J
Juergen Ebert
Imagine a e-commerce site which handles payment through a
third-party-service. This is done by including an IFrame (payment) in
the shop application. Both the IFrame content and the shop are secured
by HTTPS but of course with different certificates. When the payment is
done the third-party-service sends some kind of redirect so a "Payment
was successful"-page from the shop is again shown in the browser as
IFrame content.
This is where the fun (!?) starts. When using IE6 with "friendly error
messages" activated the user will not see the "Payment was
successful"-page but the standard "The page cannot be displayed" error
page. However if the same user disables the "friendly error messages"
then no error will be shown but the "Payment was successful"-page will
be displayed whithout any indication of a problem.
With other words the error page will only be displayed if using
"friendly error messages" but everything will work ok if not.
Unfortunately not all users are affected, most users do not see any
error at all. Needless to say that users of other browsers also do not
see errors.
Interestingly the users who get the "The page cannot be displayed"
message will be asked before if they wish to display nonsecure items in
this otherwise secure page. I came to think that the error page itself
is the nonsecure item since it comes from the local filesystem (either
about: or res. Right?
To determine where the problem might be we put some debug output into
the "Payment was successful" page and this code is excuted for those
users who see the error page. So the redirect from the payment system
seems to work. Looking into the data sent seems to be difficult because
of the HTTPS protocol so we don't know where else to look.
Now I need to know if this is a known bug in IE. It also would be
helpful to know what triggers IE to display the "The page cannot be
displayed" error page. Only the http return code? Something else?
What else can we do determine the cause of this problem?
Regards,
Juergen Ebert
third-party-service. This is done by including an IFrame (payment) in
the shop application. Both the IFrame content and the shop are secured
by HTTPS but of course with different certificates. When the payment is
done the third-party-service sends some kind of redirect so a "Payment
was successful"-page from the shop is again shown in the browser as
IFrame content.
This is where the fun (!?) starts. When using IE6 with "friendly error
messages" activated the user will not see the "Payment was
successful"-page but the standard "The page cannot be displayed" error
page. However if the same user disables the "friendly error messages"
then no error will be shown but the "Payment was successful"-page will
be displayed whithout any indication of a problem.
With other words the error page will only be displayed if using
"friendly error messages" but everything will work ok if not.
Unfortunately not all users are affected, most users do not see any
error at all. Needless to say that users of other browsers also do not
see errors.
Interestingly the users who get the "The page cannot be displayed"
message will be asked before if they wish to display nonsecure items in
this otherwise secure page. I came to think that the error page itself
is the nonsecure item since it comes from the local filesystem (either
about: or res. Right?
To determine where the problem might be we put some debug output into
the "Payment was successful" page and this code is excuted for those
users who see the error page. So the redirect from the payment system
seems to work. Looking into the data sent seems to be difficult because
of the HTTPS protocol so we don't know where else to look.
Now I need to know if this is a known bug in IE. It also would be
helpful to know what triggers IE to display the "The page cannot be
displayed" error page. Only the http return code? Something else?
What else can we do determine the cause of this problem?
Regards,
Juergen Ebert