Last post Aug 21, 2017 09:11 AM by Edward Z
Aug 18, 2017 11:25 AM|Anindita.Basak
Our ASP.NET MVC website is hosted over https and secured with a valid certificate from a CA. It's trying to access the WCF service over http, but it's throwing the following error:
Mixed Content: The page at 'https://localhost/...' was loaded over HTTPS, but requested an insecure script 'http://x.x.x.x.9999/signalr/hubs'. This request has been blocked; the content must be served over HTTPS.
We've used absolute URIs for the WCF service and client endpoint base addresses.
Any pointers will be appreciated.
Aug 18, 2017 12:01 PM|PatriceSc
And you are using SignalR as well? Use F12 to see where this query comes from, but for now it seems you (or something else?) are using a SignalR connection over http rather than https.
Just in case, see https://docs.microsoft.com/en-us/aspnet/signalr/overview/getting-started/introduction-to-signalr to see what SignalR is.
Aug 19, 2017 01:38 PM|Anindita.Basak
We could bypass the mixed content browser warning while connecting through WCF app services with an http:// URI (unsecure) called from a secure https:// website by forcing the browser to load unsafe scripts from the client side, and on doing that we immediately see a 'Not Secure' warning with a red icon in the browser, though the SignalR hub starts and works.
Our requirement: is there any way from the application side (programmatically) to automatically force the browser to load the unsafe script from the http:// URL (which we have to do manually now)?
Aug 19, 2017 04:17 PM|PatriceSc
It would defeat the purpose, and the correct fix would rather be to use https. Did you really check where this query comes from and why it uses http rather than https? For now my guess is that http is hardcoded somewhere, and I don't understand why using https rather than http seems beyond your control. Does it come from a 3rd party library? Or from an ASP.NET built-in mechanism such as a script manager?
To start with, did you find the place where this script is loaded?
Aug 19, 2017 04:59 PM|Anindita.Basak
The script is loaded from the WCF App service, which is hosted with the http:// URI scheme. From the ASP.NET MVC website, hosted with a valid CA certificate and the https:// URI scheme, we're trying to load the script from the app service. Since the scripts are loaded from web services hosted with http:// into the webpage with https://, the browser gives a mixed content security issue.
The website is hosted on AWS EC2 instances with an IIS 8.5 web server.
Is there any way to programmatically (application side) control loading scripts directly from the http:// WCF service into the ASP.NET https:// webpage?
Aug 21, 2017 09:11 AM|Edward Z
It is restricted by security when requesting an http resource from HTTPS. The recommended way is to secure the WCF service with https.
As another way, you may call the WCF service from a controller by adding a service reference to generate client code, and then request the controller again.
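For the question raised in the thread of where the insecure request originates, one option is to scan the rendered markup for subresources referenced over http:// from an https:// page. The following is an added example, not code from the thread; the page URL, the host 203.0.113.10 and the markup are constructed, and the function name `findMixedContent` is hypothetical.

```javascript
// Added example (not from the thread). Sample page URL and markup are constructed.
const SAMPLE_PAGE = 'https://app.example.test/dashboard';
const SAMPLE_HTML = `
<link rel="canonical" href="http://app.example.test/dashboard">
<link rel="stylesheet" href="http://203.0.113.10:9999/site.css">
<script src="/Scripts/jquery.signalR.min.js"></script>
<script src="http://203.0.113.10:9999/signalr/hubs"></script>
<script src="//cdn.example.test/lib.js"></script>
<img data-src="http://203.0.113.10/lazy.png" src='http://203.0.113.10/logo.png'>
`;

// Browsers block insecure active content outright; passive media is treated more leniently.
const ACTIVE = new Set(['script', 'iframe', 'link']);

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // mixed content only exists on secure pages
  const findings = [];
  // Simplified tag scan for illustration; a real audit should use an HTML parser.
  const tagRe = /<(script|iframe|link|img|audio|video|source)\b([^>]*)>/gi;
  const attrRe = /(?:^|\s)(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    // <link> only fetches a subresource here when it is a stylesheet.
    if (tag === 'link' && !/\brel\s*=\s*["']?stylesheet\b/i.test(m[2])) continue;
    const attr = attrRe.exec(m[2]);
    if (!attr) continue;
    let target;
    try {
      // Resolves relative and protocol-relative URLs against the page URL.
      target = new URL(attr[1] ?? attr[2] ?? attr[3], page);
    } catch { continue; }
    if (target.protocol !== 'http:') continue;
    const kind = ACTIVE.has(tag) ? 'blockable' : 'optionally-blockable';
    findings.push({ tag, url: target.href, kind });
  }
  return findings;
}

console.log(findMixedContent(SAMPLE_PAGE, SAMPLE_HTML));
```

Relative and protocol-relative references inherit the page's https scheme and are not reported, which is why serving the hub script from an https endpoint (or via a same-origin path) removes the finding.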