Finding nonsecure items in secure page



I am modifying an existing ASP.NET application to make it SSL
compatible. I have already searched the codebase and eliminated all
hardcoded "http" instances, replacing them with a method call that
returns the appropriate ("http" or "https") value in a given context. I
have also modified all iframe instances to ensure they always have a
valid src. But, when I run the application, I still encounter the
following Security dialog in IE:

Security Information

This page contains both secure and nonsecure items.

Do you want to display the nonsecure items?

(Yes) (No) (More Info)

My problem is that I can't figure out what is causing IE to report this
problem. Changing the settings in IE, while a popular solution in the
IE groups, is not a solution. I need to fix the underlying problem in
the application to provide users an acceptable user experience.

I tried using Fiddler to capture the non-SSL traffic from the browser
to IIS, but it would appear there is no traffic associated with the
warning, at least not traffic that Fiddler would intercept.

Unfortunately, because of the characteristics of the specific window
encountering the problem, I cannot display the page's source (the
right-click IE menu is being suppressed).

Anyone have any ideas?

Is there something other than a reference through an explicit "http:"
or an iframe without a non-null src specified that causes this dialog to
be displayed?

Hasn't someone built a plugin for IIS that would allow for monitoring
SSL traffic? Or, something to act as IE? (unfortunately, this is a very
IE dependent application, so I can't experiment with alternate browsers
unless they are fully IE compatible).

Thank you in advance for your help,
Marc
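
An added example, not part of the original post: a Python scanner that checks rendered markup for the two causes the post names, explicit "http:" references the browser fetches while rendering, and iframes without a src. It assumes the HTML can be obtained some other way than View Source (for example saved from the server response); the attribute list and the sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make the browser fetch something while rendering (list
# assumed for this example). <a href> is navigation and is not flagged.
FETCH_ATTRS = {"src", "background", "codebase", "data"}
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, reason, value)

    def _report(self, tag, reason, value):
        self.findings.append((self.getpos()[0], tag, reason, value))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        # An iframe/frame with no usable src is the second cause in the post.
        if tag in ("iframe", "frame") and not attrs.get("src"):
            self._report(tag, "frame without src", "")
        for name, value in attrs.items():
            fetches = name in FETCH_ATTRS or (tag == "link" and name == "href")
            if fetches and value.lower().startswith("http://"):
                self._report(tag, f"insecure {name}", value)
            if name == "style":
                for url in CSS_URL.findall(value):
                    self._report(tag, "insecure url() in style", url)

def scan(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample markup, not taken from the application in the post.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.test/site.css">
</head><body>
<a href="http://example.test/help">help</a>
<img src="https://example.test/logo.gif">
<img src="http://example.test/spacer.gif">
<iframe name="popup"></iframe>
<iframe src="/blank.htm"></iframe>
<div style="background-image: url(http://example.test/bg.gif)"></div>
</body></html>"""

if __name__ == "__main__":
    for line, tag, reason, value in scan(SAMPLE):
        print(f"line {line}: <{tag}> {reason} {value}")
```

Markup written by script at run time does not appear in a saved response, so a clean result here only covers the static HTML.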
