Obscure Bugs Revisited: IE, HTTPS and Plugins
So, I had a fun little problem yesterday; a Flash SWF wasn't appearing on an HTTPS page on IE. It was fine on HTTP, and fine in other browsers, but HTTPS just wasn't doing it; the flash plugin was just showing the awesomely helpful "Movie not loaded" message. Cue much confusion, investigation.
Turns out that IE takes the caching headers on HTTPS requests a little too seriously. The following headers were set on the SWF:
Pragma: no-cache Cache-Control: no-cache
Why does this break it? Well, it's down to how IE and plugins work.
First, IE downloads your HTTPS page and finds the Flash plugin tag, and loads Flash. Flash then figures out which SWF it wants, and tells IE to download it, again, over HTTPS. IE downloads it, checks the header, thinks "Ooh, this is a secure file that shouldn't be cached - better get rid of this quickly" and promptly wipes it from its memory. It then tries to pass the file to Flash.
Spot a problem there? This doesn't just apply to Flash, but apparently any plugin that wants to get files over HTTPS, including PDFs and Office documents. Full details are on the Microsoft site, including the headers to avoid.
Say what you want about Microsoft, but that's some innovative software design right there. Nothing's breaking through that security measure.
The solution? Remove all no-cache headers. If you want to make sure it's still not stored between requests, you need to do it a different way:
Expires: Thu, 01 Dec 1994 16:00:00 GMT Cache-Control: private,pre-check=0,post-check=0
The theory being the Expires header catches HTTP 1.0 requests, and the Cache-Control should catch HTTP 1.1, with private being nearly as good as no-cache, in theory at least. Certainly seems to work, although with cache-busting nothing seems certain. If you can suggest any improvements, please leave a comment.
Obviously, the problem is that you're using flash :)
A fair comment! But sadly there isn't a real alternative for a lot of stuff I need to do. Thing that gets me about this issue though is that it doesn't work for any plugin, so that would include things like secure billing pdfs - I'd have thought the problem would crop up quite frequently. Quite how they missed that in their design and testing I don't know.