This week's book giveaway is in the Java in General forum.
We're giving away four copies of Helidon Revealed: A Practical Guide to Oracle’s Microservices Framework and have Michael Redlich on-line!
See this thread for details.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Tim Cooke
  • paul wheaton
  • Liutauras Vilda
  • Ron McLeod
Sheriffs:
  • Jeanne Boyarsky
  • Devaka Cooray
  • Paul Clapham
Saloon Keepers:
  • Scott Selikoff
  • Tim Holloway
  • Piet Souris
  • Mikalai Zaikin
  • Frits Walraven
Bartenders:
  • Stephan van Hulst
  • Carey Brown

How to go from secure to insecure page without popup warning from browser?

 
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

This might be a very basic question to lots of you - but how does one build a web page that "potentially" has a link to a "normal/insecure" page, e.g., when a user has completed a checkout sequence, there is a normal link for the user to go back to the insecure home page - however, that makes the page insecure, i.e., without the lock. So once a user jump into a sequence of secure pages, how does he/she walks out of it without having the browser complained about "This page contains both secure and insecure items..."?

So how can we make the last secure page in the sequence able to go back out to the insecure world without making itself insecure (i.e., not all links are https)?

(guess i can buy something from amazon and look at their source but I was hoping that someone know this right away...)

Thanks!
 
joseph lam
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Would form action work?
 
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
As long as the page is loaded through HTTPS the lock should still be there, no matter whether the links on that page are HTTP or HTTPS. If an HTTP link is clicked the browser may show the dialog about leaving a secure page, but not the one about the page having insecure elements.
 
joseph lam
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
My experience is that the browser won't "endorse" a page with the lock if the page has regular http links(**) - at least for the latest browser that I am using - IE or firefox.

Does anyone know whether that's a new browser feature?

Hm...I wonder if it's actually the web server who (when returning the encrypted page) is the one to inspect the links and report that "partial secure" status back to the browser instead. I don't really know the full rules regarding this, e.g., if (**) is true, would there still be encryption carried out? (I suspect yes, since it's done at a lower network/socket layer, i think, regardless of the application content, our web page in this case.)

Any feedback is greatly appreciated!
 
joseph lam
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
btw, I am sure "embedding" the insecure links inside servlets or "ActionForward" of struts via html form or struts form would work. But I am wondering about the case for plain html or php (ouch...it's a java forum) code.

Actually, even that, would the browser complain about the leaving of secure area upon the form submission?
 
Ulf Dittmer
Rancher
Posts: 43081
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
No, that's a browser-only thing. The server has no say in whether it's considered secure or not.
 
joseph lam
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
So to get back on the main question: With these newer browsers, How could we preserve the lock at the last secured page, before leaving the secure area then?
 
Politics n. Poly "many" + ticks "blood sucking insects". Tiny ad:
Gift giving made easy with the permaculture playing cards
https://coderanch.com/t/777758/Gift-giving-easy-permaculture-playing
reply
    Bookmark Topic Watch Topic
  • New Topic