Well this bit me in the rear for a couple hours today. While doing some maintenance for Westlake Eletronic Supply their webmaster, Chris Bourdon, noticed that on all the HTTPS pages IE8 was giving that wonderfully redesigned (and tricky) security pop-up message informing the user that there are insecure items on the page and asks if you want to view the page without them (yes) or with them (no). We certainly didn’t want that popping up all the time but finding what it was couldn’t have been more difficult. A good addition to the developer tools (F12) would be to point out insecure ‘items’ in pages that should be secure. No no… that would have made things too easy, instead we scoured the HTML and JavaScript source and then pulled out fiddler, as any good webmaster or developer would do, to see if we could track down an actual image or file. No dice.

Needless to say, we’re really expecting to find a “src” attribute who’s value was pointing to a http: location or some javascript/ajax calling an insecure page. Nope and nope, apparently it was all due to one of my favorite scripts, sorttable, adding a javascript:void(0) to a generated script tag to defer script loads (and no, I’m not sure what that means as I’ve never had the need to perform such an insecure thing!). Although this could have been accomplished better in sorttable I have to leave it to IE to pull the “telling me there is a problem but not telling me what that problem is at all or telling me in a way that isn’t as helpful as other browsers that have been around not even half as many years were able to do in very early versions” joke on me. It’s a good one but overplayed almost as much as “I’m on a boat”. You win this time IE *shakes fist*!