
Resolving the HTTP/HTTPS “Document contains both secure/unsecure content” message

One of the most commonly encountered issues when developing websites that must support both HTTP and HTTPS pages is the warning that a secure page “contains both secure and unsecure content”. In a nutshell this is when a page that is being displayed via the HTTPS protocol contains one or more references to additional resources (JS/CSS/Images) using just HTTP.

The solution is easy and well documented for locally referenced resources, in that when making the reference to the required file you exclude the protocol and domain name ending up with something like “/styles/main.css”, which will quite happily call “main.css” from a “styles” folder in the root of the web application regardless of whether the containing page is being called by HTTP or HTTPS.

Note: .NET provides functionality such as ResolveUrl(“~/styles/main.css”), which should always be used in preference to hard-coded paths such as “/styles/main.css”. ResolveUrl(…) works regardless of whether the web application has been set up in IIS as a website or as a child application of a parent website. The hard-coded path, however, always resolves against the root of the website, so if your web application has been deployed within IIS as a child application of a website you will typically see lots of 404s because the browser is unable to locate the resources using the URL provided.

Externally referenced resources have typically proved more troublesome. I’ve seen quick and dirty solutions that always call external references via HTTPS. This gets around the warning when viewing the calling page in HTTPS, but introduces additional processing/overheads when viewing the referencing page in HTTP. More typically the URL for the required external resource is passed to a helper function, which determines which protocol to add depending upon whether the containing page is HTTP or HTTPS.

But it would appear that all the solutions for resolving the protocol for externally referenced resources were over-engineered! Under the section A Better Solution, Dave Ward provides a solution that is pretty much identical to the tried and tested internally referenced resource solution. Basically the RFC 3986 spec allows resources to be referenced using a protocol-less format. So instead of worrying whether you should be calling “http://cdn.domain/common-resouce.js” or “https://cdn.domain/common-resouce.js”, you can just call “//cdn.domain/common-resouce.js” and the protocol to be used for the external reference is determined by the protocol context of the containing page! Thanks for highlighting this Dave, much easier!
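The resolution behaviour described above, checked in code, together with a small audit for references that would still trigger the warning. This is an added example, not code from the original post or from Dave Ward's article; the function names, hostnames and sample markup are constructed for illustration.

```javascript
// Added example: hostnames and markup below are constructed sample data.

// Resolve a reference against the containing page, as a browser does
// (RFC 3986 section 5, implemented by the WHATWG URL class).
function resolveRef(ref, pageUrl) {
  return new URL(ref, pageUrl).href;
}

// List subresource references that would load over plain HTTP from an
// HTTPS page, i.e. the ones behind the mixed-content warning.
// Regex-based for brevity; it is an audit aid, not a full HTML parser.
function findInsecureRefs(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // warning only applies to HTTPS pages
  const found = [];
  // <a href> is navigation, not a subresource, so it is not matched.
  const tagRe = /<(script|img|link|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (new URL(m[2], page).protocol === 'http:') {
      found.push({ tag: m[1].toLowerCase(), ref: m[2] });
    }
  }
  return found;
}

// Constructed sample page mixing the reference styles discussed in the post.
const sampleHtml = `
<link rel="stylesheet" href="/styles/main.css">
<script src="//cdn.example/common-resource.js"></script>
<script src="http://cdn.example/legacy.js"></script>
<img src="https://img.example/logo.png">
<a href="http://other.example/">external link</a>`;

// The same protocol-relative reference follows the scheme of the page.
console.log(resolveRef('//cdn.example/common-resource.js', 'https://www.example/checkout'));
console.log(resolveRef('//cdn.example/common-resource.js', 'http://www.example/about'));
// Only the hard-coded http:// script is reported.
console.log(findInsecureRefs(sampleHtml, 'https://www.example/checkout'));
```

On an HTTP page the protocol-relative reference resolves to `http://`, so the resource is fetched without transport protection; the audit only reports references that break an HTTPS page.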
