ASP.NET Ajax 客户端框架危及 HTTPS 安全性

HTTPS security is compromised by ASP.NET Ajax client-side framework

我的 aspx ASP.NET 网页中有一个 ScriptManager。

如果我使用下面的

<asp:ScriptManager EnablePartialRendering="true" AsyncPostBackTimeOut="300"
        ID="ScriptManager1" runat="server" />

我在浏览器中看到以下错误

Uncaught Error: ASP.NET Ajax client-side framework failed to load. Uncaught ReferenceError: Sys is not defined

当我添加 EnableCdn="true" 时,我收到一条关于混合内容的警告

HTTPS security is compromised by http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js ... and by http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js

当然,如果我强制加载,它最终会起作用,但这远非理想。

我也不明白在从 Windows Server 2012 移植到 Windows Server 2016 以及相应版本的 IIS 8 和 10 时问题是如何出现的。显然,在原始服务器中,相同的代码工作正常 - 即使没有 EnableCdn="true" - 所有这些请求似乎都按预期在 https 中进行管理。

接受解决方案后

几乎一切顺利。 我所做的是在 Global.asax.cs:

中添加以下行 
    protected void Application_Start(object sender, EventArgs e)
    {
        //....
        var defAjaxForms = new ScriptResourceDefinition();
        defAjaxForms.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js";
        defAjaxForms.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js";
        defAjaxForms.CdnSupportsSecureConnection = true;
        defAjaxForms.Path = "~/Scripts/WebForms/MicrosoftAjaxWebForms.debug.js";//local resource
        defAjaxForms.DebugPath = "~/Scripts/WebForms/MicrosoftAjaxWebForms.debug.js";
        ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjaxWebForms.js", defAjaxForms);
        var defAjax = new ScriptResourceDefinition();
        defAjax.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.js";
        defAjax.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.js";
        defAjax.CdnSupportsSecureConnection = true;
        defAjax.Path = "~/Scripts/WebForms/MicrosoftAjax.js";//local resource
        defAjax.DebugPath = "~/Scripts/WebForms/MicrosoftAjax.js";
        defAjax.LoadSuccessExpression = "window.Sys && Sys._Application && Sys.Observer";
        ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjax.js", defAjax);
        var defForms = new ScriptResourceDefinition();
        defForms.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js";
        defForms.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js";
        defForms.CdnSupportsSecureConnection = true;
        defForms.Path = "~/Scripts/WebForms/WebForms.js";
        defForms.DebugPath = "~/Scripts/WebForms/WebForms.js";
        defForms.LoadSuccessExpression = "window.Sys && Sys._Application && Sys.Observer";
        ScriptManager.ScriptResourceMapping.AddDefinition("WebForms.js", defForms);
    }

唯一仍然被 KO 的是 WebForms.js:我还在

... was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js'. This request has been blocked; the content must be served over HTTPS.

最终解决方案

最后我应用了 this answer(注意他们定义了 ResourceNameResourceAssembly 而不是 PathDebugPathwith all http:// 替换为 https://

您可以在代码隐藏中配置 ScriptManager 映射。像这样的东西。 Page_PreRender 是个好地方。

Dim def As New ScriptResourceDefinition()
def.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.0/1/MicrosoftAjax.js"
def.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.0/1/MicrosoftAjax.js"
def.CdnSupportsSecureConnection = True
def.Path = "~/js/lib/MicrosoftAjax.js" ''//local resource
def.DebugPath = "~/js/lib/MicrosoftAjax.js"
def.LoadSuccessExpression = "window.Sys && Sys._Application && Sys.Observer"
ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjax.js", def)