search

frenzypeng / securityswitch

Automatically exported from code.google.com/p/securityswitch
Other
0 stars 0 forks source link

Partially Encrypted Page Warning #15

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
In IE and FF, when using this module, the browser will throw the Partially 
Encrypted Page warning because of linked resources such as CSS, script files, 
images, etc.

This occurs when switching from http to https, and not the other way around.

It appears that the browsers are running their validation logic before the 301 
response is processed on the above mentioned paths.

A cache issue does not seem to be the culprit.

If I disable the securityswitch module, and navigate to the https version 
directly, no issue is present.

IE/FF on Win XP and Win 7.

Chrome and Safari either work correctly or don't warn.

Original issue reported on code.google.com by cra...@crgits.com on 5 Jun 2011 at 7:59

GoogleCodeExporter commented 8 years ago 
.NET 4.0 / VS2010

IIS Integrated mode

Original comment by cra...@crgits.com on 5 Jun 2011 at 8:02

GoogleCodeExporter commented 8 years ago 
This is actually expected behavior from the module. It is intercepting the 
request for your CSS and, not finding any entry in the configuration, is 
assuming it should be unencrypted. Therefore, it is redirecting those requests 
via HTTP.

You can change this behavior by adding one or more entries to your 
configuration for this module with the path(s) to your resources and indicating 
to ignore them. Here is an example.

<paths>
  ...
  <!-- 
    Ignore all requests for files in the Media sub-directory. 
    * This will keep the same protocol as the page when images or stylesheets are requested.
  -->
  <add path="~/Media/" security="Ignore" />
  ...

Original comment by vent...@gmail.com on 5 Jun 2011 at 3:17

GoogleCodeExporter commented 8 years ago 
Ok, I wasn't entirely sure that was the correct approach. Appreciate the 
response. I believe this exchange will be helpful to others.

Original comment by cra...@crgits.com on 5 Jun 2011 at 4:52

GoogleCodeExporter commented 8 years ago 
Yes. I've been considering having a new flag that tells the module to 
automatically ignore requests that it can absolutely determine are media 
resources. This will work if the resources are named conventionally (i.e. 
*.css, *.png, etc.). However, it won't work if a resource is delivered via a 
handler or other script (i.e. GetImage.ahxd, RenderStyles.aspx, etc.).

Original comment by vent...@gmail.com on 7 Jun 2011 at 10:44