"NWdev" <dev@bcdiv.com> wrote in message
news:1170953544.276230.238520@j27g2000cwj.googlegroups.com...
> For some time I've been searching for a solution to what is likely a
> common customer request:
>
> In a 'mixed' website that contains content from other sites, don't
> trigger the SSL alerts going to/from https or when displaying the
> content from other sites.
>
> By 'mixed' I mean the site contains both http & https pages with a
> valid SSL cert for the domain.
>
> The external site content is from registered user postings to a
> classifieds listing. For example images they've cut and pasted from
> their corporate website or elsewhere. (Uploading the images doesn't
> appear to be an option in this case.)
>
> Since the site contains many pages that require https for sensitive
> customer information (registration, customer data), most of it is
> served via https.
>
> Given that, in order to avoid triggering the mixed secure/non-secure
> content alert the classifieds listing pages need to be served in http
> vs. https.
>
> So far I've tried a number of strategies, but have unfortunately been
> unsuccessful in avoiding triggering the http to https (you're going to
> a secure site...) or https to http (you're leaving a secure site)
> alerts.
>
> The site is in ASP (classic) and uses redirects heavily. In most cases
> there is querystring data - so server.transfer is less of an option
> and response.redirect is used (aside from the fact its serving up the
> same page via a different protocol vs a different page). So there are
> both clickable links and programmatic redirects to handle. (As well as
> very limited session data.)
>
> Here are some things I've tried but unfortunately still triggered the
> alerts:
> + https page https link --> https swap page that redirects to desired
> page in http
> + https page https link --> https desired page w/ Meta refresh to http
> + https page https link --> https desired page w/ Javascript
> window.location change to http
> + https page https link --> https desired page w/ ASP redirect to http
> + https page http link --> http desired page
> + https page https redirect --> https swap page redirecting to desired
> page in http
> + https page https redirect --> https desired page w/ ASP redirect to
> http
> + https page https redirect --> https desired page w/ Meta refresh to
> http
> + https page https redirect --> https desired page w/ Javascript
> window.location change to http
> + https page http redirect --> http desired page
> & similarly for going from http to https
>
> Perhaps someone has some suggestions and can point me in the right
> direction?
>
> Thanks!
> Bonnie
>

> I also need to be able to do this
> programmatically after running
> server side code (not just when a
> user clicks a link).

On Feb 28, 5:09 pm, "NWdev" <d...@bcdiv.com> wrote:
> Thanks for your response Roger.
>
> I understand that this is a browser initiated (client side) response,
> however I am not interested in disabling the response, but rather
> avoiding the trigger when a user navigates from https to http and vice
> versa.
>
> So, to re-state the question:
>
> What ASP (classic) or JavaScript coding makes it possible to move from
> http to https and https to http without triggering the client side
> browser alert?
>
> I need to be able to allow a user move to and from a secure page
> (https) to an insecure one (http) without the user's browser being
> triggered to display the SSL alert (you are moving to a secure page/
> you are moving from a secure page).
>
> What complicates this somewhat further is I also need to be able to do
> this programmatically after running server side code (not just when a
> user clicks a link).
>
> Hopefully someone can point me in the right direction. I've done a
> number of tests, however each has been unsuccessful in avoiding the
> trigger. I know sites do this, often moving to/from a secure login or
> form page (SSL, https) to non-secured pages (non-SSL, http) without
> triggering the alert. So it seems it is a matter of either sequence
> that I'm missing.
>
> Thanks for any assistance.
>
> Regards,
> Bonnie

On Mar 5, 1:59 pm, "NWdev" <d...@bcdiv.com> wrote:
> Thank you David for your response.
>
> So if I understand the suggested solutions correctly, one option is to
> fetch the cut & pasted images from the user's sites via https versus
> http. That could be done by swapping out any http links to https
> before storing the user's text input in the database. It seems though
> that there's something else I'm missing.
>
> What about sites which require sections to be http and other parts
> https?
>
> For example a site which has a section of pages which are publicly
> available (via http) and another section which are only available to
> registered (& logged in) users (via https).
>
> In my case, the site contains both of these types of sections and
> logged in users can navigate to the public pages as well as the non-
> public https pages. The customer wants them to be able to do this
> without seeing the standard https to http (or vice versa) alert.
>
> So the question is --
> What is required to allow a user to navigate from http to https (and
> vice versa) without receiving an alert?
>
> Regards,
> Bonnie