I've searched this forum and the web for an answer to my problem, but haven't quite found the answer. My corporate site is using Asp .Net 3.5, AJAX and SSL to secure certain pages. The problem is that IE8 throws a message about unsecure content while IE7
and Firefox do not. I know this issue has been discussed ad nauseum (remember, I've done a lot of research), however, I have specifically isolated the issue down to adding the <scriptmanager> control on an AJAX page requiring SSL.
With nothing else on the page (e.g. no images or script references), just a simple .aspx page, add <scriptmanager> and IE8 will display the message and IE7 and FF will not. Based on my reasearch, the issue is most likely related to the scriptresource and
webresource handlers, however, I don't know enough about the inner workings to do any good.
Here's what I tried...
Manually set the scriptpath property of scriptmanager to specify where to find the AJAX scripts. The scriptmanager uses the system.web.extensions assembly (which packages all the AJAX js), so I manually downloaded the library from ajax.asp.net site, copied
the js files to a scripts directory and made reference in the scriptmanager directly. Using Fiddler2, I could see that the references now appear to be SSL, and I know it was working because no Sys undefined messages. So after reviewing the html output, setting the
scriptpath replaces the 2 scriptresource.axd references, but does not replace the webresource.axd reference... I also found this thread
http://forums.asp.net/t/1417440.aspx where the Asp.Net site was having the exact same IE8 issue in their secure profile pages. They narrowed it down to the webresource.axd and apparently fixed it per Terri's
post, but no idea what they did.
So that's where I am. I sent a message to Terri (the engineer who said they fixed their issue), but no word back. I'm sure other developers have run across this same problem, so hopefully someone can help.
I think ASP.NET AJAX / AjaxControlToolkit doesn't support this new browser so far, because the JavaScript engine of each browser is different so that the new JavaScript engine isn't accepted by AjaxControlToolkit.
Use Firebug tool to actual see the contents that are rendered through IE 8
Chetan Sarode
Senior Software Engineer,
Approva Systems Pvt Ltd, Pune, India.
Thanks chetan. I guess I would argue that regardless of IE8's status, the browser is widely available for download and available on Windows Update. As a developer I know it's impossible to release a perfect application, but with SSL being such an important
issue, this one caught me off guard. I'm still searching for a fix, so hopefully one is out there!
With a bit more research and development, I managed to solve the problem. I ended up writing a custom httpmodule that intercepts all requests with .axd extensions (e.g. webresource.axd and scriptresource.axd) and forces a redirect to https. It really isn't
that complicated, so I'm posting my code below in the hopes that it might help someone else. An httpmodule is essentially like your global.asax file but more portable. This solution resolved my issue with IE8 and mixed content security messages.
Basic assumptions with my site:
1. All .aspx pages in the "secure" folder are the only ones I'm worried about protecting with SSL.
2. The "secure" folder will only be protected if I set an "SSL" flag in the app settings of my web.config. Helpful for dev environment.
3. I'm only worried about .axd extensions in addition to pages in the "secure" folder.
4. One could easily expand on this code to make extensions configurable via web.config etc
Here are the steps:
Step 1: Create a new class library called "URLrewrite".
Step 2: Add the following code and modify for your own purposes...
public class URLrewrite : IHttpModule
{
//Examples of httpmodule...
//http://msdn.microsoft.com/en-us/library/ms228090.aspx
//http://support.microsoft.com/kb/307996
public void Init(HttpApplication app)
{
app.BeginRequest += new EventHandler(OnBeginRequest);
}
public void Dispose() { }
public void OnBeginRequest(Object s, EventArgs e)
{
HttpApplication app = s as HttpApplication;
try
{
String URI = app.Request.Url.AbsoluteUri;
bool securePath = false;
bool securePathQuery = false;
bool axd = false;
if(app.Request.Path != null)
{
securePath = app.Request.Path.ToLower().Contains("/secure");
axd = app.Request.Path.ToLower().Contains(".axd");
}
if (app.Request.UrlReferrer != null)
{
securePathQuery = app.Request.UrlReferrer.PathAndQuery.Contains("/secure");
}
string bType = System.Configuration.ConfigurationManager.AppSettings["ConnectionType"].ToString();
if ( (securePath) || ((securePathQuery) && (axd)) )
{
if ((bType == "SSL") && (URI.ToLower().StartsWith("http://")))
{
string redirectURL = URI.Replace("http://", "https://");
app.Response.Redirect(redirectURL);
app.Response.End();
}
}
else if (URI.ToLower().StartsWith("https://"))
{
//User requested a page that does not need SSL.
string redirectURL = URI.Replace("https://", "http://");
app.Response.Redirect(redirectURL);
app.Response.End();
}
}
catch (Exception ex)
{
app.Response.Write(ex.Message);
app.Response.End();
}
}
}
Step 3: Add the following line to your web.config. I originally created an ajax web application project (3.5 framework using VS 2008), so MyAssemblyName is the name of the .dll generated when I compile the site.
Sorry Corey, I don't have a VB version atm; however you can check the below link. It's the VB version of what I created minus the custom code I wrote in the "begin request" section. Perhaps the link above can help u convert the custom code and if you run
in to any issues I'd be glad to take a look. For C# developers, see my comments in the code above for same template in C#.
I took Steven's code and watered it down even further. We have a very big site and only a handful of pages need HTTPS, so I created a short list of files I cared about. I then took this all and stuck it right into the global.asax file in the Application_BeginRequest
Event. Code looks like this:
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs)
' Fires at the beginning of each request
Dim app As HttpApplication = TryCast(sender, HttpApplication)
Try
Dim URI As [String] = app.Request.Url.AbsoluteUri
Dim securePage As Boolean = False
Dim axd As Boolean = False
If app.Request.Path IsNot Nothing Then
If app.Request.Path.ToLower().Contains("account/login.aspx") Or app.Request.Path.ToLower().Contains("account/accountdetails.aspx") Or app.Request.Path.ToLower().Contains("cart/cartshipbillinfo.aspx") Or (any other files you want...)Then
securePage = True
End If
axd = app.Request.Path.ToLower().Contains(".axd")
End If
If (securePage) AndAlso (axd) Then
If (URI.ToLower().StartsWith("http://")) Then
Dim redirectURL As String = URI.Replace("http://", "https://")
app.Response.Redirect(redirectURL)
app.Response.[End]()
End If
End If
Catch ex As Exception
app.Response.Write(ex.Message)
app.Response.[End]()
End Try
End Sub
Hope this helps. It doesn't do quite as much, but it worked to solve our problem.
Doesn't the browser determine that there is mixed content and display the warning message before it sends the http request? Doesn't the browser wait for the user to click 'No' before it actually sends the http request for the mixed content?
The HttpModule is invoked after the browser sends the request and the request is received by your web server.
It would be great if someone could explain this further!
sclark451
0 Points
5 Posts
IE8, AJAX and SSL - Solution to mixed content security warning!
Oct 05, 2009 03:51 PM|LINK
Hi everyone,
I've searched this forum and the web for an answer to my problem, but haven't quite found the answer. My corporate site is using Asp .Net 3.5, AJAX and SSL to secure certain pages. The problem is that IE8 throws a message about unsecure content while IE7 and Firefox do not. I know this issue has been discussed ad nauseum (remember, I've done a lot of research), however, I have specifically isolated the issue down to adding the <scriptmanager> control on an AJAX page requiring SSL.
With nothing else on the page (e.g. no images or script references), just a simple .aspx page, add <scriptmanager> and IE8 will display the message and IE7 and FF will not. Based on my reasearch, the issue is most likely related to the scriptresource and webresource handlers, however, I don't know enough about the inner workings to do any good.
Here's what I tried...
Manually set the scriptpath property of scriptmanager to specify where to find the AJAX scripts. The scriptmanager uses the system.web.extensions assembly (which packages all the AJAX js), so I manually downloaded the library from ajax.asp.net site, copied the js files to a scripts directory and made reference in the scriptmanager directly. Using Fiddler2, I could see that the references now appear to be SSL, and I know it was working because no Sys undefined messages. So after reviewing the html output, setting the scriptpath replaces the 2 scriptresource.axd references, but does not replace the webresource.axd reference... I also found this thread http://forums.asp.net/t/1417440.aspx where the Asp.Net site was having the exact same IE8 issue in their secure profile pages. They narrowed it down to the webresource.axd and apparently fixed it per Terri's post, but no idea what they did.
So that's where I am. I sent a message to Terri (the engineer who said they fixed their issue), but no word back. I'm sure other developers have run across this same problem, so hopefully someone can help.
Thanks!
-Steven
ajax .NET 3.5 ScriptResource.axd IE 8 SSL webresource.axd
chetan.sarod...
All-Star
66629 Points
11270 Posts
Re: Issue with IE8, AJAX and SSL
Oct 06, 2009 03:20 AM|LINK
I think IE8 is in not still final stage.
I think ASP.NET AJAX / AjaxControlToolkit doesn't support this new browser so far, because the JavaScript engine of each browser is different so that the new JavaScript engine isn't accepted by AjaxControlToolkit.
Use Firebug tool to actual see the contents that are rendered through IE 8
Senior Software Engineer,
Approva Systems Pvt Ltd, Pune, India.
sclark451
0 Points
5 Posts
Re: Issue with IE8, AJAX and SSL
Oct 06, 2009 04:52 AM|LINK
Thanks chetan. I guess I would argue that regardless of IE8's status, the browser is widely available for download and available on Windows Update. As a developer I know it's impossible to release a perfect application, but with SSL being such an important issue, this one caught me off guard. I'm still searching for a fix, so hopefully one is out there!
sclark451
0 Points
5 Posts
Re: Issue with IE8, AJAX and SSL
Oct 07, 2009 05:51 AM|LINK
With a bit more research and development, I managed to solve the problem. I ended up writing a custom httpmodule that intercepts all requests with .axd extensions (e.g. webresource.axd and scriptresource.axd) and forces a redirect to https. It really isn't that complicated, so I'm posting my code below in the hopes that it might help someone else. An httpmodule is essentially like your global.asax file but more portable. This solution resolved my issue with IE8 and mixed content security messages.
Basic assumptions with my site:
1. All .aspx pages in the "secure" folder are the only ones I'm worried about protecting with SSL.
2. The "secure" folder will only be protected if I set an "SSL" flag in the app settings of my web.config. Helpful for dev environment.
3. I'm only worried about .axd extensions in addition to pages in the "secure" folder.
4. One could easily expand on this code to make extensions configurable via web.config etc
Here are the steps:
Step 1: Create a new class library called "URLrewrite".
Step 2: Add the following code and modify for your own purposes...
public class URLrewrite : IHttpModule { //Examples of httpmodule... //http://msdn.microsoft.com/en-us/library/ms228090.aspx //http://support.microsoft.com/kb/307996 public void Init(HttpApplication app) { app.BeginRequest += new EventHandler(OnBeginRequest); } public void Dispose() { } public void OnBeginRequest(Object s, EventArgs e) { HttpApplication app = s as HttpApplication; try { String URI = app.Request.Url.AbsoluteUri; bool securePath = false; bool securePathQuery = false; bool axd = false; if(app.Request.Path != null) { securePath = app.Request.Path.ToLower().Contains("/secure"); axd = app.Request.Path.ToLower().Contains(".axd"); } if (app.Request.UrlReferrer != null) { securePathQuery = app.Request.UrlReferrer.PathAndQuery.Contains("/secure"); } string bType = System.Configuration.ConfigurationManager.AppSettings["ConnectionType"].ToString(); if ( (securePath) || ((securePathQuery) && (axd)) ) { if ((bType == "SSL") && (URI.ToLower().StartsWith("http://"))) { string redirectURL = URI.Replace("http://", "https://"); app.Response.Redirect(redirectURL); app.Response.End(); } } else if (URI.ToLower().StartsWith("https://")) { //User requested a page that does not need SSL. string redirectURL = URI.Replace("https://", "http://"); app.Response.Redirect(redirectURL); app.Response.End(); } } catch (Exception ex) { app.Response.Write(ex.Message); app.Response.End(); } } }Step 3: Add the following line to your web.config. I originally created an ajax web application project (3.5 framework using VS 2008), so MyAssemblyName is the name of the .dll generated when I compile the site.
<httpModules> <add name="URLrewrite" type="MyNamespace.URLrewrite, MyAssemblyName" /> </httpModules>Step 4: Deploy your app and enjoy the silence of IE8!!!
If anyone needs any help, feel free to post below and I'll see what I can do.
ajax ScriptResource.axd SSL webresource.axd IE8
Corey10e
Member
9 Points
4 Posts
Re: IE8, AJAX and SSL - Solution to mixed content security warning!
Nov 21, 2009 05:46 PM|LINK
Any chance of a VB version of this?
alaa9jo
Star
11375 Points
2036 Posts
Re: IE8, AJAX and SSL - Solution to mixed content security warning!
Nov 21, 2009 05:55 PM|LINK
You can convert the code using this link:
http://www.developerfusion.com/tools/convert/csharp-to-vb/
Ala'a Alnajjar
----------------------------------------------------
My Webblog
sclark451
0 Points
5 Posts
Re: IE8, AJAX and SSL - Solution to mixed content security warning!
Nov 24, 2009 10:17 PM|LINK
Sorry Corey, I don't have a VB version atm; however you can check the below link. It's the VB version of what I created minus the custom code I wrote in the "begin request" section. Perhaps the link above can help u convert the custom code and if you run in to any issues I'd be glad to take a look. For C# developers, see my comments in the code above for same template in C#.
http://support.microsoft.com/kb/308000
floorcookie
Member
61 Points
14 Posts
Re: IE8, AJAX and SSL - Solution to mixed content security warning!
Nov 25, 2009 12:55 AM|LINK
I took Steven's code and watered it down even further. We have a very big site and only a handful of pages need HTTPS, so I created a short list of files I cared about. I then took this all and stuck it right into the global.asax file in the Application_BeginRequest Event. Code looks like this:
Sub Application_BeginRequest(ByVal sender As Object, ByVal e As EventArgs) ' Fires at the beginning of each request Dim app As HttpApplication = TryCast(sender, HttpApplication) Try Dim URI As [String] = app.Request.Url.AbsoluteUri Dim securePage As Boolean = False Dim axd As Boolean = False If app.Request.Path IsNot Nothing Then If app.Request.Path.ToLower().Contains("account/login.aspx") Or app.Request.Path.ToLower().Contains("account/accountdetails.aspx") Or app.Request.Path.ToLower().Contains("cart/cartshipbillinfo.aspx") Or (any other files you want...)Then securePage = True End If axd = app.Request.Path.ToLower().Contains(".axd") End If If (securePage) AndAlso (axd) Then If (URI.ToLower().StartsWith("http://")) Then Dim redirectURL As String = URI.Replace("http://", "https://") app.Response.Redirect(redirectURL) app.Response.[End]() End If End If Catch ex As Exception app.Response.Write(ex.Message) app.Response.[End]() End Try End SubHope this helps. It doesn't do quite as much, but it worked to solve our problem.
-- Mike
baharango
Member
3 Points
6 Posts
Re: Issue with IE8, AJAX and SSL
Apr 15, 2010 04:01 PM|LINK
Sorry but this code is giving me the following error :
Object reference not set to an instance of an object.
What could be the solution to that error ??? and i really don't know what could be the cause of the error
linkedcircle...
Member
2 Points
1 Post
Re: Issue with IE8, AJAX and SSL
Apr 29, 2010 01:57 AM|LINK
This does not seem like it would work.
Doesn't the browser determine that there is mixed content and display the warning message before it sends the http request? Doesn't the browser wait for the user to click 'No' before it actually sends the http request for the mixed content?
The HttpModule is invoked after the browser sends the request and the request is received by your web server.
It would be great if someone could explain this further!