Develop Reference

ASP.NET and IIS with SSL doesn't returns all files because forbidden

I've just add to my site a SSL certificate and setup IIS to redirect all requests to https. After that I have a lot of issues with the site because the browser shows errors like
HTTP403: FORBIDDEN - The server understood the request, but is refusing to fulfill it.
This error is mainly for JavaScript files and images. Here a screenshot of Microsoft Edge DevTools.
I googled a bit and some people complained because Microsoft Edge doesn't work properly. Then I tried with Firefox and I noticed another strange thing: the site is working fine but there are a lot of 403 in the Developer Tools`.
I tried to add in the web.config a generic authorization for all users to the Scripts folder. Nothing changed.
<location path="Scripts">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Do you have any helps?

HTTP 403: FORBIDDEN could be caused due to number of reasons. You may need to try below options if any of these worked or causing issue:
1) Check if it is coming in all the browser.
2) Clear Cache and Cookies of the browser and then try again.
3) Check for Content Security Policy for safe access of resources
4) Check for file permissions in your wwwroot folder
5) More you can check in below link ....
CSS, Images, JS not loading in IIS

Safari won't load some resources over http/2

Http/2 is enabled on server and yesterday I noticed that on Iphone (IOS 10.2) does not load some resources with error:failed to load resource:connecting to server is not possible. When I connect Iphone to Mac there are no errors in console but simply result of some requests result imidiatelly in that error. Interesting thing could be the fact that resources which are not loaded are subdomain of real domain( CNAME to be correct). Site is on https.
Server is Windows server 2016.
EDIT:
We resolved this subdomain problem, but still there are requests from same domain that are not responding with any response.
I know IOS > 9.3 supports http/2 when resources are loaded over https but thing that resources which not working are not part of that domain could help to resolve this problem but I don't know how.
I know that probably problem is related to http/2 protocol because my android native appliacation also stopped working with error : java.io.IOException: stream was reset: PROTOCOL_ERROR . I resolved that problem by forcing my application to use http/1. Now works. But how to resolve that iphone safari problem?
I'm using ASP.NET Web Forms as backend (which supports http2 since ASP.NET 4.6 which I'm using).

It seems that solution has been found. After few days of investigating disabling dynamic content compression helped.

The answer has already been correctly provided here above by Vlado Pandžić.
I cannot comment as I am new on this site, but I wanted to add something I found.
IOS less than version 11 does support HTTP/2. BUT! It will get stuck if the page is too big and compressed. I'm not sure what the cut-off is, but if you open a small page which has dynamic compression (Gzip or whatever) it will work fine. ASP or PHP etc, doesn't matter. Once the page reaches a compressed data size which requires multiple round-trips to pull the data, then Safari gets it's knickers in a twist.
It will literally go into an endless loop, hammering your server with requests. I was seeing thousands of page hits while Safari was just stuck on a blank white screen.
The problem for me, is that disabling dynamic compression on your entire website will result in penalties from Google for mobile-friendliness. Google wants you to have compression on, but you have to disable it for Safari, which sucks.
My solution to this was the enable dynamic compression on the entire website, but I used web.config file to disable it for specific pages which I know can be quite large in size.
<location path="large-page.aspx">
<system.webServer>
<urlCompression doDynamicCompression="false" />
</system.webServer>
</location>
Good luck!
Matt

You can also disable gZip and use brotli instead for compression, older versions of Safari don't support it so it seems to work.
https://github.com/saucecontrol/Brotli-IIS

This is quite an old thread, however, there's a better answer if you need don't want to cut off old iOS devices than disabling all compression for either this site (accepted answer) or for all browsers for a given resource (Matt Deemer).
A URL Rewrite rule can disable compression just for the resources and browsers that matter.
Recently, I wanted to move an established Classic ASP site, which can serve large, dynamically created resources, to HTTP/2.
The following rule allowed everyone but old WebKit versions to get the content compressed.
<rule name="No compression for old WebKit">
<match url="^(.+\.asp.*)" />
<conditions>
<add input="{HTTP_USER_AGENT}" pattern="AppleWebKit\/60[0-3]" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING" value="none" />
</serverVariables>
<action type="Rewrite" url="{R:1}" />
</rule>
NOTES: WebKit/604 and greater do not have the http/2 - compression issue.
url-rewriteclassic-asp

Adding a CSP to a Firefox extension's own HTML page

I have a Firefox extension displaying its own HTML page via a chrome:// url, and scripts in it are running with chrome privileges. For users' security, I want to add a Content Security Policy to this page.
The obvious thing to do is to add it via <meta> tag, but that's not yet supported in Firefox (bug 663570). Update: Bug 663570 was fixed in Firefox 45, but my attempts to use a tag caused Firefox to crash. Bug 923902 seems to be the new bug to watch.
Is there any way to implement a CSP right now? Some way to fake the appropriate HTTP header for a chrome:// URL?

I asked this question waaay back in the days of XUL add-ons, which are long gone - in this era of WebExtensions, I could define a CSP in manifest.json, although the default CSP is plenty secure.

Forms auth redirecting css/script includes to the login page with HTTP 302

I have some includes on a login page, a css file and a js file.
<link rel="stylesheet" type="text/css" href="../../ext/resources/css/ext-all.css" />
<script type="text/javascript" src="../../ext/bootstrap.js"></script>
the requests the browser makes for these get the 302 response. Forms Auth is seeing the request as unauthorized and redirecting them to the login page. It doesn't realise that the requests are coming from the login page in the first place.
GET http://localhost:50880/ext/resources/css/ext-all.css HTTP/1.1
HTTP/1.1 302 Found
<html><head><title>Object moved</title></head><body>
<h2>Object moved to here.</h2>
</body></html>
I thought perhaps setting the permissions of the includes folder (ext) to everyone might help.

I had the same problem. Here's how I solved it.
In IIS7, click on your website, then double-click the Authentication button.
Click on Anonymous Authentication, then click the Edit... link on the right hand side.
Make sure the "Application pool identity" checkbox is checked.
My application pool is running under the "Network Service" user (not "ApplicationPoolIdentity"). You can choose the Identity in the Advanced Settings of your application pool in IIS. This user has been given full access to the file system for the website.

You need to exclude the css files and images from getting authenticated as following in the configuration file. Using the location tag you can exclude a single file or a directory.
<location path="<RELATIVE_PATH_OF_YOUR_RESOURCE_FILES>">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

So, here's what I did that entirely solved the issue.
First, I made the change to the web.config like everyone else said to do.
I am using Anonymous Authentication in IIS, and as stated in this issue, I went into IIS > Application Pools > Right-clicked my application pool > Edit > changed the app pool to use the Application Pool Identity.
THEN - I went to the parent folder that contains my site, went into permissions for that folder, and added the server's NETWORK SERVICE account to access the folder. That did it for me. It's because the Application Pool is running under ApplicationPoolIdentity, which is the NETWORK SERVICE account on the local machine.
Hope this helps someone!

The issue I had on this was that I had downloaded a jquery plugin from the internet and copied it into my content directory on the webserver and Windows had all the files under it blocked so that they couldn't be access properly by the webserver. Unblocking the files in Windows solved the issue.

Late answer here, but I wanted to help shed some light on this IISsue. (see what I did?)
First, I want to say that David Conlisk's answer is the sure-fire-nail-it-in-the-head-fix-it-every-time answer. But in case you're like me and have deployed many applications with Forms and Anonymous auth where the Anonymous Auth Identity is set to IUSR and all the sudden I'm seeing this problem now, then listen to how I reproduced the issue and hopefully be spared from the same plight.
My standard practice is to have my web application's AppPoolIdentity run as Network Service. Then I just go to the actual directory on disk that the virtual directory is pointing to -> right click -> Properties -> Security Tab -> Edit -> Add the Network Service User -> Grant read/write permissions.
Then I enable Anonyous Authentication on the directories that I need (js, css, etc.) The app pool identity is IUSR by default.
OK. Now all of the sudden in my dev environment, I start getting 302 forms auth redirects on all my css and js! What happened? I did an SVN switch on my web application to a different branch in source control. Ugh. It completely jacked all of my on disk permissions for every single file. The only way I've ever been able to fix it is to delete the whole web app, and do a fresh checkout and re-apply Network Service read permissions (or apply permissions on every single file... and yes I've tried removing and re-adding the permissions on the parent level folder).
So this time, I decide "hell with it. I'm running my web app as Local System. That will show the disk permissions whose boss. This has worked for me from time to time as a short term workaround." But alas, not today. I swear to you that before my eyes I am looking at two deployments of a forms auth web app with exactly the same configuration and the 302 issue is only reproducing on my dev machine. The only difference is the recent SVN switch on my machine.
As soon as I Log in and get a Forms Auth Cookie, the js and css download just fine.
Bear with me, I've just made a shocking discovery. All of the servers I have this deployed on have read permissions granted to MACHINE_NAME\Users. And my dev machine does not. Once I added that to my dev machine, I was able to download my css.
TLDR;
Moral of the story is you can keep the Anonymous Auth Identity as IUSR, but then you have to grant all users read permissions on your web app on disk.
Since this is a bad idea (for security reasons), I'm going to make it my new practice to adopt David C's answer and make the Anonymous Auth Identity run as the application pool identity.

Trying to set security on Controllers and Content

So I am having this issue of getting CSS files applied through the masterpage. I had another question: Can't get CSS loaded in Master page that helped me to apply the link tag correctly (or different options).
This is confirmed in Firebug where the call is coming back 302 found, but the styles are not being applied.
This question lead to another contributor pointing out possible access issues to the controller/content in my Web.config. Thus the reason for this question separate "Security" related question.
I have went through a number of full MVC app tutorials such as NerdDinner (v.1, v.2) and Pro MVC 2's not to mentioned a good bit of reading material in my pursuit to learn ASP.NET MVC - and I have not come across any details on access to sources such as /Content to anonymous users just to load css files. Nor have I read anything that MVC takes the approach that it is entirely locked down and you must open specific areas to specific roles/users/everyone OR open it all up for everyone.
So I still have the problem of not being able to get CSS rules applied even though it shows that the .css file is being found (302). But another issue is that I am seeing a second call to load the file in the console:
localurl.com/Account/Logon?ReturnURL=%2Content%2AdminViews.css
But errors with a 500.
Now I have commented out the logon URL line in my web.config "Authentication" section, and there is no route that I can see in my route dictionary.
Any thoughts on both of these related issues?
UPDATE
I found that the problem with why the redirection to the
localurl.com/login.aspx?returnurl=content/adminview.css
was that theforms authentication (in IIS) was enabled with the properties set to "Login.aspx". Changing this generated an ACL rights (yellow screen of death) when accessing the file directly
localurl.com/contents/adminview.css
I found adding users to the content directory (i.e. IUSR account) would rectify this issue.
So I now need to find what the proper way to set security. What account I should use ...etc. I did already have the IUSR_ComputerName already given access, which my understanding is the default IIS anonymous user account. So why this wouldn't be enough to access resources in the ~/contents/ directory is beyond me.

You could allow access to these resources using web.config.
<location path="Content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>