incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <mgai...@hotmail.com>
Subject Re: HTTPS project sites
Date Sat, 14 Jan 2017 01:06:21 GMT


________________________________
From: Christopher <ctubbsii@apache.org>
Sent: Friday, January 13, 2017 1:17 PM
To: general@incubator.apache.org
Subject: Re: HTTPS project sites

No, I did not. This issue has nothing to do with same origin policy (which
most users should never try to disable). It's about mixed content.
Accessing a site via https can give a false sense of security if the site
itself depends on non-https content.

In the past, many browsers would just show a mixed-content warning, which
most users would probably ignore. Chrome's latest behavior (and I expect
other browsers will follow eventually) tries to give a better indicator of
the degree of security a site has by not loading mixed-content by default,
and when the mixed-content is loaded, the page is explicitly marked "Not
Secure".

The end result is that project websites may not be presented to their users
in the way the developers intended.

MG>http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site

MG>he mentions various strategies..twiddling http headers to https, screen-scraping mixed-content
to aggregate on secure site and proxies
MG> as far as proxies he mentions ngrok<https://ngrok.com/usage> and mitmproxy<http://mitmproxy.org/>..my
personal preference is Squid
[https://cdn.sstatic.net/Sites/stackoverflow/img/apple-touch-icon@2.png?v=73d79a89bded]<http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site>

html - How to allow http content within an iframe on a ...<http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site>
stackoverflow.com
I load some HTML into an iframe but when a file referenced is using http, not https, I get
the following error: [blocked] The page at {current_pagename} ran insecure ...



MG>HTH
MG>Martin-
On Fri, Jan 13, 2017 at 12:54 PM Martin Gainty <mgainty@hotmail.com> wrote:

> Hi Christopher
>
>
> did you try disabling default x-domain block for XHR request originating
> from Chrome?
>
>
> https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/
How to: Disable Same-Origin Policy in Chrome | Josh McGinnis<https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/>
joshuamcginnis.com
How to enable cross-domain ajax requests in Chrome for development by disabling the same-origin
policy.



>
>
> How to: Disable Same-Origin Policy in Chrome | Josh McGinnis<
> https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/
How to: Disable Same-Origin Policy in Chrome | Josh McGinnis<https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/>
joshuamcginnis.com
How to enable cross-domain ajax requests in Chrome for development by disabling the same-origin
policy.



> >
> joshuamcginnis.com
> How to enable cross-domain ajax requests in Chrome for development by
> disabling the same-origin policy.
>
>
> ?
>
> Martin
> ______________________________________________
>
>
>
> ________________________________
> From: Christopher <ctubbsii@apache.org>
> Sent: Friday, January 13, 2017 12:34 PM
> To: general@incubator.apache.org
> Subject: HTTPS project sites
>
> Hi incubating projects,
>
> I noticed today that at least one incubating web site won't load properly
> in the latest version of Chrome with the default settings using HTTPS (
> https://htrace.incubator.apache.org/).
Apache HTrace – About<https://htrace.incubator.apache.org/>
htrace.incubator.apache.org
Apache HTrace is an Apache Incubator project providing an open source framework for distributed
tracing. It can be used with both standalone applications and libraries.



> Apache HTrace - About<https://htrace.incubator.apache.org/>
Apache HTrace – About<https://htrace.incubator.apache.org/>
htrace.incubator.apache.org
Apache HTrace is an Apache Incubator project providing an open source framework for distributed
tracing. It can be used with both standalone applications and libraries.



> htrace.incubator.apache.org
> Apache HTrace is an Apache Incubator project providing an open source
> framework for distributed tracing. It can be used with both standalone
> applications and libraries.
>
>
>
>
> This appears to be caused by Chrome being a bit aggressive about not
> loading scripts from HTTP sources when the page itself is loaded with
> HTTPS.
>
> Projects may wish to check their sites to ensure that their javascript/css
> resources are loading correctly when using HTTPS.
>
> --
> Christopher
>
--
Christopher

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message