Menu

#18 AnalyticsForPlone, SSL & IE7 mixed content alert

closed
Emmanuel Coirier
None
5
2007-11-26
2007-11-22
jrjsmrtn
No

Using AnalyticsForPlone 1.1 on a SSL-only Plone site causes Internet Explorer 7 to display a "Mixed content" security. alert. on. *every*. page. loaded. from. the. site.

Very. annoying. :-/

IE7 has a security feature that warns the user when a secure page contains non-secure content[1]. And that security warning is not easy to disable...

For SSL sites, Google Analytics offers an alternative script snippet[2] to insert into tracked pages, that loads the urchin library from a secure site. That way, all page content is secure.

Unfortunately, the AnalyticsForPlone product has a hardcoded script snippet[3] that always loads the library from the non-secure Google site. And this results in mixed-content pages. And. the. annoying. warning...

Regards,

Georges Martin

--
[1] search for "mixed content" in "HTTPS Security Improvements in Internet Explorer 7":

<http://msdn2.microsoft.com/en-us/library/bb250503.aspx>

[2] "I'm having trouble creating a profile for my secure website." in Google Analytics Help Center:

<http://www.google.com/support/googleanalytics/bin/answer.py?answer=55552&topic=10983>

[3] at line 2 of analytics.js.dtml:

<https://svn.plone.org/svn/collective/AnalyticsForPlone/trunk/skins/analyticsforplone/analytics.js.dtml>

Discussion

  • Emmanuel Coirier

    Emmanuel Coirier - 2007-11-26

    Logged In: YES
    user_id=585084
    Originator: NO

    A new field "Google URL" has been added in the property sheet of the analytics for plone tool in ZMI. this parameter is not available thru the plone configuration panel. It should solve your problem.

     

  • Emmanuel Coirier

    Emmanuel Coirier - 2007-11-26
    • labels: 685123 -->
    • milestone: 605666 -->
    • assigned_to: pjgrizel --> manuco
    • status: open --> closed-fixed
     

  • jrjsmrtn

    jrjsmrtn - 2007-11-26
    • status: closed-fixed --> closed
     

  • jrjsmrtn

    jrjsmrtn - 2007-11-26

    Logged In: YES
    user_id=1793398
    Originator: YES

    Thanks for the patch.

    I was wondering anyway, wouldn't it be interesting to link to the secure google script when in a secure page, and to the non-secure google script when in a non-secure page ?

    As in:

    if (location.protocol == 'https:')
    {
    document.write('<script src="&dtml-google_ssl_url;" type="text/JavaScript"><\/script>');
    }
    else
    {
    document.write('<script src="&dtml-google_url;" type="text/JavaScript"><\/script>');
    }

    That way, "mixed" Plone sites, with SSL and non-SSL pages, would work without modifications.

    Your opinion ?

    Regards,

    Georges Martin

     

  • Emmanuel Coirier

    Emmanuel Coirier - 2007-12-04

    Logged In: YES
    user_id=585084
    Originator: NO

    Seems to be a good idea. I have no time to test that your patch is working. I commit it to the trunk, and I hope you'll test it. Your feedback is welcome on this point.

     

Log in to post a comment.