Hey guys. My javascript/web chops aren't what they used to be, and I have an issue here I have not been able to puzzle out.
We've got a very simple Angular page running over https (terminated by haproxy as load balancer, running on ec2). Today a third-party content site began running a campaign involving a paid post that includes links to our page. When we click through those links some percentage of the time we will see an alert from FF, or a console message from IE, indicating that our page contains insecure content.
Here is an image of the network trace we see when this happens:
I highlighted the problem requests in yellow. Here is an image of the console warning in IE when this happens:
The only 3rd party scripts we have running are google analytics and some angular libraries. We selectively removed those scripts this afternoon and didn't see any change in the behavior. We're certain these requests are not being issued by anything in our scripts or markup. This is bolstered by the fact that Chrome and Opera do not show the requests I highlighted in yellow above, nor do they complain that our page has mixed content. Only FF and IE react this way.
As a point of comparison here are the images above showing what happens when we navigate directly to our page:
About the only other thing I can add is that the 3rd party is using Doubleclick for Publishers as their ad server. My theory is that something about the way they are loading our page is confusing IE and FF into thinking these requests are coming from us, when they are likely coming from an iframe on the 3rd part site into which our page is being loaded. But that's just a theory and as things stand I really don't know what's going on.
Anyone seen this before, or have any ideas?
We've got a very simple Angular page running over https (terminated by haproxy as load balancer, running on ec2). Today a third-party content site began running a campaign involving a paid post that includes links to our page. When we click through those links some percentage of the time we will see an alert from FF, or a console message from IE, indicating that our page contains insecure content.
Here is an image of the network trace we see when this happens:
I highlighted the problem requests in yellow. Here is an image of the console warning in IE when this happens:
The only 3rd party scripts we have running are google analytics and some angular libraries. We selectively removed those scripts this afternoon and didn't see any change in the behavior. We're certain these requests are not being issued by anything in our scripts or markup. This is bolstered by the fact that Chrome and Opera do not show the requests I highlighted in yellow above, nor do they complain that our page has mixed content. Only FF and IE react this way.
As a point of comparison here are the images above showing what happens when we navigate directly to our page:
About the only other thing I can add is that the 3rd party is using Doubleclick for Publishers as their ad server. My theory is that something about the way they are loading our page is confusing IE and FF into thinking these requests are coming from us, when they are likely coming from an iframe on the 3rd part site into which our page is being loaded. But that's just a theory and as things stand I really don't know what's going on.
Anyone seen this before, or have any ideas?
.
Facebook
Twitter