This might be a very basic question to lots of you - but how does one build a web page that "potentially" has a link to a "normal/insecure" page, e.g., when a user has completed a checkout sequence, there is a normal link for the user to go back to the insecure home page - however, that makes the page insecure, i.e., without the lock. So once a user jumps into a sequence of secure pages, how does he/she walk out of it without having the browser complain about "This page contains both secure and insecure items..."?
So how can we make the last secure page in the sequence able to go back out to the insecure world without making itself insecure (i.e., not all links are https)?
(Guess I can buy something from Amazon and look at their source, but I was hoping that someone knows this right away...)
As long as the page is loaded through HTTPS the lock should still be there, no matter whether the links on that page are HTTP or HTTPS. If an HTTP link is clicked the browser may show the dialog about leaving a secure page, but not the one about the page having insecure elements.
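The distinction drawn in the reply above (links versus insecure elements), as an added example that is not part of the original thread: a small Python scanner that sorts the `http://` references in an HTTPS page into embedded elements and plain links. The sample page and its hostnames are constructed, and the tag list is a common subset, not a complete one.

```python
from html.parser import HTMLParser

# Tags whose URL attribute makes the browser fetch something into the page.
EMBED_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "object": "data"}

class InsecureRefScanner(HTMLParser):
    """Sort http:// references into embedded items, links and form targets."""
    def __init__(self):
        super().__init__()
        self.embedded = []      # loaded while rendering: the "insecure items" case
        self.navigation = []    # followed only on click: plain links
        self.form_targets = []  # data goes over HTTP on submit; reported separately

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._record(self.navigation, tag, attrs.get("href"))
        elif tag == "form":
            self._record(self.form_targets, tag, attrs.get("action"))
        elif tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel or "icon" in rel:
                self._record(self.embedded, tag, attrs.get("href"))
        elif tag in EMBED_ATTRS:
            self._record(self.embedded, tag, attrs.get(EMBED_ATTRS[tag]))

    @staticmethod
    def _record(bucket, tag, url):
        if url and url.strip().lower().startswith("http://"):
            bucket.append((tag, url.strip()))

def scan(html):
    scanner = InsecureRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner

# Constructed sample: last page of a checkout, served over HTTPS.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://shop.example/css/site.css">
<script src="http://stats.example/track.js"></script></head><body>
<img src="http://shop.example/img/logo.gif" alt="logo">
<img src="/img/receipt.png" alt="receipt">
<a href="http://shop.example/">Back to the home page</a>
<form action="http://shop.example/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    print("embedded:", result.embedded)
    print("links:", result.navigation)
    print("form targets:", result.form_targets)
```

Anything listed under `embedded` should be served over HTTPS or through a relative URL; the entries under `navigation` are the ordinary links back out of the secure area.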
My experience is that the browser won't "endorse" a page with the lock if the page has regular HTTP links (**) - at least for the latest browsers that I am using - IE or Firefox.
Does anyone know whether that's a new browser feature?
Hm... I wonder if it's actually the web server that (when returning the encrypted page) is the one to inspect the links and report that "partial secure" status back to the browser instead. I don't really know the full rules regarding this, e.g., if (**) is true, would there still be encryption carried out? (I suspect yes, since it's done at a lower network/socket layer, I think, regardless of the application content, our web page in this case.)
Any feedback is greatly appreciated!
Joined: Oct 10, 2003
Btw, I am sure "embedding" the insecure links inside servlets or "ActionForward" of Struts via an HTML form or Struts form would work. But I am wondering about the case for plain HTML or PHP (ouch... it's a Java forum) code.
Actually, even then, would the browser complain about leaving the secure area upon the form submission?
Joined: Mar 22, 2005
No, that's a browser-only thing. The server has no say in whether it's considered secure or not.
Joined: Oct 10, 2003
So to get back to the main question: with these newer browsers, how could we preserve the lock on the last secured page before leaving the secure area, then?