IE：HTTPS安全性受到res：//ieframe.dll/sslnavcancel.htm的攻击 [英] IE: HTTPS security is compromised by res://ieframe.dll/sslnavcancel.htm

问题描述

我正在开发一个拥有许多仅限HTTPS的电子商务应用程序。这个特殊的错误只发生在IE中（至少10个，没有尝试过其他的），它只发生在整个应用程序的一个HTTPS页面上。

I'm working on an ecommerce application that has many HTTPS-only areas. This particular error only happens in IE (10 at least, haven't tried others) and it only happens on one HTTPS page in the entire application.

来自研究，我收集这是IE的混合内容警告。这非常令人困惑，因为IE是唯一对此页面有任何问题的浏览器。所有其他相关浏览器都不会抱怨任何混合内容。

From research, I gather this is IE's mixed-content warning. This is very confusing because IE is the only browser that has any issue with this page. All other relevant browsers don't complain about any mixed content.

任何人都可以了解一下sslnavacancel.htm是什么？或者，如何进一步深入了解可能导致此问题的资源？

Can anyone shed some light on what sslnavacancel.htm is? Or, how to drill down further to get an idea of what resource may be actually causing this problem?

提前致谢。

推荐答案

问题： res：//ieframe.dll/sslnavcancel.htm 是一个嵌入式HTML资源在ieframe.dll中，在IE中显示给用户，表明某些资源因为使用无效证书签名而被阻止。由于各种原因，证书可能被视为无效，包括证书是否已过期，或证书中的主机名与实际用于获取资源的主机名之间是否不匹配。

Issue: res://ieframe.dll/sslnavcancel.htm is an embedded HTML resource in ieframe.dll that is displayed in IE to users to indicate that some resource was blocked because it was signed with an invalid certificate. A certificate may be considered invalid for a variety of reasons including if the certificate has expired or if there's a mismatch between the hostname in the certificate and the hostname actually used to obtain the resource.

解决方案：您可以尝试在HTTP调试代理中安装 Fiddler 并在测试时运行您在IE10的网站。 Fiddler在您的浏览器和HTTP服务器之间作为HTTP代理，并且（在许多其他事情中）将告知您获得的任何资源是否具有无效的证书。启动Fiddler，转到工具| Fiddler选项| HTTPS，选中Capture HTTPS CONNECTs，检查Decrypt HTTPS流量，并确保未选中忽略服务器证书错误。重新启动Fiddler，在IE中访问您的网站，然后检查Fiddler的日志视图，查看无效证书的资源。

Solution: You can try installing Fiddler the HTTP debugging proxy and running that while testing your website in IE10. Fiddler sits as an HTTP proxy between your browser and HTTP servers and (among many other things) will let you know if any resource obtained has an invalid certificate. Start Fiddler, go to Tools|Fiddler Options|HTTPS, check Capture HTTPS CONNECTs, check Decrypt HTTPS traffic, and ensure 'Ignore server certificate errors' is unchecked. Restart Fiddler, visit your website in IE, and then examine Fiddler's log view for resources with invalid certificates.

这篇关于IE：HTTPS安全性受到res：//ieframe.dll/sslnavcancel.htm的攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！