Ticket #680 (closed defect: wontfix)

Opened 3 years ago

Last modified 13 months ago

Mixed content: HTTP content on HTTPS version of site

Reported by: chris Owned by: sam
Priority: minor Milestone: Maintenance
Component: Drupal modules & settings Keywords:
Cc: sam, ed, paul, ben, annesley Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 6.12

Description

The front page of the site contains the following elements using HTTP when accessing the site using HTTPS:

  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/capture1.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="http://www.transitionnetwork.org/about" 0="a:0:{}" class="learn">Learn more about Transition Network »</a></span>
  </div>
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/clay.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="http://www.transitionnetwork.org/blogs/rob-hopkins/2014-01/can-earth-building-scale-mainstream-1-clayworks-and-clay-plasters" 0="a:0:{}" class="learn">Read more here »</a></span>
  </div>
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/frack3.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="http://www.transitionnetwork.org/blogs/rob-hopkins/2014-01/6-reasons-why-theres-no-community-fracking" 0="a:0:{}" class="learn">Read more here »</a></span>
  </div>
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/pc1.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>
  <div class="views-field-field-featured-image-fid">
                <span class="field-content"><a href="/news/2013-12-17/november-and-december-round-what-s-happening-out-world-transition" class="imagecache imagecache-featured_image_thumb imagecache-linked imagecache-featured_image_thumb_linked"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/featured_image_thumb/chilesml.jpg" alt="Chile Transition Training" title="Chile Transition Training" width="150" height="101" class="imagecache imagecache-featured_image_thumb"/></a></span>
  </div>

Would it be possible to embed content from the site using URLS like /sites/www.transitionnetwork.org/files/imagecache/featured_image_thumb/chilesml.jpg rather than http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/featured_image_thumb/chilesml.jpg ?

Changing these links would result in the mixed content warnings in browsers going away.

By default Firefox doesn't block HTTP content over HTTPS connections, however you can enable this by entering about:config in the URL bar and searching for mixed_content and then changing security.mixed_content.block_display_content to true if you want to see how the site looks when only secure content is loaded.

I have checked that the site does set the secure flag on the authentication cookie, so the mixed content shouldn't result in the authentication cookie being sent with unencrypted requests.

Further information:
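As an added example (not code from the ticket, the site or Drupal), here is a small scanner that finds the kind of mixed content reported above in a saved copy of a page's HTML. It uses only the Python standard library and splits findings into active content (scripts, frames, stylesheets, which browsers block outright) and passive "display" content (images, media, which Firefox loads unless security.mixed_content.block_display_content is true). The SAMPLE fragment is constructed to mirror the slideshow markup quoted in the description; the misc/jquery.js path in it is a constructed value.

```python
"""Mixed-content scanner for HTML assumed to be served over HTTPS.

Added example, not the ticket's, the site's or Drupal's code.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements whose target is executed or can rewrite the page: browsers block
# these on an HTTPS page ("active" mixed content).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Elements that only display something: Firefox loads them unless
# security.mixed_content.block_display_content is set ("passive" content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            self._check("active", tag, attrs.get("href"))
        elif tag in ACTIVE:
            self._check("active", tag, attrs.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, attrs.get(PASSIVE[tag]))
        # <a href="http://..."> is a navigation, not a sub-resource fetch, so it
        # never triggers a mixed-content warning and is deliberately ignored.

    def _check(self, kind, tag, url):
        # Relative ("/sites/...") and protocol-relative ("//host/...") URLs have
        # no scheme and inherit the page's, so only an explicit http:// counts.
        if url and urlsplit(url).scheme.lower() == "http":
            self.findings.append((kind, tag, url))


def scan(html):
    """Return the list of (kind, tag, url) findings for the given HTML."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(html):
    """Count findings per class: active ones break the page, passive ones only
    downgrade the padlock (or vanish when display content is blocked)."""
    found = scan(html)
    return {"active": sum(1 for k, _, _ in found if k == "active"),
            "passive": sum(1 for k, _, _ in found if k == "passive")}


# Constructed sample, shaped like the front-page slideshow quoted in the ticket.
SAMPLE = """
<div class="views-field-field-slide-image-fid">
  <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/capture1.jpg" alt=""/></span>
</div>
<div class="views-field-field-slide-destination-link-url">
  <span class="field-content"><a href="http://www.transitionnetwork.org/about" class="learn">Learn more</a></span>
</div>
<img src="https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/sign5.jpg" alt=""/>
<img src="/sites/www.transitionnetwork.org/files/imagecache/featured_image_thumb/chilesml.jpg" alt=""/>
<script src="http://www.transitionnetwork.org/misc/jquery.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:7s} <{tag}> {url}")
    print(summarize(SAMPLE))
```

Run against a `view source` dump of the front page it lists exactly the img elements the description complains about; the `<a href="http://...">` links are reported nowhere because following a link is not a mixed-content fetch.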

Attachments

Welcome Transition Network.png (1.8 MB) - added by chris 2 years ago.
Front Page Screenshot with Images not Loading
firefox-44.png (314.1 KB) - added by chris 13 months ago.

Change History

comment:1 Changed 3 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.0 to 0.25

comment:2 Changed 3 years ago by ed

Sam to follow up as discussed on 26/03

comment:3 Changed 3 years ago by sam

Investigating this, the images are uploaded in the form here:

https://www.transitionnetwork.org/node/35316/edit?destination=admin%2Fcontent%2Fnode

Looking at the image settings I can't yet see a way for the images to be put on a httpS url: https://www.transitionnetwork.org/admin/settings/uploads

comment:4 Changed 3 years ago by sam

So images can be accessed on httpS : https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/pc1.jpg

It's just a question of working out how to edit the form to use URLs such as:

/sites/www.transitionnetwork.org/files/imagecache/featured_image_thumb/chilesml.jpg

comment:5 Changed 3 years ago by sam

Slide image path setting is here:

https://www.transitionnetwork.org/admin/content/node-type/slide/fields/field_slide_image

I'll try editing this path on stg2.transitionnetwork.org

comment:6 Changed 3 years ago by sam

Hmm that won't work of course because I can't access httpS://stg2.transitionnetwork.org/

Bit reluctant to change the path on the live site in case I break the existing images.

comment:7 Changed 2 years ago by chris

  • Cc paul, ben, annesley added; jim removed
  • Add Hours to Ticket changed from 0.0 to 0.12
  • Total Hours changed from 0.25 to 0.37

After upgrading BOA, ticket:775 I loaded the front page and the slideshow was working via HTTPS:

<div class="views_slideshow_singleframe_slide views_slideshow_slide views-row-3 views_slideshow_singleframe_hidden views-row-odd" id="views_slideshow_singleframe_div_slideshows-panel_pane_1_2"><div class="views-row views-row-0 views-row-first views-row-odd">
  
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="https://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/sign5.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>

...

I then logged out and it wasn't.

<div id="views_slideshow_singleframe_main_slideshows-panel_pane_1" class="views_slideshow_singleframe_main views_slideshow_main"><div id="views_slideshow_singleframe_teaser_section_slideshows-panel_pane_1" class="views_slideshow_singleframe_teaser_section"><div class="views_slideshow_singleframe_slide views_slideshow_slide views-row-1 views-row-odd" id="views_slideshow_singleframe_div_slideshows-panel_pane_1_0"><div class="views-row views-row-0 views-row-first views-row-odd">
  
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/sea.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>

...

The way to test this is to go to about:config in Firefox and then set security.mixed_content.block_display_content to true and then log out of the site and the slideshow images won't show on the front page.

comment:8 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 0.37 to 0.495

Sam,

Would you provide a couple of screenshots before and after. Was this working immediately before the BOA upgrade / Drupal update?

Changed 2 years ago by chris

Front Page Screenshot with Images not Loading

comment:9 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.495 to 0.745

Screenshot below.

This appears to be an issue with caching -- HTTP or HTTPS links to slideshow images get cached depending which is accessed first.

To reproduce the behaviour below:

  1. Set up Firefox as explained in the ticket description.
  2. Log in to the site and clear the page cache: Flush all caches > Page and else
  3. Access the front page using HTTP with a browser that doesn't support HSTS, eg lynx http://www.transitionnetwork.org/, this ensures that the front page with HTTP links is cached.
  4. Access the site with Firefox and make sure you are not logged in, the site will then look as it does below.

Front Page Screenshot with Images not Loading

comment:10 Changed 2 years ago by paul

Investigating...

comment:11 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 0.745 to 1.245

Results of investigation:

The url https://transitionnetwork.org redirects to http://www.transitionnetwork.org/

Thoughts: Maybe we can fix this in the Nginx configuration file.

The url https://www.transitionnetwork.org/ loads correctly - no redirect

When logged in to https://www.transitionnetwork.org, I can see a link to http://www.transitionnetwork.org

<div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="http://www.transitionnetwork.org/news/2014-07-02/transition-networks-new-strategy" 0="a:0:{}" class="learn">Read more here&gt;&gt;</a></span>
  </div>

When logged out of https://www.transitionnetwork.org, I can see several links to http://www.transitionnetwork.org:

<div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/swim.jpg" alt="" title="" width="700" height="306" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default"/></span>
  </div>

and similar.

This looks to be a problem with Imagecache
https://www.drupal.org/node/548858

Possible solution is adding the following to settings.php

$base_url = (isset($_SERVER["HTTPS"]) ? 'https://' : 'http://') . $_SERVER["SERVER_NAME"];

Interestingly, when logged out of the stage site https://booker-stage-20140717.transitionnetwork.org the above problem is not reproduced - so this looks to be a problem specific to production. I'll try clearing the cache.


Last edited 2 years ago by paul

comment:12 follow-up: ↓ 13 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.245 to 1.495

The solution may well be to apply the following patch: https://www.drupal.org/files/issues/imagecache-548858.patch

However as I don't have the problem on my stage site, I will not see if it works until it's applied on production. I'll pick this up again tomorrow.

comment:13 in reply to: ↑ 12 Changed 2 years ago by chris

Replying to paul:

The solution may well be to apply the following patch: https://www.drupal.org/files/issues/imagecache-548858.patch

That looks like it would result in image links starting with a / rather than http(s)://www.transitionnetwork.org -- if that is the case then that should do the job.

Last edited 2 years ago by chris

comment:14 follow-up: ↓ 15 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.5
  • Total Hours changed from 1.495 to 1.995

Thanks Chris.

I have added this code to the settings.php file for production and rebuilt the registry. This has fixed the imagecache url problem.

I noticed that there is still one more HTTP link to fix on the front page. I think for this one you need to update the field content or maybe the field on the slideshow content type.

  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="http://www.transitionnetwork.org/news/2014-07-02/transition-networks-new-strategy" 0="a:0:{}" class="learn">Read more here&gt;&gt;</a></span>

I'm having problems with my internet connection this afternoon so feel free to pick this up. If not resolved today, I'll pick up again tomorrow.

comment:15 in reply to: ↑ 14 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 1.995 to 2.245

Replying to paul:

I have added this code to the settings.php file for production and rebuilt the registry. This has fixed the imagecache url problem.

I'm afraid I can't see that anything has changed, following comment:9:

  1. In Firefox check that about:config has security.mixed_content.block_display_content set to true.
  2. Log in to the site and clear the page cache (this would probably be best done using drush and then immediately doing the next step).
  3. Request the non-encrypted version of the front page to ensure that this is the version that is cached, I did this via lynx -dump http://www.transitionnetwork.org/
  4. Log out, this takes you to https://www.transitionnetwork.org/ and the front page looks as it does in the screenshot in comment:9.

If it would help I could write a simple bash script that could be run to demonstrate and test this issue.

Doing "view source" this is the HTML, note the http links to images:

<div id="views_slideshow_singleframe_main_slideshows-panel_pane_1" class="views_slideshow_singleframe_main views_slideshow_main viewsSlideshowSingleFrame-processed"><div style="position: relative;" id="views_slideshow_singleframe_teaser_section_slideshows-panel_pane_1" class="views_slideshow_singleframe_teaser_section"><div style="position: absolute; top: 0px; left: 0px; display: none; z-index: 4; opacity: 0;" class="views_slideshow_singleframe_slide views_slideshow_slide views-row-1 views-row-odd" id="views_slideshow_singleframe_div_slideshows-panel_pane_1_0"><div class="views-row views-row-0 views-row-first views-row-odd">
  
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/swim.jpg" alt="" title="" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default" height="306" width="700"></span>
  </div>
  
  <div class="views-field-title">
                <span class="field-content"><h1 class="welcome">This month's theme</h1></span>
  </div>
  
  <div class="views-field-field-slide-text-value">
                <div class="field-content"><div class="desc">September's theme is 'Making Space for Nature'. </div></div>
  </div>
  
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="https://www.transitionnetwork.org/blogs/rob-hopkins/2014-08/why-transition-needs-sense-wonder" class="learn">Find out why here...</a></span>
  </div>

</div>
</div>
<div style="position: absolute; top: 0px; left: 0px; display: none; z-index: 4; opacity: 0;" class="views_slideshow_singleframe_slide views_slideshow_slide views-row-2 views_slideshow_singleframe_hidden views-row-even" id="views_slideshow_singleframe_div_slideshows-panel_pane_1_1"><div class="views-row views-row-0 views-row-first views-row-odd">
  
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/mott2.jpg" alt="" title="" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default" height="306" width="700"></span>
  </div>
  
  <div class="views-field-title">
                <span class="field-content"><h1 class="welcome">Book Review</h1></span>
  </div>
  
  <div class="views-field-field-slide-text-value">
                <div class="field-content"><div class="desc">Is David Nobbs' 'The Second Life of Sally Mottram' the first great Transition novel?</div></div>
  </div>
  
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="https://www.transitionnetwork.org/blogs/rob-hopkins/2014-09/second-life-sally-mottram-review" class="learn">Read our review here:</a></span>
  </div>

</div>
</div>
<div style="position: absolute; top: 0px; left: 0px; display: none; z-index: 4; opacity: 0;" class="views_slideshow_singleframe_slide views_slideshow_slide views-row-3 views_slideshow_singleframe_hidden views-row-odd" id="views_slideshow_singleframe_div_slideshows-panel_pane_1_2"><div class="views-row views-row-0 views-row-first views-row-odd">
  
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/supmk.jpg" alt="" title="" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default" height="306" width="700"></span>
  </div>
  
  <div class="views-field-title">
                <span class="field-content"><h1 class="welcome">Opinion piece</h1></span>
  </div>
  
  <div class="views-field-field-slide-text-value">
                <div class="field-content"><div class="desc">We ask "can supermarkets ever be sustainable?"</div></div>
  </div>
  
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="https://www.transitionnetwork.org/blogs/rob-hopkins/2014-09/can-supermarkets-ever-be-sustainable" class="learn">Read more here &gt;&gt;</a></span>
  </div>

</div>
</div>
<div style="position: absolute; top: 0px; left: 0px; display: block; z-index: 5; opacity: 1;" class="views_slideshow_singleframe_slide views_slideshow_slide views-row-4 views_slideshow_singleframe_hidden views-row-even" id="views_slideshow_singleframe_div_slideshows-panel_pane_1_3"><div class="views-row views-row-0 views-row-first views-row-odd">
  
  <div class="views-field-field-slide-image-fid">
                <span class="field-content"><img src="http://www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/sign5.jpg" alt="" title="" class="imagecache imagecache-slideshow_660 imagecache-default imagecache-slideshow_660_default" height="306" width="700"></span>
  </div>
  
  <div class="views-field-title">
                <span class="field-content"><h1 class="welcome">Transition Network resource</h1></span>
  </div>
  
  <div class="views-field-field-slide-text-value">
                <div class="field-content"><div class="desc">Transition Network's 3 year Strategy Document now available!</div></div>
  </div>
  
  <div class="views-field-field-slide-destination-link-url">
                <span class="field-content"><a href="http://www.transitionnetwork.org/news/2014-07-02/transition-networks-new-strategy" 0="a:0:{}" class="learn">Read more here&gt;&gt;</a></span>
  </div>

</div>
</div>
</div>
</div>
    </div>

comment:16 follow-up: ↓ 17 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 2.245 to 2.37

@Chris

Sorry for the delay in responding. I'll leave this one with you Chris as you're in a better position to move this forward.

comment:17 in reply to: ↑ 16 Changed 2 years ago by chris

Replying to paul:

I'll leave this one with you Chris as you're in a better position to move this forward.

I'm not sure I am, I haven't done updates like this since BOA was adopted.

This patch does look like it should do the trick:

https://www.drupal.org/files/issues/imagecache-548858.patch

Is that the one you applied?

comment:18 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 2.37 to 2.495

Sorry guys,

I have been working on a big project for a client.

I didn't apply any patches, only made the manual changes to settings.php

@Annesley

Would you mind taking this one? Thanks

comment:19 Changed 2 years ago by annesley

sure!

thinking... :)

comment:20 follow-ups: ↓ 21 ↓ 32 Changed 2 years ago by annesley

so: the various levels of caching in Drupal, authentication scenarios and browser caches make this problem particularly complex to test. the differences between staging and live with regards to caching, content, https and setup make staging testing difficult.

note that Internet Explorer is now at 8.3% ## of browser usage and is the only browser to default to mixed content warnings. Firefox and Chrome ignore mixed content issues. 3.6% of users (IE 7,8,9) will get an annoying popup, IE 10 & 11 will get a passive warning at the bottom of the screen#.

my preference is to ignore this issue. however, after reading the thread i would be happy to try what seems to be an agreed patch directly on live, ready to roll back if we see problems. normally i would want a staging test but the particular style of problem here makes that tricky.

there are 3 lines with minor changes for this patch:

  • $args = array('absolute' => TRUE, 'query' => empty($bypass_browser_cache) ? NULL : time());
  • return url($GLOBALS['base_url'] . '/' . file_directory_path() .'/imagecache/'. $presetname .'/'. $path, $args);
  • return url('system/files/imagecache/'. $presetname .'/'. $path, $args);

is that too cowperson? chris + ed please give go ahead.

# - https://help.salesforce.com/apex/HTViewSolution?id=000005615&language=en_US
## - http://www.w3schools.com/browsers/browsers_stats.asp

Last edited 2 years ago by annesley

comment:21 in reply to: ↑ 20 Changed 2 years ago by chris

Replying to annesley:

is that too cowperson?

Sorry I don't understand what this means?

The patch, which looks to me like it should solve this issue, is the one referenced in ticket:680#comment:13

The issue is basically that either a front page with HTTP or HTTPS links is cached depending which is accessed first; if the URLs are made relative then it doesn't matter which is cached as they will be the same.
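To make the cache interaction described in this comment concrete, here is an added Python model (not code from the ticket, Drupal or imagecache). It simulates a page cache keyed only on the request path, fed by an image URL builder in the style of imagecache_create_url(); the names HOST, FILES, simulate() and the two builders are assumptions for the demonstration, and the request flow (one visitor fills the cache, an HTTPS visitor then reads it) is the one reproduced in comment:9.

```python
"""Why a path-keyed page cache serves http:// image links to HTTPS visitors,
and why relative URLs make the cached copy scheme-independent.

Added example, not the ticket's, Drupal's or imagecache's code.
"""
import re
from urllib.parse import urlsplit

HOST = "www.transitionnetwork.org"
FILES = "/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/"


def absolute_image_url(scheme, filename):
    """Current behaviour: an absolute URL built from the scheme of whichever
    request happened to render the page."""
    return f"{scheme}://{HOST}{FILES}{filename}"


def relative_image_url(scheme, filename):
    """Proposed behaviour: the same string whatever the request scheme was."""
    return f"{FILES}{filename}"


def render_front_page(scheme, url_builder):
    """Render the slideshow markup for one request (constructed file names)."""
    return "\n".join(f'<img src="{url_builder(scheme, f)}"/>'
                     for f in ("swim.jpg", "sign5.jpg"))


class PathOnlyPageCache:
    """A page cache keyed on the path alone: the first renderer's output is
    handed to everyone afterwards, regardless of the scheme they used."""

    def __init__(self, url_builder):
        self.url_builder = url_builder
        self.store = {}

    def get(self, scheme, path):
        if path not in self.store:
            self.store[path] = render_front_page(scheme, self.url_builder)
        return self.store[path]


def http_image_links(html):
    """Count img src values an HTTPS visitor would see as mixed content."""
    srcs = re.findall(r'src="([^"]+)"', html)
    return sum(1 for s in srcs if urlsplit(s).scheme == "http")


def simulate(url_builder, first_scheme, second_scheme="https"):
    """Serve the front page to a first visitor using first_scheme (e.g. lynx
    over plain HTTP), then to an HTTPS visitor, and report how many http://
    image links the second visitor receives from the cached copy."""
    cache = PathOnlyPageCache(url_builder)
    cache.get(first_scheme, "/")
    page = cache.get(second_scheme, "/")
    return http_image_links(page)


if __name__ == "__main__":
    print("absolute URLs, HTTP cached first :", simulate(absolute_image_url, "http"))
    print("absolute URLs, HTTPS cached first:", simulate(absolute_image_url, "https"))
    print("relative URLs, HTTP cached first :", simulate(relative_image_url, "http"))
```

With absolute URLs the outcome depends entirely on who arrived first, which is why the symptom looked intermittent in the thread; with relative URLs the cached page is identical either way, so the cache no longer needs to know the scheme at all.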

comment:22 Changed 2 years ago by ed

i'm happy for you to proceed but not for this to go on much longer

comment:23 follow-up: ↓ 24 Changed 2 years ago by annesley

sorry chris! it was a gender aware joke. i mean "is that too cowboy" as in, am i not being careful enough :)

ok, so i will proceed:

this is a patch on a contributed module. thus it needs to be entered in to the make file as a patch:

projects[imagecache][patch][tn01] = "https://raw.github.com/transitionnetwork/transitionnetwork.org-d6.profile/master/patches/tn01_imagecache_mixed_content.patch"

the patch needs to be uploaded in to the github/transition area.
and, the patch needs to be applied. which requires Aegir spinning up new site from the make file and then putting it live? or is that completely wrong?

comment:24 in reply to: ↑ 23 Changed 2 years ago by chris

Replying to annesley:

the patch needs to be uploaded in to the github/transition area.
and, the patch needs to be applied. which requires Aegir spinning up new site from the make file and then putting it live? or is that completely wrong?

This is a question for Paul.

comment:25 follow-up: ↓ 26 Changed 2 years ago by annesley

ok, i will wait for their input. i can already do everything apart from the last step.

@paul: i take it that the documentation in http://wiki.transitionnetwork.org/BOA_Server/Building_platforms is what i should be doing?

thus: i should go to http://wiki.transitionnetwork.org/BOA_Server/Building_platforms to build a new platform?

if that is true i would need a login...
also: i get an SSL error when going to https://tn.puffin.webarch.net/ should i ignore?

comment:26 in reply to: ↑ 25 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 2.495 to 2.745

Replying to annesley:

i get an SSL error when going to https://tn.puffin.webarch.net/ should i ignore?

Yes I'm afraid so, but you can check that you are getting the right site -- the cert is the same one as for the live site, https://www.transitionnetwork.org/ so you can note the fingerprints and compare them:

SHA-512: B0:C6:89:79:D1:ED:00:0C:6D:08:31:B3:D8:7F:A8:8C:75:BC:C5:8B:B4:4F:A5:D1:39:BD:22:2D:59:7E:9B:88
SHA1: DE:E6:11:E6:81:E5:ED:2E:FB:ED:54:39:22:9A:A6:1D:C4:5B:FB:C3

comment:27 Changed 2 years ago by chris

comment:28 Changed 2 years ago by ed

hold on hold no - we agreed that Paul would do pushes to live. I'm happy for Annesley to do the coding, but Paul does publishing. This is not urgent.

Please wait until Paul is available to do the publishing bit.

comment:29 Changed 2 years ago by paul

  • Add Hours to Ticket changed from 0.0 to 0.125
  • Total Hours changed from 2.745 to 2.87

Thanks Ed,

@Annesley

Let me know if anything needs publishing. Sorry if I made it sound like I was asking you to push things to production. Thanks for picking up the task. If you have problems fixing, just explore the problems as far as you can and let me know you're passing it back to me - perhaps with a summary of what's been done and what needs to be done - and I'll pick it up again as soon as I can.

Best, Paul

Last edited 2 years ago by paul

comment:30 Changed 2 years ago by annesley

actually, i'm not sure that this patch is valid for imagecache 6.x-2.0-rc1.

investigating...

comment:31 Changed 2 years ago by annesley

ok, the patch is not for our version of imagecache and, indeed, most of the changes appear to be in the latest version anyway. i'm going to try and understand the code and see if it sheds any light on the matter.

@Ed: if this is low priority (see the browser usage notes above) then feel free to cancel.

comment:32 in reply to: ↑ 20 Changed 2 years ago by chris

Replying to annesley:

so: the various levels of caching in Drupal, authentication scenarios and browser caches make this problem particularly complex to test. the differences between staging and live with regards to caching, content, https and setup make staging testing difficult.

I'm not sure this is the case.

Currently the images are linked to with either HTTP URLs like this:

Or HTTPS URLs like this:

Depending which version was first cached.

If my understanding of the patch identified in ticket:680#comment:17 is correct then after it has been applied the URLs should be relative:

  • /sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/swim.jpg

I don't see why this is hard to test on a dev version of the site, it should simply be a matter of checking the HTML source of the front page?

comment:33 Changed 2 years ago by chris

This thread on this issue might have a solution https://www.drupal.org/node/548858

comment:34 follow-up: ↓ 36 Changed 2 years ago by annesley

you're right chris.

a concern i have about moving to relative URLs was also on that thread you sent through:

"What are the exceptional cases that require a full URL? I am concerned about #36 causing problems by using relative paths, e.g. with RSS feeds or modules that allow you to email the content of a node (which require a full path). I am not sure if those modules just grab page content and email it out or process the content to check for relative links and adjust it to absolute links? If they do, how is determined for those purposes which protocol gets used?"

other solutions seem to involve checking the protocol more intelligently. however, that is where caching may start to be a problem?

$base_url = (isset($_SERVER["HTTPS"]) ? 'https://' : 'http://') . $_SERVER["SERVER_NAME"];

comments? preferences?

comment:35 Changed 2 years ago by chris

Protocol independent URLs are probably the best thing to use then:

  • //www.transitionnetwork.org/sites/www.transitionnetwork.org/files/imagecache/slideshow_660/images/slides/swim.jpg

See:

comment:36 in reply to: ↑ 34 Changed 2 years ago by chris

Replying to annesley:

$base_url = (isset($_SERVER["HTTPS"]) ? 'https://' : 'http://') . $_SERVER["SERVER_NAME"];

The above would work for Apache with no caching, but with the way BOA sets Nginx up, with the server listening on port 443 being a reverse proxy to port 80, I'm not sure that anything can be done using the HTTPS env var.
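As an added example (not the ticket's, BOA's or Drupal's code) of what the settings.php line can and cannot do behind a TLS-terminating proxy: the backend on port 80 never sees HTTPS=on, so the only information it can use is something the proxy adds to the forwarded request. The X-Forwarded-Proto header name is the conventional choice and is assumed here, as are the TRUSTED_PROXIES list, the environ dicts and the 203.0.113.5 client address (all constructed). The point a defender should not skip is the trust check: a forwarded header is only meaningful when the connection actually came from the proxy.

```python
"""Deriving the request scheme behind a reverse proxy, safely.

Added example, not the ticket's, BOA's or Drupal's code.
"""
import ipaddress

# Assumed deployment: Nginx on 443 proxies to this backend from localhost.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def request_scheme(environ):
    """Return 'https' or 'http' for a CGI/WSGI-style environ dict.

    1. A direct TLS connection sets HTTPS=on (the Apache convention the
       settings.php snippet in the thread relies on).
    2. Otherwise honour X-Forwarded-Proto, but only when the peer is a listed
       proxy: anyone reaching the backend directly could set the header and
       make the application emit links for a scheme it is not serving.
    """
    if environ.get("HTTPS", "").lower() == "on":
        return "https"
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    if forwarded in ("http", "https"):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return "http"
        if any(peer in net for net in TRUSTED_PROXIES):
            return forwarded
    return "http"


def base_url(environ):
    """What settings.php's $base_url would become with the scheme resolved."""
    return f"{request_scheme(environ)}://{environ['SERVER_NAME']}"


# Constructed requests for the three situations that matter.
DIRECT_TLS = {"HTTPS": "on", "SERVER_NAME": "www.transitionnetwork.org",
              "REMOTE_ADDR": "203.0.113.5"}
VIA_PROXY = {"SERVER_NAME": "www.transitionnetwork.org", "REMOTE_ADDR": "127.0.0.1",
             "HTTP_X_FORWARDED_PROTO": "https"}
SPOOFED = {"SERVER_NAME": "www.transitionnetwork.org", "REMOTE_ADDR": "203.0.113.5",
           "HTTP_X_FORWARDED_PROTO": "https"}

if __name__ == "__main__":
    for name, env in (("direct TLS", DIRECT_TLS), ("via proxy", VIA_PROXY), ("spoofed header", SPOOFED)):
        print(f"{name:15s} -> {base_url(env)}")
```

Even with the scheme resolved correctly, the page cache problem from comment:9 remains unless the cache key includes the scheme or the generated URLs are relative; resolving $base_url only fixes what is rendered, not what is replayed from cache.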

comment:37 Changed 2 years ago by annesley

FYI i am following the same issue (with Security tag) on the WordPress core forums ATM also: https://core.trac.wordpress.org/ticket/29708

:D

comment:38 Changed 2 years ago by chris

I have found with WordPress that the only way to set it up securely with HTTPS is to make WordPress sites HTTPS only, eg http://cooperatives-yh.coop/ which has this in its .htaccess file:

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

comment:39 Changed 2 years ago by ed

It sounds to me like this isn't going to reach a straightforward resolution owing to our situation. Coupled with it not being an urgent or vital fix, I say let's shelve it for now and live with it on the D6.

Therefore:

How can this 'finding' be carried into the TNv3 planning?

comment:40 Changed 2 years ago by annesley

  • Add Hours to Ticket changed from 0.0 to 3.0
  • Total Hours changed from 2.87 to 5.87

comment:41 Changed 2 years ago by annesley

  • Status changed from new to closed
  • Resolution set to wontfix

yep, i agree. closing.

i calculate that this problem is only visible to less than 5% of users and that the message is mostly passive also (not modal).

TNv3 may well be a different framework, and may not use SSL as the security requirements are also under review. note that using wordpress does NOT solve these issues.

Changed 13 months ago by chris

comment:42 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 5.87 to 6.12

This bug is now more of an issue, I think we should reopen it, as the Updated Firefox Security Indicators mean people will sometimes see this:


Note for this to be triggered there needs to be a HTTP request to the front page which results in a version being cached with the HTTP links to the images, then visit the site using HTTPS and you get the HTTP links. However once you have visited using HTTPS then the Strict Transport Security headers mean you can't access the site using HTTP, so it is tricky to duplicate, but it will happen for some people when they load the page using HTTPS just after another user requested it with HTTP and they get this cached version.
