tags:

views:

225

answers:

4
+3  Q: 

How do I get rid of the IE8 ssl warning message "Do you want to view only the webpage content that was delivered securely?” with ScriptManager?

A login page on our asp.net website uses https – while almost all of our other pages do not. On this login page, IE8 users receive the “Do you want to view only the webpage content that was delivered securely?” message. Many users press “Yes” out of habit which breaks our login page. I know the problem stems from the WebResource.axd and ScriptResource.axd script tags generated by ScriptManager.

I’ve tried every method of referencing ScriptResource.axd/WebResource.axd – but no matter what I do I get the same IE8 warning – some examples:

<script src='https://www.mysite.org/ScriptResource.axd?123' type="text/javascript"></script>
<script src=' /ScriptResource.axd?123' type="text/javascript"></script> 
<script src=' //www.mysite.org/ScriptResource.axd?123' type="text/javascript"></script>
<script src=' ../ScriptResource.axd?123' type="text/javascript"></script>

Here is an example of a simple page with no axd script (no IE8 prompt) and another page with the same markup and a single axd script (produces the IE8 prompt).

Thinking there might be some strange redirection in iis for axd files - I’ve even tried response.redirecting axd requests to secure urls in global.asax. Application_BeginRequest with no effect.

Does anyone know of a way to include the ScriptResource.axd/WebResource.axd scripts generated by script manager in a manner that does not trigger the "Do you want to view only the webpage content that was delivered securely?” IE8 message? Thanks!

+1  A: 

You have to deliver your scripts from an SSL encrypted server as well. VIA HTTPS. This occurs because some of the scripts are coming from non SSL channels.

Climber104  2010-07-27 20:53:41
Thanks for the quick answer - my second page (https://www.everyday-democracy.org/en/OneAxd.aspx) includes the scripts like this: <script src="https:// www. everyday-democracy.org/ScriptResource.axd?123" type="text/javascript"> </script> As you can see by visiting my example page - this still triggers the IE8 prompt. What am I doing wrong? Thanks again
jskunkle  2010-07-27 20:56:37
A: 

Use Fiddler2 to sniff the request that might give you more insight on what is being passed back and forth from the browser to the server.

Looking at the page load for your log in page all *.axd files are called over SSL.

Also have a look at your cookies are you writing/reading any cookies on the log in page. This can certainly cause the pop up message in both IE8 (and consequently FF 3.67 on my machine).

That's the best advice I can give as to where to look.

Hope it helps.

heads5150  2010-08-03 14:31:55
A: 

Not sure if you have looked at this page. It talks about using Fiddler to troubleshoot the issue (scroll down towards the end).

Internet Explorer 8 Mixed Content Handling

user279521  2010-08-03 15:03:18
I tried "Enable" the Display Of Mixed Content, then went to your site, and I did not get the messagebox.http://blogs.msdn.com/b/askie/archive/2009/05/14/mixed-content-and-internet-explorer-8-0.aspx
user279521  2010-08-03 15:04:12
+3  A: 

Looking at the traffic, something is redirecting https requests for ScriptResource.axd to the http equivalent. I'm not aware of any setting specific to ScriptResourceHandler that would do this, and I do know that we use MS AJAX scripts all the time over https without issue. I would try temporarily removing any Application_BeginRequest handler you have to see if it continues to redirect.

zinglon  2010-08-03 17:02:13
Thanks for your response and help - this ended up being the problem. We have custom code in beginrequest that redirects pages to https/http connections - so that only some pages serve over ssl connectionsI used Fiddler2 to take a look at the requests made by these pages - but I'm a newbie and didn't notice the requests back to http. Quick question - what tool did you use/what did you look for to see that we were redirecting the ScriptResource.axd requests to http? That would have been very helpful to notice early last week when I was tearing my hair out
jskunkle  2010-08-04 18:39:10
I used firebug's net tab and noticed the https request was redirected. I use and recommend fiddler, particularly for more detailed inspection, but firebug was at hand and sufficient this time.
zinglon  2010-08-04 20:19:34

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps