Stop the "page contains secure and nonsecure items" warning

Are your SSL web pages plagued by the browser warning "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"


This is a common error that occurs when some element on a secure web page (one that is loaded with https:// in the address bar) is not being loaded from a secure source. This usually occurs with images, frames, iframes, Flash, and JavaScript files. If you are having trouble finding which elements are loading from http instead of https, try WhyNoPadLock.com. Once you have found the elements, there are a few ways to fix them:

1. Change all URLs to https

Just open the offending web page and search for http://. Change the references on all images, iframes, Flash, and JavaScript files to https://. For example:

<img src="https://www.domain.com/image.gif" alt="" />

This may not work if you are loading an image from another site that does not have SSL set up. Also, with this method you'll be loading SSL images even when the client is loading from a non-secure page. This will add extra processing load on the server and client. This is definitely not recommended for a high-volume site.

2. Change all links to // or make them relative

Rather than changing all the links to https://, change them to just //

<img src="//www.domain.com/image.gif" alt="" />

Alternatively, if the images or scripts are located on the same domain, you can access them relatively, rather than absolutely:

<img src="image.gif" alt="" />

Using this method, the browser will know that it must load the image securely if the web page is being loaded securely, but it will also load the image normally if the page is not being accessed securely. The image will still need to be available securely on the other server. This is likely the best method of getting rid of the pesky "Do you want to display the nonsecure items?" warnings.
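One way to find the offending elements and produce the method 2 replacement for each, as an added example that is not part of the original article. It assumes the page's host name is passed in, rewrites same-host URLs as root-relative paths, and runs on constructed sample markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource. <a href> is absent on
# purpose: a plain link to an http:// page does not trigger the warning.
LOADING_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "link": "href",
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()  # assumption: caller supplies the host
        self.findings = []  # (line, tag, insecure_url, suggested_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        name = LOADING_ATTRS.get(tag)
        if name is None:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # this example only checks <link> when it loads a stylesheet
        url = (attrs.get(name) or "").strip()
        if not url.lower().startswith("http://"):
            return  # https://, //host/... and relative URLs are already fine
        parts = urlsplit(url)
        tail = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        if (parts.hostname or "") == self.page_host:
            fix = tail  # same host: make it relative (root-relative here)
        else:
            fix = "//" + parts.netloc + tail  # other host: protocol-relative
        self.findings.append((self.getpos()[0], tag, url, fix))

def find_mixed_content(html, page_host):
    finder = MixedContentFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from a real site.
SAMPLE = """<link rel="stylesheet" href="http://www.domain.com/site.css" />
<script src="http://cdn.example.net/lib.js?v=2"></script>
<img src="http://www.domain.com/image.gif" alt="" />
<img src="//www.domain.com/ok.gif" alt="" />
<a href="http://www.domain.com/about.html">About</a>"""

if __name__ == "__main__":
    for line, tag, url, fix in find_mixed_content(SAMPLE, "www.domain.com"):
        print(f"line {line}: <{tag}> {url} -> {fix}")
```

The protocol-relative suggestion for another host only helps if that host actually serves the file over https, so check each third-party URL before changing it.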

3. Change the browser settings

It is best to change the code of the page that is giving the error, but if you don't have access to change the code, you can always tell your personal web browser not to display that message. Note that this only suppresses the prompt in your own browser; the nonsecure items are still loaded over http. To do so, follow these steps for Internet Explorer:

  1. Go to Tools, Internet Options.
  2. Select the "Security" Tab and then click on the "Custom Level" button.
  3. Scroll down until you see the option: "Display mixed content". Select "Enable".
  4. Click OK. Then you will get a "Security Warning" pop-up. Click Yes.

One common reason that this warning shows up is using normal Google Analytics code on a secure page. It is a simple fix to enable Google Analytics on a page using SSL.

Originally posted on Sun Sep 9, 2007