Force SSL for *.commons.gc.cuny.edu pages
Starting in January 2017, Chrome will start showing "insecure" notices to users for non-HTTPS pages that contain password forms. See e.g. https://www.cnet.com/news/chrome-warning-insecure-http-websites-expose-passwords-credit-card-numbers/
On the Commons, we have a password form on every page (for logged-out users, at least) - in the toolbar.
We should start forcing SSL everywhere we can. For the moment, this means commons.gc.cuny.edu and *.commons.gc.cuny.edu. Most mapped domains don't have SSL certificates.
I'm going to go ahead and put this in the pipeline for 1.10.3. The code-level change will be pretty simple, but we should double-check to make sure we catch non-secure assets leaking through before then.
Ray, you're a watcher here - if you think of any blocking issues, please let me know.
#5 Updated by Boone Gorges over 2 years ago
- Status changed from New to Resolved
I did some testing on cdev, and I think that the change looks good, so I've put it in place for 1.10.3: https://github.com/cuny-academic-commons/cac/commit/84e37f24f708003d6a5f71c99076d1ab97ebcfcf
While looking at it, I noticed that a previous fix for ensuring that HTTPS requests can't be made on non-Commons URLs was not working properly, due to our server migration. I've fixed that in https://github.com/cuny-academic-commons/cac/commit/0a0cd4b9d29bca35ed455ce39e4e77a01061ba2a
#7 Updated by Boone Gorges over 2 years ago
- Status changed from Assigned to Resolved
I added a check against the LDV1 and LW3A subnets (based on SERVER_ADDR info), which is now hardcoded into .htaccess. So anyone visiting from localhost or 127.0.0.1 or whatever should not have any problems.
#8 Updated by Boone Gorges over 2 years ago
X-Forwarded-Proto is apparently not available in production, so I had to mod the rule after release: https://github.com/cuny-academic-commons/cac/commit/1702e6eaca3ad86bac0ad84f43f07211c440e6d0
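The rule shape discussed across this ticket (force HTTPS only on Commons hostnames, exempt the internal subnets by SERVER_ADDR, and decide "is this already HTTPS?" with or without X-Forwarded-Proto), as an added example that is not the Commons' own .htaccess and is not taken from the linked commits. It assumes Apache with mod_rewrite enabled; the 10.0.1.0/24 and 10.0.2.0/24 ranges are placeholders standing in for the LDV1 and LW3A subnets, whose real addresses are not on this page.

```apache
# Added example (not the cac project's .htaccess). Assumes mod_rewrite is
# enabled and that 10.0.1.x / 10.0.2.x are placeholders for the LDV1 and
# LW3A subnets mentioned in the ticket.
RewriteEngine On

# Only commons.gc.cuny.edu and *.commons.gc.cuny.edu are forced to HTTPS.
# Mapped domains without certificates do not match and are left alone.
RewriteCond %{HTTP_HOST} ^(.+\.)?commons\.gc\.cuny\.edu$ [NC]

# Skip the redirect when the request is served on an internal subnet
# (checked via SERVER_ADDR, as the ticket describes), so localhost /
# 127.0.0.1 and dev access keep working without a certificate.
RewriteCond %{SERVER_ADDR} !^10\.0\.1\.
RewriteCond %{SERVER_ADDR} !^10\.0\.2\.

# "Already HTTPS?" needs two checks because both deployments occur:
#  - TLS terminated at Apache itself: %{HTTPS} is "on" and is authoritative.
#  - TLS terminated at a proxy in front of Apache: %{HTTPS} is "off" on the
#    backend, and only the proxy's X-Forwarded-Proto header says otherwise.
# Both conditions are ANDed, so the redirect fires only when neither signal
# says the request came in over TLS.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https

# Permanent redirect to the same host and path over HTTPS.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Two caveats that follow directly from the thread. First, if the proxy terminates TLS but does not set X-Forwarded-Proto (the situation comment #8 ran into in production), %{HTTPS} is "off" on every request and the header is absent, so this rule redirects every request, including the ones that were already HTTPS, and the site loops; in that deployment the "already HTTPS" signal has to come from something the proxy does provide, which is why the rule had to be changed after release. Second, X-Forwarded-Proto is an ordinary request header, so the proxy must set or overwrite it on every request; if it merely passes the client's headers through, a client can send the header itself over plain HTTP and skip the redirect, which defeats the point of the rule.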