Home » Download » Modules » Secure Pages » Issues

Advertisement module generates HTTP URL on secure pages

sszalla - May 11, 2008 - 12:11
Project:Secure Pages
Version:5.x-1.6
Component:Code
Category:support request
Priority:normal
Assigned:Unassigned
Status:active
Description

First I want to say thanks from a Drupal newbie for a great module.

I'm having one issue using Secure Pages with the Advertisement module. I'm using Javascript mode for image ads and the Javascript being generated for encrypted pages is:

document.write('\x3cdiv class=\"image-advertisement\" id=\"ad-3\"\x3e\x3ca href=\"http://www.cleanenergyconnect.com/ad/redirect/3/\" title=\"\" target=\"_blank\"\x3e\x3cimg src=\"http://www.cleanenergyconnect.com/system/files/leaderboard-728X90_v2.gif\" width=\"728\" height=\"90\" /\x3e\x3c/a\x3e\x3c/div\x3e');

The problem is that my users with IE are getting the "page contains secure and non-secure items" error because the image src refers to a unencrypted URL. Advertisement is using the file_create_url() function to generate this URL so I would have thought it would have HTTPS as the protocol on encrypted pages, but it obviously hasn't.

Can anyone tell me why (and how I might fix it)?

» Login or register to post comments

#1

pauldawg - May 22, 2008 - 20:45

My sense is that you can't necessarily fix this, per se, and that it is "as designed". Specifically, this is called out as a warning because your page it communicating with another site (your advertiser) in a non-encrypted form. So the user is warned (if you are using IE, but probably not if using Mozilla). To get rid of this, here are the options I can see:

  • You could try using HTTPS to access your ads, but most likely your advertiser is not going to support HTTPS for an Ad banner.
  • You could make sure that your Ads are not displayed on pages where your HTTPS protocol is used. In other words, you could have your site split into secure and non-secure areas, and only show ads in the non-secure areas (e.g. not while someone is editing their account). Then you would just need to use a module or some other method of redirecting the secure areas to enforce security for those URLs.
  • You could just grin and bear it, and ask your customers to do the same

Although to be honest, I am new to this as well so I could be missing something, but this is my current understanding.

Login or register to post comments

#2

pauldawg - May 22, 2008 - 20:48

You could also probably rig something up where you are actually caching your advertiser's pages on your server and still have the addresses point to your advertiser's site, but I would guess this might break some agreements between you and the advertiser.

Login or register to post comments

#3

sszalla - June 2, 2008 - 11:07

Thanks for your comments, but I probably wasn't explicit enough about what's happening.

The href and src URLS in the Javascript are referring to my site (www.cleanenergyconnect.com), so the ad image and redirect are available through HTTPS if necessary. The Advertisement module is using the file_create_url() function to generate these URLs.

The question is, if the page being generated is HTTPS, why is the file_create_url() function not returning a URL with HTTPS as the protocol instead of HTTP?

(Actually I've worked around the issue by selecting Raw mode instead of Javascript mode in the Advertisement module, but I'd still like to know why this is happening.)

Login or register to post comments

#4

pauldawg - June 2, 2008 - 16:21

Sorry I guess I misread the message. Sounds to me like this is a bug with the Advertisement module and you may want to submit this as a bug report in that project.

Login or register to post comments
 
 

Drupal is a registered trademark of Dries Buytaert.