WebResource.axd going over HTTP when you are browsing on HTTPS
Sherlock Holmes once said "It is a capital mistake to theorize before one has data". Being in the business of troubleshooting, I, for one, believe in this. I ran into a similar problem recently where we made assumptions based on some vague facts rather than actual data. The problem was straightforward: the customer was using SSL, and when he hit the web page using Firefox over HTTPS he would see the following message in the status bar.
Connection Partially Encrypted
Parts of the page you are viewing were not encrypted before being transmitted over the Internet.
Information sent over the Internet without encryption can be seen by other people while it is in transit.
He was using the built-in Validation Controls for an ASP.NET 2.0 website and after some research the customer himself had found out that somehow the WebResource.axd was tied up with the whole thing. The customer had also tested this in Internet Explorer and he wasn't getting any such error message.
So when the Support Engineer who got this call first heard about this problem, he jumped to the conclusion that there was nothing we could do about this since it was something to do with Firefox not trusting the content of the web page. So he called into the IIS team to see if we can do something from the "server side" of things to fix this problem.
At this point I would like to point out a minor problem which led us in a completely wrong direction. The IIS engineer who got the call may have been hitting the www.asp.net site and he found out that when we go to the page https://forums.asp.net/user/createuser.aspx for creating a user account, we get a similar message in Firefox. So he theorized that since this wasn't working on one of our sites, it probably is a problem with Firefox rather than anything to do with the WebResource.axd. So was the message given to the customer.
When I stepped in to look at this problem, the customer had already been provided a workaround where he was asked to force SSL in his website. If you already have an SSL certificate installed, we can do this by going to the Internet Information Services, go to the properties of the website and click on the "Edit" button. You will see an option in there to choose "Require secure channel (SSL)" and choose 128 bit encryption under it. I talked to the customer and also pointed out that this is not a problem with Firefox, but if we have the setting "Warn if changing between secure and not secure mode" selected in Internet Explorer (under Tools-->Options-->Advanced) we would get a similar kind of message that says:
This page contains both secure and nonsecure items.
Do you want to display the nonsecure items?
Honestly speaking, I am not an expert on IIS; in fact I would put myself in the group of novice users who just know how to run ASP/ASP.NET on IIS and maybe some minor details surrounding it. I was completely convinced by the idea that maybe we just need to enforce SSL to make everything run over HTTPS. But after I got off the call with the customer I started thinking that maybe there was something we missed, and went back and reviewed some research logs added by another SE and an Escalation Engineer which basically said that this needs more investigation, with some pointers. I then set up a simple repro where I had an ASPX page with a validation control thrown in and browsed it over HTTPS from a different machine, and like I suspected I never got the above message in IE or Firefox. This obviously wasn't something we would call "by design". Just to ensure I was on the right track I checked the source code of ASP.NET to ensure that we aren't issuing any Redirects from there for caching etc., and we weren't, so there was something else that was amiss.
I would like to circle back a bit here, since there is another detail that I omitted on purpose. This was about getting the network traffic. I had previously installed the Fiddler2 tool to look at the network traffic and here is how it looked when I see the WebResource.axd in there.
So if you look at the trace above, you can see that there was first an HTTPS request for the WebResource.axd and then there is a 302 indicating a redirect and we have a 200 OK for the resource. I was getting a similar kind of traffic for the customer's website as well.
After some additional digging it turned out that the customer had a custom HttpModule that would allow automatic switching between HTTP and HTTPS protocol. It also had a configuration section where we could define the pages that will run on SSL. We added the WebResource.axd to this list and that solved the problem.
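The pattern seen in the trace (an HTTPS request answered with a 302, then a 200 OK for the resource) can be checked for mechanically in any exported session list. The following is an added example, not code from the original post or from the customer's module; the host name, query strings and trace entries are constructed, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample trace: (request URL, status code, Location header or None).
TRACE = [
    ("https://shop.example.test/Login.aspx", 200, None),
    ("https://shop.example.test/WebResource.axd?d=abc&t=1", 302,
     "http://shop.example.test/WebResource.axd?d=abc&t=1"),
    ("http://shop.example.test/WebResource.axd?d=abc&t=1", 200, None),
    # A relative redirect that stays on HTTPS and must not be flagged.
    ("https://shop.example.test/ScriptResource.axd?d=xyz", 302, "/scripts/cached.js"),
    ("https://shop.example.test/scripts/cached.js", 200, None),
]

REDIRECTS = {301, 302, 303, 307, 308}


def find_downgrades(trace):
    """Return (requested_url, redirect_target, final_status) for every HTTPS
    request that a redirect sent to plain HTTP."""
    # Status of each non-redirect response, keyed by the URL that was fetched.
    served = {url: status for url, status, _ in trace if status not in REDIRECTS}
    findings = []
    for url, status, location in trace:
        if status not in REDIRECTS or not location:
            continue
        if urlsplit(url).scheme != "https":
            continue
        # Location may be relative; resolve it against the request URL.
        target = urljoin(url, location)
        if urlsplit(target).scheme == "http":
            findings.append((url, target, served.get(target)))
    return findings


def downgraded_paths(trace):
    """Distinct paths that were downgraded: the candidates to add to the
    redirecting component's list of pages that run on SSL."""
    return sorted({urlsplit(url).path for url, _, _ in find_downgrades(trace)})


if __name__ == "__main__":
    for url, target, status in find_downgrades(TRACE):
        print(f"DOWNGRADE {url} -> {target} (then served with {status})")
    print("Paths to review:", downgraded_paths(TRACE))
```
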