HTTPS security is compromised by ASP.NET Ajax client-side framework

Question

I have a ScriptManager in my aspx ASP.NET web page.

If I use the following

<asp:ScriptManager EnablePartialRendering="true" AsyncPostBackTimeOut="300"
        ID="ScriptManager1" runat="server" />

I see the following errors in the browser

Uncaught Error: ASP.NET Ajax client-side framework failed to load. Uncaught ReferenceError: Sys is not defined

when I add EnableCdn="true" then I get a warning about the mixed content that reads

HTTPS security is compromised by http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js ... and by http://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.debug.js

Of course if I force loading, it eventually works, but this is very far from ideal.

I also don't understand how the issue has arisen in a porting from Windows Server 2012 to Windows Server 2016 with respective versions of IIS 8 and 10. Apparently, in the original server, the same code works fine - even without EnableCdn="true" - and all those requests seem to be managed in https as expected.

After the accepted solution

Almost all went well. What I've done is adding the following lines inside the Global.asax.cs:

    protected void Application_Start(object sender, EventArgs e)
    {
        //....
        var defAjaxForms = new ScriptResourceDefinition();
        defAjaxForms.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js";
        defAjaxForms.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjaxWebForms.debug.js";
        defAjaxForms.CdnSupportsSecureConnection = true;
        defAjaxForms.Path = "~/Scripts/WebForms/MicrosoftAjaxWebForms.debug.js";//local resource
        defAjaxForms.DebugPath = "~/Scripts/WebForms/MicrosoftAjaxWebForms.debug.js";
        ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjaxWebForms.js", defAjaxForms);
        var defAjax = new ScriptResourceDefinition();
        defAjax.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.js";
        defAjax.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/MicrosoftAjax.js";
        defAjax.CdnSupportsSecureConnection = true;
        defAjax.Path = "~/Scripts/WebForms/MicrosoftAjax.js";//local resource
        defAjax.DebugPath = "~/Scripts/WebForms/MicrosoftAjax.js";
        defAjax.LoadSuccessExpression = "window.Sys && Sys._Application && Sys.Observer";
        ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjax.js", defAjax);
        var defForms = new ScriptResourceDefinition();
        defForms.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js";
        defForms.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js";
        defForms.CdnSupportsSecureConnection = true;
        defForms.Path = "~/Scripts/WebForms/WebForms.js";
        defForms.DebugPath = "~/Scripts/WebForms/WebForms.js";
        defForms.LoadSuccessExpression = "window.Sys && Sys._Application && Sys.Observer";
        ScriptManager.ScriptResourceMapping.AddDefinition("WebForms.js", defForms);
    }

The only thing that is still KO is the WebForms.js: I'm still getting

... was loaded over HTTPS, but requested an insecure script 'http://ajax.aspnetcdn.com/ajax/4.6/1/WebForms.js'. This request has been blocked; the content must be served over HTTPS.

Final Solution

Finally I applied this answer (notice that they define ResourceName and ResourceAssembly instead of Path and DebugPath) with all http:// replaced by https://

Answer 1

You can configure ScriptManager mapping in Code Behind. Something like this. Page_PreRender is good place for it.

Dim def As New ScriptResourceDefinition()
def.CdnPath = "https://ajax.aspnetcdn.com/ajax/4.0/1/MicrosoftAjax.js"
def.CdnDebugPath = "https://ajax.aspnetcdn.com/ajax/4.0/1/MicrosoftAjax.js"
def.CdnSupportsSecureConnection = True
def.Path = "~/js/lib/MicrosoftAjax.js" ''//local resource
def.DebugPath = "~/js/lib/MicrosoftAjax.js"
def.LoadSuccessExpression = "window.Sys && Sys._Application && Sys.Observer"
ScriptManager.ScriptResourceMapping.AddDefinition("MicrosoftAjax.js", def)