incubator-couchdb-user mailing list archives

From Kevin Cernekee <cerne...@gmail.com>
Subject Detecting whether SSL is being used
Date Tue, 12 Aug 2014 20:57:19 GMT
Hi,

The ACRA package includes a JavaScript list function[1] which
generates an RSS feed.  The resultant XML document needs to contain
absolute URLs to other documents in the CouchDB instance.

One concern I had with this code is that the generated URLs always use
http:.  Viewing the linked pages requires logging in with admin
rights, so it is better to generate a https: URL when possible.
Ideally this would be determined based on whether the RSS feed's URL
used http or https.  Unfortunately I was not able to find any
indication of SSL status in the CouchDB JavaScript docs[2] or in the
"req" JSON object.

Another concern is that it is using "req.headers.Host" to derive the
hostname; this appears to come from the raw HTTP headers.  It is not
clear to me whether this string is validated/sanitized in 100% of all
cases.  It might be safer to take this from the server configuration
than from the user request.

Is there a way to access the URL protocol (http/https) and hostname
from JavaScript, similar to the HTTPS and HTTP_HOST environment
variables on Apache httpd?


[1] https://github.com/ACRA/acra-storage/blob/master/lists/rss.js
[2] http://docs.couchdb.org/en/latest/query-server/javascript.html
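
One way to address both concerns raised in the message, as an added example that is not part of the original post or of ACRA's rss.js: take the scheme and a fallback base URL from operator-set configuration, and accept the Host header only when it is well-formed and on an allowlist. `FEED_CONFIG`, `trustedHost`, `baseUrl`, `itemLink` and the example.org values are hypothetical; only the `req.headers.Host` shape follows the message.

```javascript
// Added example; every name and value below is hypothetical.
// Constructed operator-set configuration (for instance kept in the design
// document), used instead of trusting the client's Host header.
var FEED_CONFIG = {
  canonicalBase: "https://couch.example.org:6984",
  allowedHosts: ["couch.example.org", "couch.example.org:6984"]
};

// host[:port] syntax only: DNS labels and an optional numeric port.
var HOST_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*(:\d{1,5})?$/;

// Return the normalized host if it is well-formed and allowlisted, else null.
function trustedHost(rawHost, config) {
  if (typeof rawHost !== "string" || rawHost.length > 255) return null;
  var host = rawHost.toLowerCase();
  if (!HOST_RE.test(host)) return null;          // rejects CR/LF, spaces, '<', '/', '@'
  return config.allowedHosts.indexOf(host) !== -1 ? host : null;
}

// Base URL for links in the feed. The scheme always comes from configuration,
// so a feed fetched over http still links to https when the operator set it.
function baseUrl(req, config) {
  var headers = (req && req.headers) || {};
  var host = trustedHost(headers.Host, config);
  if (host === null) return config.canonicalBase; // fall back, never echo input
  var scheme = config.canonicalBase.split("://")[0];
  return scheme + "://" + host;
}

// Absolute link to a document; each path segment is percent-encoded.
function itemLink(req, config, segments) {
  return baseUrl(req, config) + "/" + segments.map(encodeURIComponent).join("/");
}
```

Pinning the scheme in configuration sidesteps the missing SSL indicator in `req`, at the cost of the operator having to update the setting if the deployment changes.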
