incubator-general mailing list archives

From Henri Yandell <bay...@apache.org>
Subject Re: HTTPS project sites
Date Sat, 14 Jan 2017 05:42:17 GMT
We're not doing SSL-everywhere afaict; so seems that we would want to keep
the HTTP option when in HTTP.

Would love to see Infra providing a 'how many hardcoded http/https' report
for each subdomain :)

Hen

On Fri, Jan 13, 2017 at 5:18 PM, Christopher <ctubbsii@apache.org> wrote:

> In most cases, the project developers should just make sure their
> JavaScript and CSS resources in their page point to an HTTPS version. They
> don't actually need to point to the HTTP location.
>
> On Fri, Jan 13, 2017, 20:06 Martin Gainty <mgainty@hotmail.com> wrote:
>
> >
> >
> > ________________________________
> > From: Christopher <ctubbsii@apache.org>
> > Sent: Friday, January 13, 2017 1:17 PM
> > To: general@incubator.apache.org
> > Subject: Re: HTTPS project sites
> >
> > No, I did not. This issue has nothing to do with same origin policy (which
> > most users should never try to disable). It's about mixed content.
> > Accessing a site via https can give a false sense of security if the site
> > itself depends on non-https content.
> >
> > In the past, many browsers would just show a mixed-content warning, which
> > most users would probably ignore. Chrome's latest behavior (and I expect
> > other browsers will follow eventually) tries to give a better indicator of
> > the degree of security a site has by not loading mixed-content by default,
> > and when the mixed-content is loaded, the page is explicitly marked "Not
> > Secure".
> >
> > The end result is that project websites may not be presented to their users
> > in the way the developers intended.
> >
> > MG>
> > http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site
> >
> > MG>he mentions various strategies..twiddling http headers to https,
> > screen-scraping mixed-content to aggregate on secure site and proxies
> > MG> as far as proxies he mentions ngrok<https://ngrok.com/usage> and
> > mitmproxy<http://mitmproxy.org/>..my personal preference is Squid
> >
> > MG>HTH
> > MG>Martin-
> > On Fri, Jan 13, 2017 at 12:54 PM Martin Gainty <mgainty@hotmail.com>
> > wrote:
> >
> > > Hi Christopher
> > >
> > >
> > > did you try disabling default x-domain block for XHR request originating
> > > from Chrome?
> > >
> > > How to: Disable Same-Origin Policy in Chrome | Josh McGinnis
> > > <https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/>
> > >
> > > ?
> > >
> > > Martin
> > > ______________________________________________
> > >
> > >
> > >
> > > ________________________________
> > > From: Christopher <ctubbsii@apache.org>
> > > Sent: Friday, January 13, 2017 12:34 PM
> > > To: general@incubator.apache.org
> > > Subject: HTTPS project sites
> > >
> > > Hi incubating projects,
> > >
> > > I noticed today that at least one incubating web site won't load properly
> > > in the latest version of Chrome with the default settings using HTTPS (
> > > https://htrace.incubator.apache.org/).
> > >
> > > This appears to be caused by Chrome being a bit aggressive about not
> > > loading scripts from HTTP sources when the page itself is loaded with
> > > HTTPS.
> > >
> > > Projects may wish to check their sites to ensure that their javascript/css
> > > resources are loading correctly when using HTTPS.
> > >
> > > --
> > > Christopher
> > >
> > --
> > Christopher
> >
>
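
Added example, not part of the original thread and not Apache Infra tooling: a sketch of the per-page count of hardcoded http/https subresources asked for above, which also lists the http:// references that become mixed content when the page is served over HTTPS. The tag/attribute sets, the names `SubresourceAudit` and `audit`, and the sample page are assumptions made for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that trigger a subresource fetch. On an HTTPS page,
# browsers block insecure "active" loads and at best warn about "passive" ones.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class SubresourceAudit(HTMLParser):
    """Counts hardcoded http:// and https:// subresource URLs in one page."""
    def __init__(self):
        super().__init__()
        self.counts = Counter()
        self.insecure = []  # (kind, tag, url) for every http:// reference

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # other <link> types (icon, canonical) are not counted here
        for kind, pairs in (("active", ACTIVE), ("passive", PASSIVE)):
            for attr in (a for t, a in pairs if t == tag):
                url = (attrs.get(attr) or "").strip()
                scheme = urlsplit(url).scheme.lower()
                if scheme in ("http", "https"):
                    self.counts[scheme] += 1
                if scheme == "http":
                    self.insecure.append((kind, tag, url))

def audit(html):
    parser = SubresourceAudit()
    parser.feed(html)
    parser.close()
    return parser

# Constructed sample page; cdn.example.org is a placeholder host.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.org/site.css">
<link rel="icon" href="http://cdn.example.org/favicon.ico">
<script src="https://cdn.example.org/jquery.js"></script>
<script src="//cdn.example.org/app.js"></script>
<script src="http://cdn.example.org/menu.js"></script>
</head><body><img src="http://cdn.example.org/logo.png">
<a href="http://example.org/">plain link, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(dict(report.counts), *report.insecure, sep="\n")
```

Protocol-relative (`//host/...`) and relative URLs inherit the page's scheme, so they are not counted as hardcoded in either direction.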
