I spent some time debuging a ScriptBundle problem last Friday and want to share my experience.
The original code in a MVC project App_Start/BundleConfig.cs file:
- bundles.Add(newScriptBundle("~/bundles/jquery.signalR").Include(
- "~/Scripts/jquery.signalR-{version}.js"));
And in a cshtml file, the bundle is included as:
- @Scripts.Render("~/bundles/jquery.signalR")
In local IIS Express debugging mode, I found no problem. So I deployed to Azure to see if project works in real server. And to my surprise, it reported an error that SignalR is not loaded. The following image from the IE F12 developer tools shows a 404 is returned when getting /bundles/jquery.signalR.
To find out if bundling works locally, I changed project configuration to release, and changed web.config debug="true" to debug="false". Then running the site on IIS Express returns the same 404 as well.
I did a few searches in Bing. First, I went to MSDN documentation on ScriptBundle. Nothing there except I saw the parameter is named as “virtualPath”.
Later I found a forum question talking about IIS Virtual directory won’t work if it has a dot in the name. I also found a stackoverflow question which answer says remove the dot but gave a non-convincing reason. So the solution is to remove the dot from virualPath parameter, and it worked!
Further search for reason shows that IIS by default rejected URLs that have dot in path for security reasons. For example, in URLScan.ini downloaded from http://www.iis.net/learn/extensions/working-with-urlscan/urlscan-setup, it shows:
- AllowDotInPath=0 ; If 1, allow dots that are not file
- ; extensions. The default is 0. Note that
- ; setting this property to 1 will make checks
- ; based on extensions unreliable and is
- ; therefore not recommended other than for
- ; testing.
In ISA server URLScan.ini documentation, it offers more explanation:
By default, this option is set to 0. If this option is set to 0, URLScan rejects any request that contains multiple periods (.). This prevents attempts to disguise requests for dangerous file name extensions by putting a safe file name extension in the path information or query string portion of the URL. For example, if this option is set to 1, URLScan might permit a request for http://servername/BadFile.exe/SafeFile.htm because it interprets it as a request for an HTML page, when it is actually a request for an executable (.exe) file with the name of an HTML page in the PATH_INFO area. When this option is set to 0, URLScan may also deny requests for directories that contain periods.
In summary, looks like for all the MVC/WebAPI routing, don’t put dot in any virtual path to avoid the above problem.