[CLOSED] Security Error when using History control in IE6

  1. #1

    When running IE6 in a secure site (HTTPS mode), the History control creates a security error (mixed content). This behavior can be seen in the following stripped-down page so you can recreate it. Please let me know what can be done to avoid this security error when using the History control.


    <%@ Page Language="VB" %>
    
    <%@ Register Assembly="Ext.Net" Namespace="Ext.Net" TagPrefix="ext" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <script runat="server">
    
    </script>
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
        <div>
            <ext:resourcemanager id="ResourceManager1" runat="server" />
            <ext:history id="hist1" runat="server" />
        </div>
        </form>
    </body>
    </html>
    Last edited by Daniil; Feb 17, 2012 at 6:17 AM. Reason: [CLOSED]
  2. #2
    Hi,

    What URL does the History request? You can use Fiddler to inspect requests.

    Can you see resource requests without HTTPS?
  3. #3
    I'm working with him on this issue. I ran the page through Fiddler and the request is below with empty columns removed. This request is not present when the History control is removed. Let me know if you need any additional information from Fiddler.

    #	Result	Protocol	Host		URL				Body		Process		
    3	200		HTTP		Tunnel to	mycomputer:443	0			iexplore:2700
  4. #4
    Could you answer the following two questions?

    Originally posted by Daniil:
    What URL does the History request?

    Can you see resource requests without HTTPS?
  5. #5
    I'm not sure how to answer your questions. I have not set up the History control to do anything, just added it to the page. Using the example above, which is just a blank page, I get the error when loading the page over HTTPS.

    All requests over http:
    #	Result	Protocol	Host		URL	
    1	200		HTTP		mycomputer	/history.aspx
    2	200		HTTP		mycomputer	/WebResource.axd?d=YbVJQ6TDxPBKoVeBVAMvdzSYJ0Y7D9ITwGJsg9MrkPNKIJc7NjvioMEs12hdh-YXsPFsqv_U6D4JRbO0Pr7y2gXr8DsmrHmgTnOUjpgITJyLjLRSKhyC6pxyYzP614OFBBGVBXk1uIrhlalBvjoLoO272jKw-3SGvrJTXhvLs8I1&t=634601660146194373	
    3	200		HTTP		mycomputer	/WebResource.axd?d=BP-27ZfA3WoK_vVSFZkur7uLuXY0ekchU65ADBl_zO8pHhoJPYRTYffgmJFRgB5w7itUGU8XKilw5MSazvSnonmErhEZOuaiPzKD5XxtJJP-PVnMSMSkrxvUuWJsSO6w0q_xex-fLqTPQ4OL1IC6Uqye656ZJ2w8QlvwSF4asKU1&t=634601660146194373	
    4	200		HTTP		mycomputer	/WebResource.axd?d=1DH1M5UrKCXVm5LYi9cMO8yArA_N6bWGWe4A4OA6-tDCGQZ8y-zJvCIT3rHnNavE1ujIfTHo-b8Mgg-otex116_uB12Ovrtjm8lamH86chVAf2mxnIzg_cVLsCWIbtGGoNo-VqXnF5SwF6LPhRnuKQ2&t=634601660146194373	
    5	200		HTTP		mycomputer	/WebResource.axd?d=bxqQ3dLRiCFvjrpK4puvr-tCJdpV52izxrhluYJChQocTBkc3yETGAp3mZYBFIxz9ZUdZ-508sG6KOz-zf4IbWY-Bf0Zr-o9MI-0ycMe_ksc32bBETmY6i_9xrkPNirnuUtexBzamW0KRmUBE-QRJMLI9e7PnQX9YT8I3jbFXdM1&t=634601660146194373
    All requests made over HTTPS (see request #3):
    #	Result	Protocol	Host		URL
    1	200		HTTPS		mycomputer	/history.aspx
    2	304		HTTPS		mycomputer	/WebResource.axd?d=YbVJQ6TDxPBKoVeBVAMvdzSYJ0Y7D9ITwGJsg9MrkPNKIJc7NjvioMEs12hdh-YXsPFsqv_U6D4JRbO0Pr7y2gXr8DsmrHmgTnOUjpgITJyLjLRSKhyC6pxyYzP614OFBBGVBXk1uIrhlalBvjoLoO272jKw-3SGvrJTXhvLs8I1&t=634601660146194373
    3	200		HTTP		Tunnel to	mycomputer:443
    4	304		HTTPS		mycomputer	/WebResource.axd?d=BP-27ZfA3WoK_vVSFZkur7uLuXY0ekchU65ADBl_zO8pHhoJPYRTYffgmJFRgB5w7itUGU8XKilw5MSazvSnonmErhEZOuaiPzKD5XxtJJP-PVnMSMSkrxvUuWJsSO6w0q_xex-fLqTPQ4OL1IC6Uqye656ZJ2w8QlvwSF4asKU1&t=634601660146194373
    5	304		HTTPS		mycomputer	/WebResource.axd?d=1DH1M5UrKCXVm5LYi9cMO8yArA_N6bWGWe4A4OA6-tDCGQZ8y-zJvCIT3rHnNavE1ujIfTHo-b8Mgg-otex116_uB12Ovrtjm8lamH86chVAf2mxnIzg_cVLsCWIbtGGoNo-VqXnF5SwF6LPhRnuKQ2&t=634601660146194373
    6	304		HTTPS		mycomputer	/WebResource.axd?d=bxqQ3dLRiCFvjrpK4puvr-tCJdpV52izxrhluYJChQocTBkc3yETGAp3mZYBFIxz9ZUdZ-508sG6KOz-zf4IbWY-Bf0Zr-o9MI-0ycMe_ksc32bBETmY6i_9xrkPNirnuUtexBzamW0KRmUBE-QRJMLI9e7PnQX9YT8I3jbFXdM1&t=634601660146194373
    All requests made over HTTPS when only history control is removed from example (no error reported in IE6):
    #	Result	Protocol	Host		URL
    1	200		HTTPS		mycomputer	/history.aspx
    2	200		HTTPS		mycomputer	/WebResource.axd?d=YbVJQ6TDxPBKoVeBVAMvdzSYJ0Y7D9ITwGJsg9MrkPNKIJc7NjvioMEs12hdh-YXsPFsqv_U6D4JRbO0Pr7y2gXr8DsmrHmgTnOUjpgITJyLjLRSKhyC6pxyYzP614OFBBGVBXk1uIrhlalBvjoLoO272jKw-3SGvrJTXhvLs8I1&t=634601660146194373
    3	200		HTTPS		mycomputer	/WebResource.axd?d=BP-27ZfA3WoK_vVSFZkur7uLuXY0ekchU65ADBl_zO8pHhoJPYRTYffgmJFRgB5w7itUGU8XKilw5MSazvSnonmErhEZOuaiPzKD5XxtJJP-PVnMSMSkrxvUuWJsSO6w0q_xex-fLqTPQ4OL1IC6Uqye656ZJ2w8QlvwSF4asKU1&t=634601660146194373
    4	200		HTTPS		mycomputer	/WebResource.axd?d=1DH1M5UrKCXVm5LYi9cMO8yArA_N6bWGWe4A4OA6-tDCGQZ8y-zJvCIT3rHnNavE1ujIfTHo-b8Mgg-otex116_uB12Ovrtjm8lamH86chVAf2mxnIzg_cVLsCWIbtGGoNo-VqXnF5SwF6LPhRnuKQ2&t=634601660146194373
    5	200		HTTPS		mycomputer	/WebResource.axd?d=bxqQ3dLRiCFvjrpK4puvr-tCJdpV52izxrhluYJChQocTBkc3yETGAp3mZYBFIxz9ZUdZ-508sG6KOz-zf4IbWY-Bf0Zr-o9MI-0ycMe_ksc32bBETmY6i_9xrkPNirnuUtexBzamW0KRmUBE-QRJMLI9e7PnQX9YT8I3jbFXdM1&t=634601660146194373
  6. #6
    The bug ticket has been created.
    https://extnet.lighthouseapp.com/pro...gs/tickets/247

    We are facing some problems with SVN right now and I can't commit the fix.

    Here are the changes you can apply to your local sources and rebuild the solution.

    1. <Ext.Net SVN root>\Ext.Net\Core\RequestManager.cs

    Please add:
    public static bool IsSecureConnection
    {
        get
        {
            return HttpContext.Current != null && HttpContext.Current.Request.IsSecureConnection;
        }
    }

    2. <Ext.Net SVN root>\Ext.Net\Core\X.cs

    Please add:
    public static bool IsSecureConnection
    {
        get
        {
            return RequestManager.IsSecureConnection;
        }
    }

    3. <Ext.Net SVN root>\Ext.Net\Ext\History.cs

    Replace the Render method with:
    protected override void Render(HtmlTextWriter writer)
    {
        base.Render(writer);
    
        if (!this.IsInForm && this.RenderForm)
        {
            writer.Write("<form id=\"history-form\" class=\"x-hidden\">");
        }
        else
        {
            writer.Write("<div class=\"x-hidden\">");
        }
    
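        // IE over HTTPS: avoid about:blank, which triggers the mixed-content warning reported in this thread.
        string src = X.IsSecureConnection && X.IsIE ? "javascript:''" : "about:blank";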
    
        writer.Write("<input type=\"hidden\" id=\"x-history-field\" />");
        writer.Write(string.Format("<iframe id=\"x-history-frame\" src=\"{0}\"></iframe>", src));
    
        if (!this.IsInForm && this.RenderForm)
        {
            writer.Write("</form>");
        }
        else
        {
            writer.Write("</div>");
        }
    }

    4. Build the solution.


    Thanks for the report!
    Last edited by Daniil; Feb 13, 2012 at 4:33 PM.
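
To check rendered page source for the iframe condition that post #6 works around, the following added example (not part of the thread and not Ext.NET code) scans markup for iframes likely to raise the IE6 mixed-content prompt on an HTTPS page. The function names `auditIframes` and `attr`, the sample markup, and the set of flagged src values are assumptions made for this example.

```javascript
// Constructed sample markup, built from the strings the Render method in post #6 writes.
const ABOUT_BLANK_MARKUP = `<div class="x-hidden"><input type="hidden" id="x-history-field" />` +
  `<iframe id="x-history-frame" src="about:blank"></iframe></div>`;
const JS_SRC_MARKUP = `<div class="x-hidden"><input type="hidden" id="x-history-field" />` +
  `<iframe id="x-history-frame" src="javascript:''"></iframe></div>`;

// Read one attribute value (double-quoted, single-quoted or bare) from a tag's attribute text.
function attr(attrs, name) {
  const re = new RegExp(
    "(?:^|\\s)" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s\"'>]+))", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Assumption: on an HTTPS page, IE6 treats an iframe with no src, src="about:blank"
// or an http:// src as non-secure content. Returns one finding per flagged iframe.
function auditIframes(html, pageIsHttps) {
  const findings = [];
  if (!pageIsHttps) return findings; // the prompt only appears on HTTPS pages
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const id = attr(m[1], "id") || "(no id)";
    const src = attr(m[1], "src");
    const value = src === null ? "" : src.trim();
    let reason = null;
    if (value === "") reason = "missing src";
    else if (/^about:blank$/i.test(value)) reason = "about:blank";
    else if (/^http:\/\//i.test(value)) reason = "http:// source";
    if (reason) findings.push({ id, src, reason });
  }
  return findings;
}

console.log(auditIframes(ABOUT_BLANK_MARKUP, true)); // flags x-history-frame
console.log(auditIframes(JS_SRC_MARKUP, true));      // no findings
```
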
  7. #7
    Thank you for the quick turnaround. As we cannot update to the latest version because of deadlines, this is perfect! I will let you know ASAP if we have any issues with this fix.
  8. #8
    Thanks for the update. We will await your feedback on the fix.
  9. #9
    I am not having any luck with setting the src property to javascript:'' in the render event. It is emitting that code for secure connections, but I am still getting the mixed content message. I am still searching for alternative src settings. I'm not sure if the "<B></B>" is supposed to be part of the src string, but I tried with and without it.

    EDIT: Please wait before further investigation. I have found what I have done wrong and believe the above solution works.
    Last edited by BGRhoades; Feb 13, 2012 at 4:42 PM.
  10. #10
    Originally posted by BGRhoades:
    I'm not sure if the "<B></B>" is supposed to be part of the src string, but I tried with and without it.
    Thanks for the report, I missed that.

    These "<b></b>" appear in the WYSIWYG editor and I was unable to avoid them. They should be removed in the C# code.


    Originally posted by BGRhoades:
    I am not having any luck with setting the src property to javascript:'' in the render event. It is emitting that code for secure connections, but I am still getting the mixed content message. I am still searching for alternative src settings.
    Could you post the page source as it is rendered to the client on your side?