Non secure items on SSL in asp.net

[Brian Henry]

I created a project and it looks like everything is loading under HTTPS on
all the pages perfectly except one page that it loads saying that the page
contains both secure and non secure items... how would i check to see which
items are loading that are insecure on IIS? the page is writen in ASP.NET, I
know exactly which control is doing it (a custom writen one) but i cant seem
to figure out what in the control is doing it... is there logs or anything i
can debug to figure out what is causing this dialog to load asking if i want
to load the insecure items or not? thanks (in SSL connections the source
code is unviewable so i cant do it the easy way out)

 

[Nicole Calinoiu]

Brian,

Looking at the server side of things won't necessarily help you since the
item that is not being requested over https doens't necessarily come from
your site. A better approach is to look at the html source on the client,
which should be human-readable even if it's been loaded over https. The
kinds of things that might be causing the problem are:

1. Any request over http. A simple search for "http:" (without the quotes)
should reveal this.
2. Any frame, iframe, or img tags with a blank or unspecified src
attribute.
3. Any use of "about:____" pages. An example of this would be a frame
whose src attribute is set to "about:blank".

HTH,
Nicole

 

[bruce barker]

if you hit your site with netscape or mozilla, you can use PageInfo to
determine this easily.

-- bruce (sqlwork.com)

 

[Kevin Spencer]

It's not a matter of whether an item is "insecure on IIS" - an item is
secured via its URL. If it begins with "https" it is secure. Well, it's a
bit more complicated than that, due to relative URLs in a page. When a page
has a relative URL (e.g. "someFolder/someitem.aspx" or
"/someFolder/someItem.jpg"), the base portion of the URL (which includes the
protocol) is appended from the present location to the URL to form the
complete URL. So, for example, let's say you click a link that has an
absolute URL of "https://..." That page is secured via HTTPS. Now you click
a link on that page which is relative, to another page (e.g.
"/someFolder/somePage.aspx"). The protocol portion of the URL is appended to
the link to create an absolute one by the browser. So, the second page,
regardless of the lack of "https" in the link, because it is a relative URL,
is still secure. In fact, to get to a non-secured page, you would have to
use an absolute URL, with the protocol included, to change the base protocol
portion of the URL to a non-scured (HTTP) address.

An HTML document can include other resources in it, such as images. If the
URLs of these images are relative, and the page they are in is reached via
HTTPS, they will also be requested using HTTPS. However, there are times
when not all of the resources in a page have the same protocol. This results
in the type of message you saw.

The most bullet-proof way to prevent this: Use all absolute URLs in the
page.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

 

[Brian Henry]

eek, we're doing a secure email system which uses IFrames for HTML email
editing... that must be whats causing it... how would you fix this? thanks

 

[Nicole Calinoiu]

Brian,

Instead of using blank src attributes for your iframes (unspecified or
src="" or src="about:blank"), use a real page from your site when you want
the iframe to appear to be empty. e.g.: <iframe src="blank.htm"... where
blank.htm has html source like the following:

<html>
<head>
<title>Blank page</title>
</head>
<body>
</body>
</html>

HTH,
Nicole

 

[Brian Henry]

ahh thank you, ill see if that corrects the problem

 

[Brian Henry]

that fixed it, thanks

ahh thank you, ill see if that corrects the problem

if