"Connection Partially Encrypted" in Firefox - asp.net

I can't figure out if this is a bug in Firefox or an anomaly with the website as it only seems to occur through a specific sequence.
TLDR steps below
If you visit the main page (link below) and then click on the quotes link it will send you to a page called quoteconfig.aspx which checks for javascript and then redirects you if it's enabled otherwise it gives you a warning. After the automatic redirect Firefox shows a SSL warning about "Connection Partially Encrypted" (see the icon on the statusbar). However, if you click the sign in or my account links, which do not perform a javascript redirect, there's no SSL warning. Also, upon refreshing the page or browsing to another page then clicking the quotes links again the SSL warning goes away.
I've run Fiddler and Windows Network Monitor and verified that all links on the page are https://. It works fine on IE 7&8, Safari, Opera, and Chrome.
What else could it be?
steps:
visit the url below using Firefox
(tested on 3.0.5)
click on the quotes link
observe the SSL warning in the
statusbar
site link

It looks like the window.location = "quote.aspx" might be the culprit. On my browser, at least, it is redirecting to the http version of the page, not https. Then the http redirects to the https straight away with a 302.

Related

How to fix http/https url generation inside module settings/edit modal window iframe at DNN website?

For some reason DNN generates url for src of iframe inside every modal for editing module or module settings with different protocol on localhost and prod. On localhost when page is opened via https, iframe also has https url. At the same time on prod when page is opened via https, DNN generates http url there for some reason. As result I'm getting this error in dev tools console:
Mixed Content: The page at "" was loaded over HTTPS, but requested an
insecure frame. This request has been blocked; the content must be
served over HTTPS.
Found this solution.
Disabling modals would be really stupid solution as I need editing and settings for DNN modules. So I used workaround with meta tag added to a website via PersonaBar.
That fix actually works, but firstly, it's not the most convenient solution. Secondly, it's a crutch. If localhost can generate https link, then it means that prod also can. But why it doesn't? It's a code that is generated by DNN, not by my code. So as result I don't understand right now what's going on about it and why.
P.S. Just in case to clearify what I'm talking about:
login as superuser to your website
click pencil button to edit page
hover over any DNN module
click pencil icon "Edit module" or gear icon "Settings" (doesn't matter)
that's the modal window with iframe I'm talking about
P.S. I've asked this question at DNN forum yesterday already, but didn't recieve any answers there, so I'm duplicating it here.
DNN's SSL implementation requires a number of things to be in alignment, however, the following should be correct.
Within the security section SSL needs to be enabled, AND enforced, and the page that you are on also has to have the "Secure" flag set.
This is working for us in all production environments, so you so you should be fine.
(If using SSL Offloading, its a bit more tricky)

chrome is forcing https error for css and js files(Error - ERR_CERT_COMMON_NAME_INVALID)

Facing ERR_CERT_COMMON_NAME_INVALID, while loading css and js files in chrome browser.
While loading login.aspx page related css and js files are loading in IE and Mozilla where as in chrome its not loading. We have deployed the existing application in new server, same application is working on different server. Is there any configuration to be modified in IIS? I have verified both the environment which looks identical, any specific related configuration is helpful. please find the screen shot below
Screen shot
ERR_CERT_COMMON_NAME_INVALID is a very popular SSL error during loading the website. In most cases, the issue is due to certificate misconfiguration on a server. However, it may appear due to antivirus and firewall or aother third-party extensions. so you can try the following methods to solve the problem.
Check date and time are proper
Your Chrome browser will show ERR_CERT_COMMON_NAME_INVALID error in case the date and time are wrong on your computer or mobile device. Please recheck and adjust it on your via PC settings.
Check browser extensions
In some cases, the problematic browser extension could be a reason for the error. First of all, try to open the website in Incognito window and if that solves the issue then no need to check extensions. Otherwise, follow the next steps:
1.Click the "three dots" button on the top right corner of your browser window
2.Select More tools and Extensions
3.Turn off extensions one by one to find culprit extension and delete it to fix the browser error.
Check Installed SSL certificate
In Chrome, you have to click to the "Not Secure" button located on the left side of the address bar, and then click to "Certificate". There you will see the details of SSL certificate using the field "issued to".
Clear the SSL cache
The browser's SSL cache can be an issue. You have to try clearing the cache to resolve the error. click "Three dots" button on the top right side of the browser, find the "Settings". There you will find "Advanced settings" at the bottom of a page. Now find "Open Proxy Settings" and there you will see the "Content" tab with "Clear SSL state"

windows web server 2008 IIS7 keeps rediricting

In IIS7 I right click on the site and choose "Switch to content view" then add a text file called test.txt right click again and switch to features view. Double click the http redirect icon and see it's not forwarding.
Right click the site and switch to content view again now right click on test.txt and choose browse only to be forwarded to some other site that gives me 404 for not having /test.txt.
I don't know where to look anymore as the settings mentioned above would indicate there would be no forwarding but opening the file proves that it does.
When using forcecors plugin for firefox and making a ajax request to the text file I can see the response header: Location http://some_other_site/test.txt.
Hope it's something simple.
[update]
In the application I checked out the settings under "Url rewrite" and found a rule that redirects. Removed this rule and stopped started IIS but it's still forwarding. Could not find anything under System32\inetsvr\config that would indicate redirecting.
After removing the url rewrite rule and testing in the browser it kept on forwarding because I think my browser remembered it was moved. Cache settings on IIS should check if file has changed after it was last cached (I think last modified headers) but somehow a redirect works differently. Did not clear my browser cache and even doing that could still cause a problem with proxies caching it.
What I did was opening it this way:
http://develop.mysite.com/test.txt?refresh=newValue
Like magic I wasn't redirected and it works now. Start FF with another profile and see if that solves the problem as the new profile should not be aware of the sites response being "permanently moved" by a previous request.

CSS load after redirect to https fails on WP7 browser

I have a test web page in Azure cloud where I have login page in https. My problem is that if I get to the login page via redirect, neither the CSS or images get loaded in WP7 default browser - IE. Certificate is a self signed one - so I get the warning from browser before getting to the actual page.
The strange thing is that if I just click on refresh button after the initial loading - CSS and images gets loaded OK. Also, if I go to the https login page directly without going through redirect - everything works OK again.
Server side is done with MVC3 and https redirect is done by adding [RequireHttps] attribute before the controller.
Fiddler logs do not show anything that would help me. In the redirect case I can see that after the html page has been loaded there is handshaking for getting the https tunnel up, but no requests for css or images. When I click refresh, Fiddler log seems to start the same way, but this time also CSS and image is loaded.
I have done quite a bit googling on this and none of the answers that I have found seem to help. CSS and image are loaded with relative links, so that should not be the issue. Directory access rights should be OK as well, because it works without redirect. It also works OK in Desktop IE and other mobile browsers that I have tried on.
Any help would be greatly appreciated.

Chrome returns "Bad Request - Request Too Long" when navigating to local IIS Express

I have a web application that runs perfectly fine when I use the Visual Studio 2010 development server (Cassini). However when I try to use IIS Express to host the site Chrome just displays a "Bad Request - Request Too Long" error. The IIS Express site does display in other browsers (FireFox and IE9) so I'm kind of confused. The error occurs in Chrome when I try request pages in my application or even basic resources like an image, so I don't think it is an issue with URL rewriting or routing.
Just to see if the problem was somehow a result of my site's code, I created a new MVC3 website and tried running that. This worked in the VS development server, but once again produced the "Bad Request" error when running under IIS Express.
I am about to start testing the site using some mobile devices so I need to get this running under IIS. Any suggestions would be greatly appreciated.
EDIT:
The root url of the site (http://localhost:50650/) is being requested using GET. I am currently using Chrome v12.0.742.112.
I get this all the time ONLY in Chrome and I have to clear browsing data to fix it.
Wrench > Tools > Clear Browsing Data
Check the following:
Clear browsing history
Clear download history
Empty the cache
Delete cookies and other site data
Then click "Clear Browsing Data" button and refresh your page.
UPDATE:
I figured out that it has to do with writing too many cookies to the browser and that if you just close all instances of Chrome, the error goes away for a while. To prevent it, you'll need to clear out your cookies programmatically.
Instead of clearing all the cookies, just do the following:
Right click the lock in the address bar area (see picture below)
Under cookies there is a link saying how many cookies are used
Click that link
Remove all cookies in there (or just the troublesome if you can identify them)
Problem gone
This error is caused by a corrupt cookie for the website you are trying to view, so to clear it all you need to do is clear the bad cookie(s) for that website.
In Chrome, go to...
chrome://settings/cookies
(Or manually go to Settings->Advanced Settings->Privacy->Content->All Cookies and Site data)
From there, you can search for cookies that match the site you are having problems on. Finally, click "remove all" for the matching cookies.
The problem is usually that the site in question has accumulated too many cookies or created cookies which are too large, making the HTTP headers swell beyond the allowed maximum.
One-time work-around
As has been mentioned, you can go to Settings|Advanced|Content Settings|All Cookies and Site Data, search for the site in question, and delete the cookies using the X button on the right. This reduces the header size of the HTTP request when contacting the site.
Long-term work-around
In addition to removing them one-time, however, you can prevent further problems with heavy cookie sites by going to Settings|Advanced|Content Settings|Manage Exceptions, and add the base site url (e.g. "msdn.microsoft.*" without the quotes) and select Behavior as "Clear on Exit". You might have to login more often to these sites, but this should prevent the problem.
I encountered this problem when using ADB2C login from ASP.NET WebApp. In Firefox you can do similar use case to delete related coockies and problem is gone for a while. Click on HTTPS (i) lock icon with, select ">" button on the right, select More information, select Security tab, click on View Cookies and click on Remove All. Done 4 a while.
If Above methods didn't work then enter
chrome://settings/resetProfileSettings
and Click on Reset Settings
This will reset your startup page, new tab page, search engine, and pinned tabs. It will also disable all extensions and clear temporary data like cookies. Your bookmarks, history and saved passwords will not be cleared.

Resources