IE9 with SockJS and HTTPS throws "SEC7111: HTTPS security is compromised by" [SPR-13386]

[spring-projects-issues]

Cecchinato Bastien opened SPR-13386 and commented

Hi !

I'm facing an issue with IE9 fallback for SockJS. When the page /htmlfile/?c= is loaded, IE9 throws the following error (in the console): SEC7111: HTTPS security is compromised.

My website is accessible only via HTTPS. After some digging, it seems that there is some mixed content, but I've been unable to find what content can be mixed.

The configuration class is the following :

@Slf4j
@Configuration
@EnableWebSocket
@EnableScheduling
public class WebSocketConfig implements WebSocketConfigurer {
    @Override
    public void registerWebSocketHandlers(WebSocketHandlerRegistry registry) {
        registry
                .addHandler(delegateSocketHandler(), "/mvc/socket", "/mvc/socket/**")
                .setAllowedOrigins("*")
                .withSockJS();
    }

    @Bean
    public WebSocketHandler delegateSocketHandler() {
        return new DelegateSocketHandler();
    }
}

I've also attached a network capture, if this can help.

Thanks in advance.

Regards,

---

Affects: 4.1.6

Attachments:

• network.xml (3.49 MB)
• websocket.png (82.31 kB)

[spring-projects-issues]

Rossen Stoyanchev commented

There must be some URL with http rather than https. What's the URL is the error for? A grep of the network file shows a few http URLs:

<url>http:///assets/vendor.css</url>
<url>http:///assets/afl.css</url>
<url>http:///assets/vendor.js</url>
<url>http:///assets/afl.js</url>
<url>http:///assets/vendor.js</url>
<url>http:///assets/afl.js</url>
<url>http:///assets/afl.js</url>

[spring-projects-issues]

Cecchinato Bastien commented

The URL for the error is https://ssl-afl-portail-web-rci2.aw.atos.net/mvc/socket/749/t5uczixa/htmlfile?c=_jp.a3fne4m. I'll try to modify some of the http:// resources to user https:// instead.

[spring-projects-issues]

Cecchinato Bastien commented

I've put every resources to force to https, but the issue is still there. Is the https://ssl-afl-portail-web-rci2.aw.atos.net/mvc/socket/749/t5uczixa/htmlfile?c=_jp.a3fne4m loading some insecure content ?

On IE9 console, the page is always pending (see attachement). I can't tell if it is normal or not.

[spring-projects-issues]

Brian Clozel commented

Not sure if that's relevant (I don't know if this is actually rendered by the browser), but some JSON content contains an iframe with an http source. If you're actually rendering that content in your page, then that could be the source of the problem.
Given the nature of that transport, I think it's normal to see the page in pending status.

[spring-projects-issues]

Cecchinato Bastien commented

We are using ember (not sure if it is relevant too) with ember-cli-sockjs that is a wrapper around sockjs client.

[spring-projects-issues]

Cecchinato Bastien commented

I haven't be able to find a way to make it. I think that we will go for longpolling instead.

You can close this issue.