
How to go from secure to insecure page without popup warning from browser?

 
joseph lam
Greenhorn
Posts: 18
Hi,

This might be a very basic question to lots of you - but how does one build a web page that "potentially" has a link to a "normal/insecure" page, e.g., when a user has completed a checkout sequence, there is a normal link for the user to go back to the insecure home page - however, that makes the page insecure, i.e., without the lock. So once a user jumps into a sequence of secure pages, how does he/she walk out of it without having the browser complain about "This page contains both secure and insecure items..."?

So how can we make the last secure page in the sequence able to go back out to the insecure world without making itself insecure (i.e., not all links are https)?

(Guess I can buy something from Amazon and look at their source, but I was hoping that someone knows this right away...)

Thanks!
 
joseph lam
Greenhorn
Posts: 18
Would form action work?
 
Ulf Dittmer
Rancher
Posts: 42967
As long as the page is loaded through HTTPS the lock should still be there, no matter whether the links on that page are HTTP or HTTPS. If an HTTP link is clicked the browser may show the dialog about leaving a secure page, but not the one about the page having insecure elements.
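
The distinction drawn in the reply above (insecure elements on the page versus HTTP links leaving it), as an added example that is not part of the original thread: a Python sketch that scans a page and separates `http://` subresources, which the browser fetches while rendering, from `http://` links that are only followed on a click. The tag list is a simplification, and the `shop.example` / `cdn.example` page is constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page; an
# http:// URL in one of these is what makes an HTTPS page "mixed content".
SUBRESOURCE_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
                     ("embed", "src"), ("object", "data"), ("source", "src"),
                     ("audio", "src"), ("video", "src")}
FETCHING_LINK_RELS = {"stylesheet", "icon"}  # <link> rel values that fetch


class MixedContentScanner(HTMLParser):
    """Separates insecure subresources from plain insecure navigation links."""

    def __init__(self):
        super().__init__()
        self.subresources = []  # fetched over HTTP: triggers the warning
        self.navigation = []    # only followed when the user clicks

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        for name, value in attrs.items():
            if not value.strip().lower().startswith("http://"):
                continue
            if (tag, name) in SUBRESOURCE_ATTRS:
                self.subresources.append((tag, value))
            elif tag == "link" and name == "href":
                if set(attrs.get("rel", "").lower().split()) & FETCHING_LINK_RELS:
                    self.subresources.append((tag, value))
            elif tag in ("a", "area") and name == "href":
                self.navigation.append((tag, value))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.subresources, scanner.navigation


# Constructed sample: the last page of a checkout sequence, served over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://shop.example/css/site.css">
<script src="http://cdn.example/tracker.js"></script>
</head><body><img src="http://shop.example/img/thanks.png">
<a href="http://shop.example/index.html">Back to the home page</a>
</body></html>"""

if __name__ == "__main__":
    mixed, links = scan(SAMPLE_PAGE)
    print("mixed content:", mixed, "| plain links:", links)
```

On the sample page the script and the image are reported as mixed content, while the link back to the home page is reported only as a plain outbound link.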
 
joseph lam
Greenhorn
Posts: 18
My experience is that the browser won't "endorse" a page with the lock if the page has regular HTTP links(**) - at least for the latest browsers that I am using - IE or Firefox.

Does anyone know whether that's a new browser feature?

Hm... I wonder if it's actually the web server that (when returning the encrypted page) is the one to inspect the links and report that "partial secure" status back to the browser instead. I don't really know the full rules regarding this, e.g., if (**) is true, would there still be encryption carried out? (I suspect yes, since it's done at a lower network/socket layer, I think, regardless of the application content, our web page in this case.)

Any feedback is greatly appreciated!
 
joseph lam
Greenhorn
Posts: 18
Btw, I am sure "embedding" the insecure links inside servlets or "ActionForward" of Struts via an HTML form or Struts form would work. But I am wondering about the case for plain HTML or PHP (ouch... it's a Java forum) code.

Actually, even then, would the browser complain about leaving the secure area upon the form submission?
 
Ulf Dittmer
Rancher
Posts: 42967
No, that's a browser-only thing. The server has no say in whether it's considered secure or not.
 
joseph lam
Greenhorn
Posts: 18
So to get back to the main question: with these newer browsers, how could we preserve the lock on the last secured page before leaving the secure area, then?
 