GWT application generating IE insecure item warnin

Posted 2019-03-22 11:06

Question:

Our service runs over HTTPS and we're currently experimenting with running a compiled GWT-application within it, only client side, no RPC:s.

It is included within an IFRAME, which seems to be recommended (here for example: http://developerlife.com/tutorials/?p=231 under the heading HTTPS and HTTP).

When doing certain operations within the GWT-app, IE generates an insecure item warning.

http://bagonca.com/insecure_item.png

You may ask yourself why I don't use some nifty Firefox plugin to see what request might be over http. Or why I don't use HTTPWatch in Internet Explorer for the same reason. I have. There are no insecure requests that I can find, anywhere.

What I have read about on the other hand is that Internet Explorer throws this warning for iframes without the src attribute set. And that a potential fix is using src="javascript:false" for any iframe that is populated dynamically.

As I've said, the whole app is included via an IFRAME, and within it GWT itself generates a hidden IFRAME that looks like below.

<iframe tabIndex="-1" id="gwt-app" src="javascript:''" style="border-bottom: medium none; position: absolute; border-left: medium none; width: 0px; height: 0px; border-top: medium none; border-right: medium none;">

I've tried hard-coding the src attribute above to a blank page that actually exists and is called with HTTPS on the same domain. I've tried the javascript:false; approach. No luck. The app works like a charm, but IE throws the useless and false warning.

The warning turns up when I do certain actions within the app, not when it is loaded. Actually when dragging and dropping appointments within the http://code.google.com/p/gwt-calendar/ component.

Has anyone tangled with a similar issue before? Any clues?

Answer 1:

There are other snippets of JavaScript that can also cause a problem. Please see:

http://blog.httpwatch.com/2009/09/17/even-more-problems-with-the-ie-8-mixed-content-warning/

Also, have a look through the pile of comments on:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

Some of the commenters have found and fixed other causes of the warning too.



Answer 2:

Any clues?

I'm not sure in this case, but I did some experiments with iframes (on a somewhat similar topic) about a year ago. I would assume that gwt-calendar tries to communicate with the host page via JavaScript's parent reference. AFAIR, that's not allowed when the host page isn't loaded from the same origin (including protocol).



Answer 3:

This can happen if you have your app running over HTTPS and are fetching images or some other resource over plain HTTP. Check if you have image or CSS paths hardcoded to http://.

For example, if your app is running at https://example.com and you wish to load an image foo.jpg, the HTML you should be using is:

<img src="https://example.com/images/foo.jpg"/>

or (ideally)

<img src="images/foo.jpg"/>

and not

<img src="http://example.com/images/foo.jpg"/>

Note that the third example fetches the foo.jpg image over http instead of https. Hence it would cause the issue which you are facing.

To avoid such problems, the best practice is to use ImageResources and relative URLs.
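
The check described in Answer 3, as an added example that is not code from the original post or its answers: a Python audit that parses markup and reports subresources hard-coded to http://, plus the src-less iframe case the question mentions. The names MixedContentAudit, audit and SAMPLE are hypothetical, and the sample markup is constructed.

```python
# Added example (hypothetical names); not code from the original answers.
import re
from html.parser import HTMLParser

# Tag -> attribute that triggers a subresource fetch (<a href> is navigation, so it is omitted).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "input": "src", "object": "data", "link": "href"}
CSS_HTTP_URL = re.compile(r"url\(\s*['\"]?\s*(http://[^'\")\s]+)", re.I)

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # (line, tag, reason, value)

    def _scan_css(self, tag, css):
        for m in CSS_HTTP_URL.finditer(css):
            self.findings.append((self.getpos()[0], tag, "insecure-css-url", m.group(1)))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        name = FETCH_ATTRS.get(tag)
        if name and (tag != "link" or "stylesheet" in (attrs.get("rel") or "").lower()):
            value = (attrs.get(name) or "").strip()
            if value.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, "insecure-url", value))
            elif tag == "iframe" and not value:  # no src: case reported in the question
                self.findings.append((self.getpos()[0], tag, "iframe-no-src", ""))
        self._scan_css(tag, attrs.get("style") or "")  # inline style="..." attributes

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        self._scan_css("style", data if self._in_style else "")

def audit(html):
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from the original post.
SAMPLE = """<style>.hdr { background: url(http://example.com/images/bg.png); }</style>
<img src="images/foo.jpg"/>
<img src="http://example.com/images/foo.jpg"/>
<a href="http://example.com/help">help</a>
<iframe id="dynamic"></iframe>
<iframe id="gwt-app" src="javascript:''"></iframe>"""
```

Calling audit(SAMPLE) returns one tuple per finding; the relative image, the plain link and the javascript: iframe are not reported.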