incubator-general mailing list archives

From "John D. Ament" <johndam...@apache.org>
Subject Re: HTTPS project sites
Date Sat, 14 Jan 2017 19:46:26 GMT
Christopher,

No need to worry - thanks for clarifying!

Just to close the loop on this, did you contact the HTrace team?  Each
podling has their own means for contact.  HTrace's can be found on
http://htrace.incubator.apache.org/mail-lists.html and I would recommend
their "Developer List" to let them know.

John

On Sat, Jan 14, 2017 at 2:31 PM Christopher <ctubbsii@apache.org> wrote:

> Sorry if I caused confusion. I'm not requesting assistance... I'm just
> trying to make the community aware of the issue, and suggesting fixes. The
> HTrace page was just one example that didn't work on https.
>
> On Sat, Jan 14, 2017 at 7:59 AM John D. Ament <johndament@apache.org>
> wrote:
>
> > I guess this is my confusion as well (hence my prior response).  It
> > sounded like from a technical standpoint he wasn't sure how to make it
> > protocol agnostic.
> >
> > RE HTTPS everywhere.  The only place that doesn't support HTTPS are the
> > staging URLs via CMS.  Other than that, all other resources support
> > HTTPS.
> >
> > John
> >
> > On Sat, Jan 14, 2017 at 4:02 AM Evan Hughes <wisebaldone@apache.org>
> > wrote:
> >
> > > I see no technical reason why these external libraries can't be included
> > > with https instead of http. I would rather see https:// instead of // as
> > > // can cause conflict when serving from a local file system as it'll
> > > assume file://.
> > >
> > > Though I'm not sure what you're proposing Christopher other than an issue
> > > that needs to be added to htrace's jira page.
> > >
> > > ~ Evan
> > >
> > > On Sat, 14 Jan 2017 at 16:14 Christopher <ctubbsii@apache.org> wrote:
> > >
> > > > While I personally would prefer ASF switch everything over to HTTPS
> > > > only, the main concern here is that projects may only be testing their
> > > > sites with HTTP, and they may not realize that their site breaks for
> > > > visitors using HTTPS. Using "https://", or simply "//", instead of
> > > > "http://" for javascript/css/other resources is a quick fix for most
> > > > project sites. That should get things working, regardless of whether
> > > > their visitors are visiting the project site with HTTP or HTTPS.
> > > >
> > > > On Sat, Jan 14, 2017 at 12:42 AM Henri Yandell <bayard@apache.org>
> > > wrote:
> > > >
> > > > > We're not doing SSL-everywhere afaict; so seems that we would want
> > > > > to keep the HTTP option when in HTTP.
> > > > >
> > > > > Would love to see Infra providing a 'how many hardcoded http/https'
> > > > > report for each subdomain :)
> > > > >
> > > > > Hen
> > > > >
> > > > > On Fri, Jan 13, 2017 at 5:18 PM, Christopher <ctubbsii@apache.org>
> > > > wrote:
> > > > >
> > > > > > In most cases, the project developers should just make sure their
> > > > > > JavaScript and CSS resources in their page point to an HTTPS
> > > > > > version. They don't actually need to point to the HTTP location.
> > > > > >
> > > > > > On Fri, Jan 13, 2017, 20:06 Martin Gainty <mgainty@hotmail.com>
> > > wrote:
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > ________________________________
> > > > > > > From: Christopher <ctubbsii@apache.org>
> > > > > > > Sent: Friday, January 13, 2017 1:17 PM
> > > > > > > To: general@incubator.apache.org
> > > > > > > Subject: Re: HTTPS project sites
> > > > > > >
> > > > > > > No, I did not. This issue has nothing to do with same origin
> > > > > > > policy (which most users should never try to disable). It's about
> > > > > > > mixed content. Accessing a site via https can give a false sense
> > > > > > > of security if the site itself depends on non-https content.
> > > > > > >
> > > > > > > In the past, many browsers would just show a mixed-content
> > > > > > > warning, which most users would probably ignore. Chrome's latest
> > > > > > > behavior (and I expect other browsers will follow eventually)
> > > > > > > tries to give a better indicator of the degree of security a site
> > > > > > > has by not loading mixed-content by default, and when the
> > > > > > > mixed-content is loaded, the page is explicitly marked "Not
> > > > > > > Secure".
> > > > > > >
> > > > > > > The end result is that project websites may not be presented to
> > > > > > > their users in the way the developers intended.
> > > > > > >
> > > > > > > MG>
> > > > > > > http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site
> > > > > > >
> > > > > > > MG>he mentions various strategies..twiddling http headers to
> > > > > > > https, screen-scraping mixed-content to aggregate on secure site
> > > > > > > and proxies
> > > > > > > MG> as far as proxies he mentions ngrok<https://ngrok.com/usage>
> > > > > > > and mitmproxy<http://mitmproxy.org/>..my personal preference is
> > > > > > > Squid
> > > > > > >
> > > > > > > MG>HTH
> > > > > > > MG>Martin-
> > > > > > > On Fri, Jan 13, 2017 at 12:54 PM Martin Gainty <mgainty@hotmail.com>
> > > > > > > wrote:
> > > > > > >
> > > > > > > > Hi Christopher
> > > > > > > >
> > > > > > > >
> > > > > > > > did you try disabling default x-domain block for XHR request
> > > > > > > > originating from Chrome?
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/
> > > > > > > > How to: Disable Same-Origin Policy in Chrome | Josh McGinnis
> > > > > > > > ?
> > > > > > > >
> > > > > > > > Martin
> > > > > > > > ______________________________________________
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > ________________________________
> > > > > > > > From: Christopher <ctubbsii@apache.org>
> > > > > > > > Sent: Friday, January 13, 2017 12:34 PM
> > > > > > > > To: general@incubator.apache.org
> > > > > > > > Subject: HTTPS project sites
> > > > > > > >
> > > > > > > > Hi incubating projects,
> > > > > > > >
> > > > > > > > I noticed today that at least one incubating web site won't load
> > > > > > > > properly in the latest version of Chrome with the default settings
> > > > > > > > using HTTPS (https://htrace.incubator.apache.org/).
> > > > > > > >
> > > > > > > > This appears to be caused by Chrome being a bit aggressive about
> > > > > > > > not loading scripts from HTTP sources when the page itself is
> > > > > > > > loaded with HTTPS.
> > > > > > > >
> > > > > > > > Projects may wish to check their sites to ensure that their
> > > > > > > > javascript/css resources are loading correctly when using HTTPS.
> > > > > > > >
> > > > > > > > --
> > > > > > > > Christopher
> > > > > > > >
> > > > > > > --
> > > > > > > Christopher
> > > > > > >
> > > > > >
> > > > >
> > > > --
> > > > Christopher
> > > >
> > >
> >
> --
> Christopher
>
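The thread asks for two things a project can do for itself: the "how many hardcoded http/https" report Hen wished Infra would provide, and the quick fix Christopher describes (pointing script/css resources at https://, or //). The script below is an added example, not part of the thread and not an ASF Infra tool. It parses a page with Python's standard-library HTML parser, counts subresource references by scheme class, lists the http:// ones that a browser loading the page over HTTPS would block as mixed content, flags protocol-relative ("//") references separately because, as Evan notes, they resolve to file:// when the page is opened from a local checkout, and rewrites the http:// subresources to https://. The sample page and the CDN host cdn.example.org are constructed for the example; navigation links (<a href>) are deliberately not counted, since they are not loaded into the page and are not mixed content.

```python
"""Hardcoded-scheme report for a project site page (added example).

Not from the thread or any ASF tool. Scans an HTML page for subresource
references (scripts, stylesheets, icons, images, iframes) and reports which
would be blocked as mixed content over HTTPS, which are protocol-relative
(and so become file:// when opened from a local checkout), and rewrites the
http:// ones to https://.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose values load a subresource into the page. <a href> is
# navigation, not a subresource, so it is intentionally absent.
SUBRESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "source": ("src",),
}

# Constructed sample page for the example (hypothetical CDN host).
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.org/bootstrap.css">
<link rel="stylesheet" href="css/site.css">
<script src="http://cdn.example.org/jquery.js"></script>
<script src="//cdn.example.org/analytics.js"></script>
<script src="https://cdn.example.org/prism.js"></script>
</head><body>
<img src="images/logo.png">
<a href="http://example.org/docs">docs</a>
</body></html>"""


class SubresourceCollector(HTMLParser):
    """Collects (tag, attribute, url, line) for every subresource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link> elements that actually fetch something count.
        if tag == "link" and (attrs.get("rel") or "").lower() not in ("stylesheet", "icon"):
            return
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value:
                self.refs.append((tag, name, value.strip(), self.getpos()[0]))


def classify(url):
    """Return 'http', 'https', 'protocol-relative', 'relative' or 'other'."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https"):
        return parts.scheme
    if parts.scheme:
        return "other"  # data:, javascript:, ...
    if url.startswith("//"):
        return "protocol-relative"  # breaks when the page is opened as file://
    return "relative"  # inherits the page's own scheme: always safe


def report(html):
    """Count subresource references per scheme class; list the http:// ones.

    Returns (counts, mixed) where mixed is [(line, tag, attr, url), ...] for
    every reference a browser would block as mixed content over HTTPS.
    """
    collector = SubresourceCollector()
    collector.feed(html)
    counts, mixed = {}, []
    for tag, attr, url, line in collector.refs:
        kind = classify(url)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "http":
            mixed.append((line, tag, attr, url))
    return counts, mixed


def rewrite_to_https(html):
    """Rewrite quoted http:// subresource URLs to https://; leave links alone."""
    collector = SubresourceCollector()
    collector.feed(html)
    for _, _, url, _ in collector.refs:
        if classify(url) == "http":
            secure = "https://" + url[len("http://"):]
            for quote in ('"', "'"):
                html = html.replace(quote + url + quote, quote + secure + quote)
    return html


if __name__ == "__main__":
    counts, mixed = report(SAMPLE_PAGE)
    print("counts by scheme class:", counts)
    for line, tag, attr, url in mixed:
        print(f"line {line}: <{tag} {attr}> would be blocked over HTTPS: {url}")
    print(rewrite_to_https(SAMPLE_PAGE))
```

Run it against a page you fetched with curl (or every file under a site checkout) to get the per-site hardcoded-scheme count; the presence of any entry in the mixed list is the condition under which Chrome marks the page "Not Secure" when the page is served over HTTPS.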
