ScriptResource.axd Access is denied. Cross-Domain iFrame - asp.net

We have a web page containing an iframe containing a page sharing an authentication cookie with its parent page. For example the iframe page is on the domain foo.domain.com and the page containing the iframe is on foo2.domain.com. Both share a cookie from domain.com. Authentication works great, but the problem is with ASP.NET in IE7, we always get a JavaScript error:
Access is denied.
ScriptResource.axd
We are using ASP.NET 3.5, we use Ajax Control Toolkit also (latest version 3.0.30930.0). The problem doesn't occur for IE8. No problem in Firefox and Chrome also.
Anyone encountered this problem before?

If there's a DNS redirection IE7 can have issues, e.g. if http://site.domain.com is really http://www.domain.com/site, the transparent DNS redirect has issues in IE7, but not the other browsers you mention. IE7 treats this as a cross-domain script and blocks...you just get Access Denied.
Is this the case, or something similar with redirects or different domains? If you can test the main page as just domain.com/ do you get the error? IE7 treats a child differently than a sibling.

In JavaScript you might need to change the document domain. It's possible IE7 is looking at the domains all the way to the server level: foo.domain.com != foo2.domain.com. IE8, et al, are likely taking the document domain at face value of *.domain.com.
Here's a quick related blog article on it: http://jszen.blogspot.com/2005/03/cross-domain-security-woes.html.
To copy the code though, adding the following to both pages should get it rolling again.
<script type="text/javascript">
document.domain="example.com";
</script>

Related

Legacy Webforms User Login/Session not persisted after redirect from iframe in Safari

I have a site which uses a payment service that exists inside an iframe to take the customer's credit card information.
In Chrome/Edge everything is working as expected, but in Safari, when the user is redirected back to the site via the iframe (the user is broken out of the iframe when returned to the site) the user is logged out and returned to the login screen.
This seems to be something that has happened in the last few months, but this may have just not been noticed. I am trying to wrap my head around the SameSite cookie information out there as this may be related.
Has anyone experienced anything like this and have any clue as to how to resolve?

It sounds very much like a SameSite problem.
A quick way to test that theory would be to set SameSite=None and test if it now works, then work back from there.
The fact that it works on Chrome but not Safari could suggest some quirk of Safari's implementation of SameSite.
I've found the following useful in learning about this:
https://web.dev/samesite-cookie-recipes/
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/
https://andrewwburns.com/2020/08/05/dont-be-lax-about-your-samesite-cookies/
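
To make the SameSite theory in the answer above concrete, here is a simplified model of when a browser attaches the login cookie on the trip back from the payment provider. It is an added example, not code from the thread; the host names and cookie name are constructed, "site" is approximated by the last two host labels, and whether the provider returns with GET or POST is an assumption the question does not state.

```javascript
// Simplified SameSite model (added example). Hosts and cookie names are constructed.
// Assumption: "site" = last two host labels; real browsers use the Public Suffix List.
const siteOf = (host) => host.split('.').slice(-2).join('.');

// Decide whether the browser attaches `cookie` to the request `req`.
function cookieIsSent(cookie, req) {
  if (cookie.secure && !req.https) return false;      // Secure cookies need HTTPS
  const crossSite = siteOf(req.initiatorHost) !== siteOf(req.targetHost);
  if (!crossSite) return true;                         // same-site: always attached
  switch (cookie.sameSite) {
    case 'None':                                       // only honoured together with Secure
      return cookie.secure === true;
    case 'Lax':                                        // top-level navigation with a safe method
      return req.topLevel && ['GET', 'HEAD'].includes(req.method);
    default:                                           // 'Strict': never sent cross-site
      return false;
  }
}

// The navigation back from the payment provider to the shop, breaking out of the iframe.
function returnFromPayment(sameSite, method, secure = true) {
  const authCookie = { name: 'auth', sameSite, secure };
  const req = {
    initiatorHost: 'pay.provider.example',   // constructed payment host
    targetHost: 'shop.merchant.example',     // constructed shop host
    method, topLevel: true, https: true,
  };
  return cookieIsSent(authCookie, req);
}

for (const mode of ['Strict', 'Lax', 'None']) {
  for (const method of ['GET', 'POST']) {
    console.log(mode.padEnd(6), method.padEnd(4), '->',
      returnFromPayment(mode, method) ? 'session kept' : 'logged out');
  }
}
```

If the provider returns with a cross-site POST, only `SameSite=None; Secure` keeps the session in this model, which is why the answer's quick test is a useful first step before tightening the setting again.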

Simulating a crawler on my website

I need to debug my web app, which is written in ASP.NET, to find out how it is acting when rendering the content for crawlers like Googlebot. The first thing I found was some online/offline tools, but none of them can pass the Request.Browser.IsCrawler flag.
Then I tried to simulate a handmade request adding the Googlebot UserAgent but still no chance.

I used Telerik Fiddler and Chrome while setting User-Agent to Googlebot/2.1 (+http://www.googlebot.com/bot.html), including _escaped_fragment_ in the URI and successfully saw the page from crawler perspective.

CSS load after redirect to https fails on WP7 browser

I have a test web page in Azure cloud where I have login page in https. My problem is that if I get to the login page via redirect, neither the CSS nor images get loaded in WP7 default browser - IE. Certificate is a self signed one - so I get the warning from browser before getting to the actual page.
The strange thing is that if I just click on refresh button after the initial loading - CSS and images get loaded OK. Also, if I go to the https login page directly without going through redirect - everything works OK again.
Server side is done with MVC3 and https redirect is done by adding [RequireHttps] attribute before the controller.
Fiddler logs do not show anything that would help me. In the redirect case I can see that after the html page has been loaded there is handshaking for getting the https tunnel up, but no requests for css or images. When I click refresh, Fiddler log seems to start the same way, but this time also CSS and image is loaded.
I have done quite a bit googling on this and none of the answers that I have found seem to help. CSS and image are loaded with relative links, so that should not be the issue. Directory access rights should be OK as well, because it works without redirect. It also works OK in Desktop IE and other mobile browsers that I have tried on.
Any help would be greatly appreciated.

ASP.NET website looks different when deployed

I have googled around for the answer to this question, but haven't come up with anything. Maybe the search terms I used were too generic... Anyway, here goes:
I am discovering the joys of web design and ASP.NET, and the nightmare of trying to get things to display in the same way in IE and all the other browsers.
I am working in VS2010 and debugging my website using IE8. What I really don't get is why the website once I publish it looks different in IE from the way it looks in debug mode... I mean small things only, like border in gridviews disappearing in the published site, simple html horizontal rules aren't the same either.
It also messed up my list menu pretty bad, but I managed to fix that with the *display: inline; hack. The weird thing is that it doesn't need it in debug mode, but needs it for the published website.
I am hosting the site on my own machine, running Win XP Pro and hosting through IIS with .NET 4.0... Could the issue be IIS related?
Any help would be much appreciated, because those differences are just ridiculous and are driving me to desperation. I wish everyone over here would use Chrome or Safari, but unfortunately IE still rules in Japan...

This works for me, overrides the setting in IE
META Tag in HEAD element of your web page (or better in master page)
<meta http-equiv="X-UA-Compatible" content="IE=8" />
link here to info
http://blogs.msdn.com/b/askie/archive/2009/03/23/understanding-compatibility-modes-in-internet-explorer-8.aspx

I find it better to override compatibility in the HTTP Response Headers in IIS, adding header:
X-UA-Compatible: IE=Edge
The IE=Edge part will set compatibility to use the highest mode available, will apply to all users, and also apply to all pages in the site whilst only having to put the header in one place.

I've seen similar behavior related to trusted sites/intranet sites/internet sites security settings. When you run in debug mode is the URL you are using different from when you publish it? I've seen sometimes when I debug using a URL like http://localhost/xxx and when I access the same site straight from IIS using a URL like http://machinename.domain.com/xxx that one resolves to a trusted site or local intranet and the other to internet and it changes the appearance based on the IE settings.

For those using ASP.NET MVC, you can add kgp4death's
<meta http-equiv="X-UA-Compatible" content="IE=8" />
to the head element in your _Layout.cshtml.

I think you have not given the correct path in the <script src="path">. Please check your path and also check the related file; you must place this file in the project folder.
I hope this suggestion solves your problem.

HTTPS does not work - Secure and Non secure data on web page?

I have a browser compatibility problem with https. I have SSL installed and in use. Until this morning, my https part was working well. Since then, https is shown as https (with a slash in red color), saying the page has some insecure content.
I have not changed any code and suddenly I see this problem in Chrome. In IE 8, I see the same problem but on every page, it shows me a popup asking if I should allow it to open secure and non secure or just secure. Firefox has no issues. It shows correct https without any problem. I am fed up with searching all over. Why is this happening for me in Chrome and IE 8?
Could someone tell me what the problem is and what can be done to solve it!
PS: I have also checked if the page source is any different when IE8 showed with and without secure data. Everything is the same. but viewstateID was different. Is that something that is creating this problem?
Thanks a lot in advance.

This is usually caused by having the absolute path to a resource specified somewhere on the page without having https specified, eg:
<img src="http://someurl.com/image.png">
If it's a link to something on your site, use https: or a relative path.

Do you have any third-party JavaScript included, like Google Analytics or other, that might have changed?
If you try with Firefox there is firebug you can add as an addon.
In there is a tab for network (net).
It lists everything the page loads.
In that list you should be able to find anything that gets loaded without https.

IE (correctly) complains when there is mixed http/https content as a security warning. Most other browsers do not typically complain when dealing with mixed content so your source is very likely the same in both instances.
I would second David Mårtensson's answer and say the issue is likely a third party library (google or MS hosted JQuery for example) or static asset server.
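
The check the answers above describe (find whatever the page loads without https) can also be run against saved page source. The following is an added example, not code from the thread: the function name and sample markup are constructed, with only the `<img>` URL taken from the first answer, and it separates active content (scripts, stylesheets, frames) from passive content (images, media).

```javascript
// Added example: list subresources that a page served over HTTPS pulls in via http://.
// Regex tag scan, adequate for an audit pass; it is not a full HTML parser.
const URL_ATTR = new Map(Object.entries({ script: 'src', iframe: 'src', embed: 'src',
  object: 'data', link: 'href', img: 'src', audio: 'src', video: 'src', source: 'src' }));
const ACTIVE = new Set(['script', 'iframe', 'embed', 'object', 'link']);

function findMixedContent(html) {
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attr = URL_ATTR.get(tag);
    if (!attr) continue;                 // e.g. <a href> is navigation, not a subresource
    // Only stylesheet links are fetched for rendering; skip rel="canonical" and similar.
    if (tag === 'link' && !/(?:^|\s)rel\s*=\s*["']?[^"'>]*stylesheet/i.test(attrs)) continue;
    // (?:^|\s) keeps data-src and similar attributes from matching as src.
    const re = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
    const m = re.exec(attrs);
    if (!m) continue;
    const url = (m[1] ?? m[2] ?? m[3]).trim();
    if (/^http:\/\//i.test(url)) {       // relative and protocol-relative URLs inherit https
      findings.push({ tag, url, kind: ACTIVE.has(tag) ? 'active' : 'passive' });
    }
  }
  return findings;
}

// Constructed sample page source.
const sampleHtml = `
<link rel="stylesheet" href="/Content/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://cdn.example/jquery.min.js"></script>
<script src="//cdn.example/analytics.js"></script>
<img src="http://someurl.com/image.png">
<img data-src="http://lazy.example/x.png" src="/img/x.png">
<a href="http://other.example/">link</a>`;

for (const f of findMixedContent(sampleHtml)) {
  console.log(f.kind.padEnd(7), f.tag.padEnd(6), f.url);
}
```

Resources injected at runtime by script do not appear in static source, so the browser's network tab remains the complementary check.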
