AI OnAI Off
I think I tried a solution for this, basically you canoverwrite the CDN url. Can't remember how it looks like, but will get back to you.
I think you need to do something like this in application_start or an initiliazation module
https://stackoverflow.com/questions/11949504/scriptmanager-enablecdn-does-not-work-on-ssl
Exactly! The solution in Mark's post is what I sent to another customer.
Adding this to Global.asax/Application_Start
System.Reflection.Assembly ext = typeof(ScriptManager).Assembly; System.Reflection.Assembly web = typeof(HttpApplication).Assembly; ScriptManager.ScriptResourceMapping.AddDefinition("WebForms.js", web, new ScriptResourceDefinition { ResourceName = "WebForms.js", ResourceAssembly = web, CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js", CdnSupportsSecureConnection = true }); ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjax.js", ext, new ScriptResourceDefinition { ResourceName = "MicrosoftAjax.js", ResourceAssembly = ext, CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.js", CdnSupportsSecureConnection = true }); ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjaxWebForms.js", ext, new ScriptResourceDefinition { ResourceName = "MicrosoftAjaxWebForms.js", ResourceAssembly = ext, CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.js", CdnSupportsSecureConnection = true });
Note that they should change <compilation debug="false" in web.config
We're running Commerce Manager in a load balanced environment. Although the browser requests Commerce Manager over https, the load balancer redirects to non-http, which gives issues with mixed content. This is nicely explained in this article:
https://world.episerver.com/blogs/Quan-Mai/Dates/2017/7/commerce-manager-over-https-on-load-balancer/
The article suggests two things to solve this:
1) Use at least Commerce Manager 10.6.0. We use 11.8 so that should be fine.
2) Configure the header X-Forwarded-Proto to "https" on your load balancer. This we did.
With above solution, Commerce Manager now loads it's own internal scripts and stylesheets over https, so that's great. However Commerce Manager still tries to load cdns over http, as seen here:
Snippet from browser's console log:
"Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js'. This request has been blocked; the content must be served over HTTPS.
default.aspx:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js'. This request has been blocked; the content must be served over HTTPS.
default.aspx:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js'. This request has been blocked; the content must be served over HTTPS.
ContentFrame.aspx?_a=Catalog&_v=Catalog-List:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js'. This request has been blocked; the content must be served over HTTPS.
ContentFrame.aspx?_a=Catalog&_v=Catalog-List:1 Mixed Content: The page at 'https://cmepiuat03.tst.dsb.dk/Apps/Shell/Pages/default.aspx' was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js'. This request has been blocked; the content must be served over HTTPS.
ContentFrame.aspx?_a=Catalog&_v=Catalog-List:1"
How to fix this?