IE9 HTTPS security is compromised by my Greasemonkey script?

Question

I’ve got a Greasemonkey-for-IE script in IE9 that’s importing jQuery. But on secure pages it doesn’t work.

I’m getting:

SEC7111: HTTPS security is compromised by http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js

The code that fails is:

var script = document.createElement("script");
script.setAttribute("src", 
    "http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js");

How can I make this work? The script doesn’t cause a problem in Firefox.

Answer 1

Presumably: Use https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js instead (or not trust a third party CDN (to be both trustworthy and not compromised) for your secure pages)

Answer 2

You can eliminate the issue with simpler code by using a scheme-relative URL like this:

var script = document.createElement("script");
script.setAttribute("src", 
   "//ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js");

This will use http:// on an http:// page and https:// on an https:// page...a much simpler way to solve the issue.

Answer 3

The error message is IE's new way of warning about mixed content (HTTP and HTTPS resources on a secure page). Here is a related MSDN blog post.

Using

https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.js

seems to work as well, although I can't see a official reference to it in the Libraries API overview.

Answer 4

The problem is that when you're in secure mode (ie HTTPS), all the files loaded by the page must also be HTTPS. The JQuery include you're making here is HTTP.

You need to detect whether the page is in HTTP or HTTPS mode (use window.location.protocol()), and adjust the URL of the JQuery include to suit. (all it needs is the additional 's' after 'http')

Answer 5

you are using https connection and you want to access a http connection.