resources on secured web site

views:

answers:

+1 Q:

resources on secured web site

We have a web site in the domain, let's name: http://website.com. It is necessary to implement same look-and-feel on another web site (https://custom.website.com). As we can see, the 2nd is in the sub-domain of the 1st one, but it is secured (it uses https).

To achieve same look-and-feel same DLLs are used in both web sites. These DLLs contain functionality for menus, JavaScripts, etc). But the 2nd web-site uses images and some css files from the 1st one. For example, in order to display "Logo.png" instead of usual "~/Images/Logo.png" the following path to file is rendered into HTML: "http://website.com/Images/Logo.png"

All stuff was done on the local environment, and work perfect (http://localhost/ referred to http://website.com).

BUT, when web-site was deployed to 'real' (development) environment we got surprise: IE notifies:

webpage contains content that will not be delivered using a secure HTTPS connection

I see option to resolve an issue: we could include images into secured web site and use them locally, but in this case we will need to do redeployment if something changed on the main web site.

Question: is there any workaround, how from secured web site we could use images that are located on the non-secured.

Thanks. Any thoughts are welcome.

P.S. I am using ASP.NET 3.5, web sites are hosted under Windows 2008

+2 A:

You need to host your images, CSS and scripts (more generally, whatever is loaded from the webpage) on your HTTPS site too to avoid mixed-content.

Bruno 2010-09-13 14:43:45

I see workaround:

on the 2nd web-site implement functionality that will check (once per day or per hour) if own images are the latest and update them when necessary...

That is a some work, but with such solution web site will be easier to support.

If you see a better option, please let me know.

Thanks.

Budda 2010-09-13 15:45:13

To be honest, I'm not that familiar with IIS. Configuring Apache Httpd to serve the same static content from the same directory on disk to two distinct virtual hosts (one for HTTP and one for HTTPS) is definitely feasible. I'd assume that the same directory can be attached to two different places in a similar way in IIS. Perhaps putting that content in a dedicated directory which you'd serve under a common path might help (e.g. "/static").

Bruno 2010-09-13 15:57:35

+1 A:

Depending on the level of security and isolation you could set up a shared virtual directory for the two websites that point to the same physical location.

Example, create a directory at C:\inetpub\shared-static and create a virtual directory /static under each website pointing to C:\inetpub\shared-static. From there both websites can refer to the image like ~/static/logo.png as necessary for shared content. When the directory has a new file (or replaced file) placed in it, both websites will refer to the same file.

Joshua 2010-09-13 19:04:42

If you can enable support of https on the main web site, you could use https for the image urls instead of http.

Alternative as others have suggested is to sync images / or used a shared location when serving them.

eglasius 2010-09-13 19:52:05

Main web site should not be secured.

Budda 2010-09-13 22:09:11

@Budda not even enable it? / not force it ...

eglasius 2010-09-13 22:11:51

ansaurus

tags:

views:

answers:

resources on secured web site

related questions