incubator-general mailing list archives

From Christopher <ctubb...@apache.org>
Subject Re: HTTPS project sites
Date Sat, 14 Jan 2017 19:31:15 GMT
Sorry if I caused confusion. I'm not requesting assistance... I'm just
trying to make the community aware of the issue, and suggesting fixes. The
HTrace page was just one example that didn't work on https.

On Sat, Jan 14, 2017 at 7:59 AM John D. Ament <johndament@apache.org> wrote:

> I guess this is my confusion as well (hence my prior response). It sounded
> like from a technical standpoint he wasn't sure how to make it protocol
> agnostic.
>
> RE HTTPS everywhere. The only place that doesn't support HTTPS is the
> staging URLs via CMS. Other than that, all other resources support HTTPS.
>
> John
>
> On Sat, Jan 14, 2017 at 4:02 AM Evan Hughes <wisebaldone@apache.org>
> wrote:
>
> > I see no technical reason why these external libraries can't be included
> > with https instead of http. I would rather see https:// instead of // as
> > // can cause conflict when serving from a local file system as it'll
> > assume file://.
> >
> > Though I'm not sure what you're proposing Christopher other than an issue
> > that needs to be added to htrace's jira page.
> >
> > ~ Evan
> >
> > On Sat, 14 Jan 2017 at 16:14 Christopher <ctubbsii@apache.org> wrote:
> >
> > > While I personally would prefer ASF switch everything over to HTTPS
> > > only, the main concern here is that projects may only be testing their
> > > sites with HTTP, and they may not realize that their site breaks for
> > > visitors using HTTPS. Using "https://", or simply "//", instead of
> > > "http://" for javascript/css/other resources is a quick fix for most
> > > project sites. That should get things working, regardless of whether
> > > their visitors are visiting the project site with HTTP or HTTPS.
> > >
> > > On Sat, Jan 14, 2017 at 12:42 AM Henri Yandell <bayard@apache.org>
> > wrote:
> > >
> > > > We're not doing SSL-everywhere afaict; so seems that we would want to
> > > > keep the HTTP option when in HTTP.
> > > >
> > > > Would love to see Infra providing a 'how many hardcoded http/https'
> > > > report for each subdomain :)
> > > >
> > > > Hen
> > > >
> > > > On Fri, Jan 13, 2017 at 5:18 PM, Christopher <ctubbsii@apache.org>
> > > wrote:
> > > >
> > > > > In most cases, the project developers should just make sure their
> > > > > JavaScript and CSS resources in their page point to an HTTPS
> > > > > version. They don't actually need to point to the HTTP location.
> > > > >
> > > > > On Fri, Jan 13, 2017, 20:06 Martin Gainty <mgainty@hotmail.com>
> > wrote:
> > > > >
> > > > > >
> > > > > >
> > > > > > ________________________________
> > > > > > From: Christopher <ctubbsii@apache.org>
> > > > > > Sent: Friday, January 13, 2017 1:17 PM
> > > > > > To: general@incubator.apache.org
> > > > > > Subject: Re: HTTPS project sites
> > > > > >
> > > > > > No, I did not. This issue has nothing to do with same origin
> > > > > > policy (which most users should never try to disable). It's about
> > > > > > mixed content. Accessing a site via https can give a false sense
> > > > > > of security if the site itself depends on non-https content.
> > > > > >
> > > > > > In the past, many browsers would just show a mixed-content
> > > > > > warning, which most users would probably ignore. Chrome's latest
> > > > > > behavior (and I expect other browsers will follow eventually)
> > > > > > tries to give a better indicator of the degree of security a site
> > > > > > has by not loading mixed-content by default, and when the
> > > > > > mixed-content is loaded, the page is explicitly marked "Not
> > > > > > Secure".
> > > > > >
> > > > > > The end result is that project websites may not be presented to
> > > > > > their users in the way the developers intended.
> > > > > >
> > > > > > MG>
> > > > > > http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site
> > > > > >
> > > > > > MG>he mentions various strategies..twiddling http headers to
> > > > > > https, screen-scraping mixed-content to aggregate on secure site
> > > > > > and proxies
> > > > > > MG> as far as proxies he mentions ngrok<https://ngrok.com/usage>
> > > > > > and mitmproxy<http://mitmproxy.org/>..my personal preference is
> > > > > > Squid
> > > > > >
> > > > > > MG>HTH
> > > > > > MG>Martin-
> > > > > > On Fri, Jan 13, 2017 at 12:54 PM Martin Gainty <
> > mgainty@hotmail.com>
> > > > > > wrote:
> > > > > >
> > > > > > > Hi Christopher
> > > > > > >
> > > > > > >
> > > > > > > did you try disabling default x-domain block for XHR request
> > > > > > > originating from Chrome?
> > > > > > >
> > > > > > > https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/
> > > > > > >
> > > > > > > ?
> > > > > > >
> > > > > > > Martin
> > > > > > > ______________________________________________
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ________________________________
> > > > > > > From: Christopher <ctubbsii@apache.org>
> > > > > > > Sent: Friday, January 13, 2017 12:34 PM
> > > > > > > To: general@incubator.apache.org
> > > > > > > Subject: HTTPS project sites
> > > > > > >
> > > > > > > Hi incubating projects,
> > > > > > >
> > > > > > > I noticed today that at least one incubating web site won't
> > > > > > > load properly in the latest version of Chrome with the default
> > > > > > > settings using HTTPS (https://htrace.incubator.apache.org/).
> > > > > > >
> > > > > > > This appears to be caused by Chrome being a bit aggressive
> > > > > > > about not loading scripts from HTTP sources when the page
> > > > > > > itself is loaded with HTTPS.
> > > > > > >
> > > > > > > Projects may wish to check their sites to ensure that their
> > > > > > > javascript/css resources are loading correctly when using
> > > > > > > HTTPS.
> > > > > > >
> > > > > > > --
> > > > > > > Christopher
> > > > > > >
> > > > > > --
> > > > > > Christopher
> > > > > >
> > > > >
> > > >
> > > --
> > > Christopher
> > >
> >
>
-- 
Christopher
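
The thread asks for two things: the "how many hardcoded http/https" report Henri wants per site, and the fix Christopher and Evan describe (pointing script/css/iframe references at https:// rather than http://). The script below is an added example that does both for a static site checkout; it is not code from this thread, from Apache HTrace, or from ASF Infra. It uses only the Python standard library. The sample page is constructed for the demo and its example.com hosts are placeholders. The rewrite assumes every http:// host in the page also serves the identical resource over HTTPS; that must be verified before the rewritten page is published. It rewrites to https:// rather than to // because of the file:// caveat Evan raises for pages opened from a local file system.

```python
"""Mixed-content report and http:// -> https:// rewrite for static HTML.

Added example: not code from this thread or from any Apache project.
The sample page below is constructed for the demo and the example.com
hosts are placeholders.  The rewrite assumes every http:// host also
serves the identical resource over HTTPS; verify that before publishing.
"""
import re
import sys
from collections import Counter
from html.parser import HTMLParser

# Tag/attribute pairs that fetch a sub-resource.  Chrome blocks "active"
# content (scripts, stylesheets, frames, plugins) fetched over plain HTTP
# into an HTTPS page; "passive" content (images, media) is still fetched
# but the page loses its secure indicator.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}
RESOURCE_ATTRS = ACTIVE | PASSIVE

# Matches the opening of a sub-resource attribute whose value starts with
# http://, so only the scheme is swapped and nothing else is touched.
_HTTP_ATTR = re.compile(
    r'(<(?:script|link|iframe|object|embed|img|audio|video|source)\b[^>]*?'
    r'\b(?:src|href|data)\s*=\s*["\']?)http://', re.IGNORECASE)


def classify(url):
    """Return 'http', 'https', 'protocol-relative', 'relative' or 'other'."""
    u = url.strip().lower()
    if u.startswith("http://"):
        return "http"
    if u.startswith("https://"):
        return "https"
    if u.startswith("//"):
        return "protocol-relative"   # fine on https, but file:// on disk
    if re.match(r"[a-z][a-z0-9+.-]*:", u):
        return "other"               # data:, javascript:, mailto:, ...
    return "relative"                # inherits the page's own scheme


class ResourceCollector(HTMLParser):
    """Collect (tag, attribute, url) for every sub-resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return   # icons, alternates etc. are not active content
        for name, value in attrs.items():
            if value is not None and (tag, name) in RESOURCE_ATTRS:
                self.refs.append((tag, name, value))


def scan(html):
    """Report per-scheme counts and the references that are mixed content."""
    collector = ResourceCollector()
    collector.feed(html)
    counts = Counter(classify(url) for _, _, url in collector.refs)
    mixed = [(tag, url, "active" if (tag, attr) in ACTIVE else "passive")
             for tag, attr, url in collector.refs if classify(url) == "http"]
    return {"counts": dict(counts), "mixed": mixed}


def rewrite_to_https(html):
    """Rewrite hard-coded http:// sub-resource references to https://."""
    return _HTTP_ATTR.sub(r"\1https://", html)


# Constructed sample page; hosts are placeholders, not real CDNs.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/css/site.css">
<link rel="icon" href="/favicon.ico">
<script src="http://cdn.example.com/js/jquery.min.js"></script>
<script src="//cdn.example.com/js/analytics.js"></script>
<script src="https://cdn.example.com/js/app.js"></script>
<script src="js/local.js"></script>
</head><body>
<img src="http://img.example.com/logo.png" alt="logo">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="inline">
<iframe src="http://widgets.example.com/embed"></iframe>
</body></html>
"""


def main(paths):
    """Print the report for each file given, or for the sample page."""
    for path in paths or ["<sample>"]:
        html = SAMPLE_PAGE if path == "<sample>" else open(path, encoding="utf-8").read()
        report = scan(html)
        print(f"{path}: {report['counts']}")
        for tag, url, kind in report["mixed"]:
            print(f"  {kind:7} mixed content in <{tag}>: {url}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it over a site checkout (`python mixed_content.py site/*.html`) to get the per-page counts; the "active" entries are the ones Chrome refuses to load on an https page, which is what broke the HTrace site. Relative and protocol-relative references are not reported as mixed content because they inherit the page's scheme when served by a web server, although, as Evan notes, `//` resolves to `file://` when the page is opened from disk.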
