I do to get rid of the SSL security error altogether, without having to ask each member to reconfigure their browser settings?

I read somewhere about the https:// verses using http:// I am very new to this sort of thing. I would like a very secure website, although can there be such a thing as too secure?

Thanks
If you don't respond, its okay.
If you can check out my website, I would pay, LOL. I'm really getting frustrated with this. Its one stop write shop. I will add a link there for your business when our resource page is up and running, too. If you don't mind, thank you.

PS. I read the rules, so if you cannot keep my comment up, its okay. Just needing some help with this issue before I go bazerk. href="http://www.onestopwriteshop.com">http://www.onestopwriteshop.com

Kat
May 13, 2008 8:43 PM

Jane's comment (probably above mine), caught my eye because the same thing's been happening when I go to login at yahoo.

It's really annoying, and I thought it was just me. Apparently not!
Nice to know why it's happening now, though.

Simple
May 23, 2008 8:01 AM

What I do not understand is how a site like Amazon.com can have both http:// and https:// links on a https:// page.
When you go to their Sign In page you are brought to a secure page but the links surrounding the sign-in form are http:// can someone explain how this is done without that secure/unsecure items popup appearing? Thx.

don
June 13, 2008 9:52 AM

I get this (I think) because of a Flash element that I have placed on the page. The codebase URLs are http; not sure yet if there is a secure site to DL these codebases.

John Hoffmann
June 18, 2008 1:51 PM

Hi,

SOLVED?!?!

Long story short, to eliminate, as a user, that annoying 'secure or non-secured' popup make sure to ENABLE ALL four occurences of Display Mixed Content, i.e.: Internet, Local Intranet, Trusted Sites, Restricted Sites.

Worked like a charm.

Good luck.

JHH

anonymous man
July 17, 2008 8:01 AM

I'm not an expert on this, but basically, if you pages pull non http content such as an image or a script, that error message will pop up.

Basically, just ensure images don't have full paths such as (img src="http://somepath.gif"> and scripts aren't included such as .

Instead, replace all paths with relatives ones. This means they will adopt whichever http protocol currently in use. If, you have to specify a full path, try using https. However, keep in mind there will be advanced reason you will have to learn about why this may or may not work.

There may also be other nonsecure elements I'm not thinking on your pages that might cause the popup.

Best of luck.

Mike Blevins
August 13, 2008 4:16 PM

"This page contains both secure and nonsecure items" THANK you! This worked EXACTLY as the article described. And it was immediate. I opened a tab and surfed to a site I use MANY times daily where I got that inane prompt. I did not get it after following the aritcle simple steps. ALL "fixes" should be this easy and this effective!

Just-a-guy
August 19, 2008 5:07 PM

After reading the comments, I realized what
was causing the problem. I am testing a new
page on a secure web site. But I left my
base anchor specification to point to a file on
my local "C" drive.

By changing my new page's HREF in the element to point back to the website I was able to eliminate the nagging messages.

I have references to both HTTP and HTTPS on my
web page, all going back to the original website.
It does not cause that nagging message. It probably (among other causes) occurs if the page has a reference is to some location outside of the website from which the origianl page comes.

Wallace Woodard
December 30, 2008 7:48 AM

I tried all of the client side settings for Internet Explorer in these articles and none of it worked. What did fix the problem was re-creating the user's profile on the machine. I realized this after logging myself into the workstation and let the user login to the sites that were getting the error and the error did not re-occur

D Hickman
March 9, 2009 8:44 PM

I tried the readers' suggestion to change the 'mixed content' setting. It worked great! Thanks - this has been a nuisance with that annoying message on Amazon.

Simon
March 16, 2009 5:20 AM

I agree with the developer in that sometimes this is unavoidable and not necessarily bad design. This happens with google maps for me too.

To resolve in IE7 with google maps issue, I have added both the main site AND the "nonsecure" site to trusted zones, and set the option appropriately.

This means my trusted zones contains

https://mydomain/
http://maps.google.com/

This means unchecking the "sites in this zone require https" option.

Tom
March 24, 2009 2:32 PM

Doesn't work in IE 6.0.3790 - happens for me with a site that is in a Trusted zone, and for Trusted Sites, showing Mixed Content is already set to "Enable" (I checked). Need another theory.

Ian Wright
June 16, 2009 9:19 PM

Ok, I am receiving the same dreaded message however as we are affliated with the Government, our Internet Security settings have been disabled. Now I have checked all through the source code (HTML, CSS and Javascript files) and all references to items are either relative or if they are absolute, they are https://.....

Any suggestions? Please

Anneline
September 28, 2009 3:19 AM

Yes, in Internet Explorer the security tab is blocked and I cannot change any settings. What am I to do next?

Vikram Reddy Tummala
October 30, 2009 8:17 AM

Hi All,
I was able to get rid of the problem. Following are my comments or suggestions on this -
1. If at all you are including other jsp, js, images and css files, do not specify the full URL like "http:\\ ... ". Try giving the relative path / context path.
2. If you are using IFRAME, donot miss to specify SRC attribute or leaving it empty. Give some blank page url atleast or hide it in the page.
3. Changing the IE Settings to eliminate the alert does help, but this is not a correct solution. Client may come back and say he is not ready to do this. And more over what if the application is being used by 1000+ users. You cannot just shoot an email to all and because of these settings, they cannot view alerts from other secured sites too.

Arunangshu Sarkar
November 20, 2009 11:05 AM

How can i make disable this messages by programming in VB.NET.

elfsoup
November 26, 2009 8:54 AM

If you are using flash on your site make sure you change http to https in the adobe plugin line.

jeff weidner
January 3, 2010 10:42 AM

1) Open Internet Explorer

2) Click on Tools

3) Click on Internet Options

4) Click on the Security Tab

5) Click on the Custom Level button

6) Under the Miscellaneous section look for "Display Mixed Content"

7) Click on Disable for Display Mixed Content instead of Prompt

8) Click on OK twice

9) Close Internet Explorer and reopen

10) Open the webpage that was displaying the warning message, the message should not appear now.

http://www.pchell.com/support/secureandnonsecurewarning.shtml

paul
January 6, 2010 1:38 PM

it doesnt work. on ebay i get it constantly no matter whether its enabled or disabled. i just cant get rid of the bloody message. im not pc literate enuf to really sort out how tos ive seen other than the one on here and it doesnt work. im sick to death of the bloody message

Ramakrishnan
February 4, 2010 11:30 AM

The article provides a very detailed and very good solution and it worked for me.. Its really awesome.. i really want to appreciate the people who own this website and whoever contributed to this article

John
February 8, 2010 10:11 AM

If the site that is giving you this message is a site you trust, then you can add the site to your trusted sites. Once it is added to the trusted sites, you can then make the recommended modification to your security settings, but do it for trusted sites instead of for the entire internet.

Just a suggestion that may help get rid of an annoyance, and keep you a bit safer while surfing.

James
April 2, 2010 6:37 AM

websites should not have this problem if the all images and javascript files url starts with https instead of http. this took me weeks to fix on my australia gift site. have a look at my checkout and cart pages

Mihaly
August 13, 2010 3:33 AM

This hint does not help in IE6 with local intranet page.

da808wiz
December 1, 2010 2:06 PM

what I do is capture the prefix of the current browser url up to the last slash, and everywhere where the url() image is specified in javascript, I place the prefix.

example:

var prefix = location.href.substring(0,location.href.lastIndexOf("/")+1); // prefix is to remove ssl warning contains nonsecure items.

cell.innerHTML = ""

The prefix has to be used everywhere. I mean EVERYWHERE a dynamic item is created using javascript and specifying the url() to an image.

da808wiz
December 1, 2010 2:11 PM

looks like the cell.innerHTML content was stripped.

trying with lt and gt:

cell.innerHTML = "<input type=\"button\" style=\"background:url("+prefix+"images/fancybutton.jpg)\">";

DesertSkunk
April 17, 2011 12:32 PM

Thank You, Thank You, Thank You!!!!! This warning has been driving me nuts! Apparently the setting was changed by an IE8 Upgrade? as I just started getting them from sites that I had no problem accessing in the past. Just make sure you scroll down to the " Display mixed content " section before making the change. Worked like a charm Appreciate the help.

Stu
June 1, 2011 2:27 PM

Many thanks for that tip, works brilliantly. Yahoo have messed up their home page and for days i got that error message and had to keep clicking to get rid of it. Your instructions have stopped this and stopped me getting annoyed. Many thanks

Sunny
January 29, 2012 11:30 AM

Doesn't work even has error

check below;
Webpage error details


Message: 'cell' is undefined
Line: 426
Char: 1
Code: 0

blessie
June 26, 2012 12:33 AM

nice this is very helpful! :)

Christopher
September 5, 2012 7:21 AM

If I may: That's an insecure change to make to your Internet Zone, but if it occurs for one or a few sites (like Salesforce.com in my case) move '*.theneededoffendingsite.com' into Trusted Sites first. Then, make the Display Mixed Content change to Enable in Trusted Sites. That leaves the policy in place for the great unwashed interwebs.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.