This is from my friend, Chris Weekly.
I think it is necessary for us to be precise when we talk about “security popups” as there are many different kinds.
Some of these are always preventable, some are unavoidable in certain scenarios, and all vary according to the browser version and its user config.
Anyway here’s a kickstart:
- SSL Certificate Warnings (various) – Triggered on HTTPS URLs on domains with an expired or self-signed certificate.
- Insecure Content Warnings – Triggered on HTTPS URLs when the page contents embed references to HTTP resources (images, iframes, stylesheets or scripts).
This is preventable by proper JSP/taglib usage. Note it is ok for links to use http:// even in https:// pages as they’re not automatically followed.
- HTTPS to HTTP Redirection Warnings – Triggered when an HTTPS request triggers a redirect to an HTTP URL.
This is unavoidable in some scenarios but should be avoided by design whenever possible.
- HTTP/HTTPS Switch Alert – Triggered when simply navigating from HTTP to HTTPS or back.
This is out of our control, but most browsers don’t have this on by default, and users tend to turn this global setting off after seeing it once or twice (on any site) as it’s so common and harmless.
- Content not under this site’s control (New) – Apparently resulting from the recent Microsoft security patch.
I believe this is triggered by scripts which are not on the same domain as the page requested.
This is most likely to arise w/ 3rd-party tracking pixel-related scripts. Needs more investigation.
There are others but I think these are the main ones we’ve been dealing with lately.
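
A static check for two of the items in the list above, added here as an example and not part of Chris's message: it scans rendered HTML for embedded `http://` resources on an HTTPS page (ignoring ordinary links) and lists scripts served from a different host than the page. The page URL, host names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute the browser fetches on its own while rendering.
# <a href> is deliberately absent: a link is only followed when clicked.
EMBEDDED = {"img": "src", "iframe": "src", "script": "src", "link": "href"}

# Constructed sample page, assumed to be served from PAGE_URL.
PAGE_URL = "https://www.example.com/checkout"
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.com/site.css">
<script src="/js/app.js"></script>
<script src="https://tracker.example.net/pixel.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="http://cdn.example.com/banner.png">
<iframe src="http://ads.example.org/frame.html"></iframe>
<a href="http://www.example.com/about">About</a>
</body></html>"""

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.insecure = []         # (tag, url) embedded over plain HTTP
        self.offsite_scripts = []  # script URLs served from another host

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(EMBEDDED.get(tag, ""))
        if not ref:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are loaded as page content
        url = urljoin(self.page_url, ref)  # resolves relative and //host/path refs
        parts = urlparse(url)
        if parts.scheme == "http":
            self.insecure.append((tag, url))
        if tag == "script" and parts.hostname != self.page_host:
            self.offsite_scripts.append(url)

def audit(page_url, html):
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.insecure, parser.offsite_scripts

if __name__ == "__main__":
    print(audit(PAGE_URL, SAMPLE))
```

Run against the HTML a JSP actually renders, since the scheme of each reference is only fixed once the taglibs have produced their output.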