One of our client reported a problem that on some of their site secure pages FireFox displays the “connection partially encrprypted warning” (by showing a small “i” on secure lock icon).
When I first started looking at that problem, I thought it would be something as simple as some page being hosted on the HTTP (using hardcoded URL). I started by looking at the page source in the FireFox page source viewer. As I start looking into it, my head started to spin because looking at the page source (HTML) all the path were either relative or were on HTTPS.
After spending sometime and carefully observing the pages, I found a pattern that the pages with the ASP.Net form and text box controls usually result in this SSL warning. After this clue, I run the HTTP Analyzer and found the issue (I wish I had run it earlier, but it’s never too late). The problem I found was the “WebResource.axd” is being return at the HTTP path. Actually, it’s requested at the HTTPS path, but then the server sends a redirect command to request this file over the HTTP and it causes this warning.
After finding this, I searched with related keywords, and I found a blog which discuss the same problem in much more detail:
The solution was simple. The client was using a custom ASP.Net Handler to toggle between the secure and non-secure modes. http://www.codeproject.com/KB/web-security/WebPageSecurity_v2.aspx
All which was needed to fix the problem was to allow the “WebResource.axd” to be served on the HTTPS too.
The point is when you see such problem, don’t rely on the simple page source. Rather look at the actual HTTP packets (using tools like HTTP Analyzer, Fiddler, etc) and you can solve such problem in minutes.