Non secure items on SSL in asp.net

I created a project and it looks like everything is loading under HTTPS on
all the pages perfectly except one page that it loads saying that the page
contains both secure and non secure items... how would i check to see which
items are loading that are insecure on IIS? the page is writen in ASP.NET, I
know exactly which control is doing it (a custom writen one) but i cant seem
to figure out what in the control is doing it... is there logs or anything i
can debug to figure out what is causing this dialog to load asking if i want
to load the insecure items or not? thanks (in SSL connections the source
code is unviewable so i cant do it the easy way out)

Brian Henry

Brian,

Looking at the server side of things won't necessarily help you since the
item that is not being requested over https doens't necessarily come from
your site. A better approach is to look at the html source on the client,
which should be human-readable even if it's been loaded over https. The
kinds of things that might be causing the problem are:

1. Any request over http. A simple search for "http:" (without the quotes)
should reveal this.
2. Any frame, iframe, or img tags with a blank or unspecified src
attribute.
3. Any use of "about:____" pages. An example of this would be a frame
whose src attribute is set to "about:blank".

HTH,
Nicole


"Brian Henry" <> wrote in message
news:...
>I created a project and it looks like everything is loading under HTTPS on
> all the pages perfectly except one page that it loads saying that the page
> contains both secure and non secure items... how would i check to see
> which
> items are loading that are insecure on IIS? the page is writen in ASP.NET,
> I
> know exactly which control is doing it (a custom writen one) but i cant
> seem
> to figure out what in the control is doing it... is there logs or anything
> i
> can debug to figure out what is causing this dialog to load asking if i
> want
> to load the insecure items or not? thanks (in SSL connections the source
> code is unviewable so i cant do it the easy way out)
>
>

Nicole Calinoiu

if you hit your site with netscape or mozilla, you can use PageInfo to
determine this easily.

-- bruce (sqlwork.com)


"Brian Henry" <> wrote in message
news:...
> I created a project and it looks like everything is loading under HTTPS on
> all the pages perfectly except one page that it loads saying that the page
> contains both secure and non secure items... how would i check to see
which
> items are loading that are insecure on IIS? the page is writen in ASP.NET,
I
> know exactly which control is doing it (a custom writen one) but i cant
seem
> to figure out what in the control is doing it... is there logs or anything
i
> can debug to figure out what is causing this dialog to load asking if i
want
> to load the insecure items or not? thanks (in SSL connections the source
> code is unviewable so i cant do it the easy way out)
>
>

bruce barker

It's not a matter of whether an item is "insecure on IIS" - an item is
secured via its URL. If it begins with "https" it is secure. Well, it's a
bit more complicated than that, due to relative URLs in a page. When a page
has a relative URL (e.g. "someFolder/someitem.aspx" or
"/someFolder/someItem.jpg"), the base portion of the URL (which includes the
protocol) is appended from the present location to the URL to form the
complete URL. So, for example, let's say you click a link that has an
absolute URL of "https://..." That page is secured via HTTPS. Now you click
a link on that page which is relative, to another page (e.g.
"/someFolder/somePage.aspx"). The protocol portion of the URL is appended to
the link to create an absolute one by the browser. So, the second page,
regardless of the lack of "https" in the link, because it is a relative URL,
is still secure. In fact, to get to a non-secured page, you would have to
use an absolute URL, with the protocol included, to change the base protocol
portion of the URL to a non-scured (HTTP) address.

An HTML document can include other resources in it, such as images. If the
URLs of these images are relative, and the page they are in is reached via
HTTPS, they will also be requested using HTTPS. However, there are times
when not all of the resources in a page have the same protocol. This results
in the type of message you saw.

The most bullet-proof way to prevent this: Use all absolute URLs in the
page.

--
HTH,
Kevin Spencer
..Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

"Brian Henry" <> wrote in message
news:...
> I created a project and it looks like everything is loading under HTTPS on
> all the pages perfectly except one page that it loads saying that the page
> contains both secure and non secure items... how would i check to see
which
> items are loading that are insecure on IIS? the page is writen in ASP.NET,
I
> know exactly which control is doing it (a custom writen one) but i cant
seem
> to figure out what in the control is doing it... is there logs or anything
i
> can debug to figure out what is causing this dialog to load asking if i
want
> to load the insecure items or not? thanks (in SSL connections the source
> code is unviewable so i cant do it the easy way out)
>
>

Kevin Spencer

eek, we're doing a secure email system which uses IFrames for HTML email
editing... that must be whats causing it... how would you fix this? thanks


"Nicole Calinoiu" <> wrote in message
news:...
> Brian,
>
> Looking at the server side of things won't necessarily help you since the
> item that is not being requested over https doens't necessarily come from
> your site. A better approach is to look at the html source on the client,
> which should be human-readable even if it's been loaded over https. The
> kinds of things that might be causing the problem are:
>
> 1. Any request over http. A simple search for "http:" (without the
quotes)
> should reveal this.
> 2. Any frame, iframe, or img tags with a blank or unspecified src
> attribute.
> 3. Any use of "about:____" pages. An example of this would be a frame
> whose src attribute is set to "about:blank".
>
> HTH,
> Nicole
>
>
> "Brian Henry" <> wrote in message
> news:...
> >I created a project and it looks like everything is loading under HTTPS
on
> > all the pages perfectly except one page that it loads saying that the
page
> > contains both secure and non secure items... how would i check to see
> > which
> > items are loading that are insecure on IIS? the page is writen in
ASP.NET,
> > I
> > know exactly which control is doing it (a custom writen one) but i cant
> > seem
> > to figure out what in the control is doing it... is there logs or
anything
> > i
> > can debug to figure out what is causing this dialog to load asking if i
> > want
> > to load the insecure items or not? thanks (in SSL connections the source
> > code is unviewable so i cant do it the easy way out)
> >
> >
>
>

Brian Henry

Brian,

Instead of using blank src attributes for your iframes (unspecified or
src="" or src="about:blank"), use a real page from your site when you want
the iframe to appear to be empty. e.g.: <iframe src="blank.htm"... where
blank.htm has html source like the following:

<html>
<head>
<title>Blank page</title>
</head>
<body>
</body>
</html>

HTH,
Nicole



"Brian Henry" <> wrote in message
news:...
> eek, we're doing a secure email system which uses IFrames for HTML email
> editing... that must be whats causing it... how would you fix this? thanks
>
>
> "Nicole Calinoiu" <> wrote in message
> news:...
>> Brian,
>>
>> Looking at the server side of things won't necessarily help you since the
>> item that is not being requested over https doens't necessarily come from
>> your site. A better approach is to look at the html source on the
>> client,
>> which should be human-readable even if it's been loaded over https. The
>> kinds of things that might be causing the problem are:
>>
>> 1. Any request over http. A simple search for "http:" (without the
> quotes)
>> should reveal this.
>> 2. Any frame, iframe, or img tags with a blank or unspecified src
>> attribute.
>> 3. Any use of "about:____" pages. An example of this would be a frame
>> whose src attribute is set to "about:blank".
>>
>> HTH,
>> Nicole
>>
>>
>> "Brian Henry" <> wrote in message
>> news:...
>> >I created a project and it looks like everything is loading under HTTPS
> on
>> > all the pages perfectly except one page that it loads saying that the
> page
>> > contains both secure and non secure items... how would i check to see
>> > which
>> > items are loading that are insecure on IIS? the page is writen in
> ASP.NET,
>> > I
>> > know exactly which control is doing it (a custom writen one) but i cant
>> > seem
>> > to figure out what in the control is doing it... is there logs or
> anything
>> > i
>> > can debug to figure out what is causing this dialog to load asking if i
>> > want
>> > to load the insecure items or not? thanks (in SSL connections the
>> > source
>> > code is unviewable so i cant do it the easy way out)
>> >
>> >
>>
>>
>
>

Nicole Calinoiu

ahh thank you, ill see if that corrects the problem

"Nicole Calinoiu" <> wrote in message
news:...
> Brian,
>
> Instead of using blank src attributes for your iframes (unspecified or
> src="" or src="about:blank"), use a real page from your site when you want
> the iframe to appear to be empty. e.g.: <iframe src="blank.htm"... where
> blank.htm has html source like the following:
>
> <html>
> <head>
> <title>Blank page</title>
> </head>
> <body>
> </body>
> </html>
>
> HTH,
> Nicole
>
>
>
> "Brian Henry" <> wrote in message
> news:...
> > eek, we're doing a secure email system which uses IFrames for HTML email
> > editing... that must be whats causing it... how would you fix this?
thanks
> >
> >
> > "Nicole Calinoiu" <> wrote in message
> > news:...
> >> Brian,
> >>
> >> Looking at the server side of things won't necessarily help you since
the
> >> item that is not being requested over https doens't necessarily come
from
> >> your site. A better approach is to look at the html source on the
> >> client,
> >> which should be human-readable even if it's been loaded over https.
The
> >> kinds of things that might be causing the problem are:
> >>
> >> 1. Any request over http. A simple search for "http:" (without the
> > quotes)
> >> should reveal this.
> >> 2. Any frame, iframe, or img tags with a blank or unspecified src
> >> attribute.
> >> 3. Any use of "about:____" pages. An example of this would be a frame
> >> whose src attribute is set to "about:blank".
> >>
> >> HTH,
> >> Nicole
> >>
> >>
> >> "Brian Henry" <> wrote in message
> >> news:...
> >> >I created a project and it looks like everything is loading under
HTTPS
> > on
> >> > all the pages perfectly except one page that it loads saying that the
> > page
> >> > contains both secure and non secure items... how would i check to see
> >> > which
> >> > items are loading that are insecure on IIS? the page is writen in
> > ASP.NET,
> >> > I
> >> > know exactly which control is doing it (a custom writen one) but i
cant
> >> > seem
> >> > to figure out what in the control is doing it... is there logs or
> > anything
> >> > i
> >> > can debug to figure out what is causing this dialog to load asking if
i
> >> > want
> >> > to load the insecure items or not? thanks (in SSL connections the
> >> > source
> >> > code is unviewable so i cant do it the easy way out)
> >> >
> >> >
> >>
> >>
> >
> >
>
>

Brian Henry

that fixed it, thanks


"Brian Henry" <> wrote in message
news:...
> ahh thank you, ill see if that corrects the problem
>
> "Nicole Calinoiu" <> wrote in message
> news:...
> > Brian,
> >
> > Instead of using blank src attributes for your iframes (unspecified or
> > src="" or src="about:blank"), use a real page from your site when you
want
> > the iframe to appear to be empty. e.g.: <iframe src="blank.htm"...
where
> > blank.htm has html source like the following:
> >
> > <html>
> > <head>
> > <title>Blank page</title>
> > </head>
> > <body>
> > </body>
> > </html>
> >
> > HTH,
> > Nicole
> >
> >
> >
> > "Brian Henry" <> wrote in message
> > news:...
> > > eek, we're doing a secure email system which uses IFrames for HTML
email
> > > editing... that must be whats causing it... how would you fix this?
> thanks
> > >
> > >
> > > "Nicole Calinoiu" <> wrote in message
> > > news:...
> > >> Brian,
> > >>
> > >> Looking at the server side of things won't necessarily help you since
> the
> > >> item that is not being requested over https doens't necessarily come
> from
> > >> your site. A better approach is to look at the html source on the
> > >> client,
> > >> which should be human-readable even if it's been loaded over https.
> The
> > >> kinds of things that might be causing the problem are:
> > >>
> > >> 1. Any request over http. A simple search for "http:" (without the
> > > quotes)
> > >> should reveal this.
> > >> 2. Any frame, iframe, or img tags with a blank or unspecified src
> > >> attribute.
> > >> 3. Any use of "about:____" pages. An example of this would be a
frame
> > >> whose src attribute is set to "about:blank".
> > >>
> > >> HTH,
> > >> Nicole
> > >>
> > >>
> > >> "Brian Henry" <> wrote in message
> > >> news:...
> > >> >I created a project and it looks like everything is loading under
> HTTPS
> > > on
> > >> > all the pages perfectly except one page that it loads saying that
the
> > > page
> > >> > contains both secure and non secure items... how would i check to
see
> > >> > which
> > >> > items are loading that are insecure on IIS? the page is writen in
> > > ASP.NET,
> > >> > I
> > >> > know exactly which control is doing it (a custom writen one) but i
> cant
> > >> > seem
> > >> > to figure out what in the control is doing it... is there logs or
> > > anything
> > >> > i
> > >> > can debug to figure out what is causing this dialog to load asking
if
> i
> > >> > want
> > >> > to load the insecure items or not? thanks (in SSL connections the
> > >> > source
> > >> > code is unviewable so i cant do it the easy way out)
> > >> >
> > >> >
> > >>
> > >>
> > >
> > >
> >
> >
>
>

Brian Henry