Opened 9 years ago

Closed 9 years ago

#1920 closed Bug (fixed)

Warning messages upon opening some dialogs in IE under HTTPS

Reported by: Martin Kou Owned by: Martin Kou
Priority: Normal Milestone: FCKeditor 2.6
Component: UI : Dialogs Version: SVN (FCKeditor) - Retired
Keywords: Confirmed IE Review+ Cc:

Description

Reproduction procedure:

  1. Open sample01.html in IE6 or 7 under HTTPS and domain relaxation mode.
  2. Open the image dialog, or the flash dialog, or the image button dialog.
  3. Warning message about unsafe contents.

Attachments (2)

1920.patch (3.0 KB) - added by Martin Kou 9 years ago.
1920_2.patch (2.9 KB) - added by Martin Kou 9 years ago.

Download all attachments as: .zip

Change History (12)

comment:1 Changed 9 years ago by Martin Kou

Component: GeneralUI : Dialogs

comment:2 Changed 9 years ago by Wojciech Olchawa

Cc: Confirmed IE removed
Keywords: Confirmed IE added

Just moved the keywords to "Keywords Filed"

comment:3 Changed 9 years ago by Martin Kou

Owner: set to Martin Kou
Status: newassigned

Thanks ;)

Sometimes I'm just too sleepy filling those fields.

comment:4 Changed 9 years ago by Martin Kou

Summary: Warning messages upon opening some dialogs in IE under HTTPS and domain relaxation modeWarning messages upon opening some dialogs in IE under HTTPS

Domain relaxation is not needed, the bug can be reproduced without domain relaxation. Simply HTTPS would trigger the bug.

Changed 9 years ago by Martin Kou

Attachment: 1920.patch added

comment:5 Changed 9 years ago by Martin Kou

Keywords: Review? added

comment:6 Changed 9 years ago by Frederico Caldeira Knabben

Keywords: Review- added; Review? removed

I'm not able to reproduce this problem with the Flash dialog (with or without domain relaxation). It seems related to the Image dialog exclusively, due to the <img src="javascript:void(0)">

Applying the proposed fix to the image removes the warning, but it's a regression to a previous problem. The browser makes a request for the image to "editor/dialog/fck_image/".

I have the impression that removing the "src" attribute completely from the source would fix it properly, but it has to be well tested across all browsers to be sure nothing get broken.

comment:7 Changed 9 years ago by Martin Kou

The warning in the Flash dialog appears in IE6 only (even for the IE6 in Multiple IE), it doesn't appear in IE7.

comment:8 Changed 9 years ago by Martin Kou

Keywords: Review? added; Review- removed

Confirmed deleting the "src" attribute eliminates the security warning on both IE6 and IE7.

The fix for the iframe in the Flash dialog is still needed though, as the original iframe code (even without a src attribute) triggers security warning in IE6.

I'm proposing a new patch with the fixed <img> tag.

Changed 9 years ago by Martin Kou

Attachment: 1920_2.patch added

comment:9 Changed 9 years ago by Frederico Caldeira Knabben

Keywords: Review+ added; Review? removed

comment:10 Changed 9 years ago by Martin Kou

Resolution: fixed
Status: assignedclosed

Fixed with [1689].

Click here for more info about our SVN system.

Note: See TracTickets for help on using tickets.
© 2003 – 2017 CKSource – Frederico Knabben. All rights reserved. | Terms of use | Privacy policy