Bug #6650
closedForce SSL for *.commons.gc.cuny.edu pages
0%
Description
Starting in January 2017, Chrome will start showing "insecure" notices to users for non-HTTPS pages that contain password forms. See eg https://www.cnet.com/news/chrome-warning-insecure-http-websites-expose-passwords-credit-card-numbers/
On the Commons, we have a password form on every page (for logged-out users, at least) - in the toolbar.
We should start forcing SSL everywhere we can. For the moment, this means commons.gc.cuny.edu and *.commons.gc.cuny.edu. Most mapped domains don't have SSL certificates.
I'm going to go ahead and put this in the pipeline for 1.10.3. The code-level change will be pretty simple, but we should double-check to make sure we catch non-secure assets leaking through before then.
Ray, you're a watcher here - if you think of any blocking issues, please let me know.
Related issues
Updated by Boone Gorges over 7 years ago
- Related to Feature #5525: Mapped domains should be administered over *.commons.gc.cuny.edu added
Updated by Matt Gold over 7 years ago
Thanks so much for catching this. Does this go for all CBOX sites? If so, perhaps I should send out an email to the CBOX list (and perhaps we should update NYCDH etc)
Updated by Boone Gorges over 7 years ago
(It may be the case that we're in the clear if the <form> element points to an HTTPS page as far as the browser warning is concerned, but we should make this change anyway.)
Updated by Boone Gorges over 7 years ago
Does this go for all CBOX sites?
It goes for every site on the internet. But Commons In A Box does not add a login form to the toolbar.
Updated by Boone Gorges over 7 years ago
- Status changed from New to Resolved
I did some testing on cdev, and I think that the change looks good, so I've put it in place for 1.10.3: https://github.com/cuny-academic-commons/cac/commit/84e37f24f708003d6a5f71c99076d1ab97ebcfcf
While looking at it, I noticed that a previous fix for ensuring that HTTPS requests can't be made on non-Commons URLs was not working properly, due to our server migration. I've fixed that in https://github.com/cuny-academic-commons/cac/commit/0a0cd4b9d29bca35ed455ce39e4e77a01061ba2a
Updated by Boone Gorges over 7 years ago
- Status changed from Resolved to Assigned
Crud, I just realized that this breaks local installations that use the commons.gc.cuny.edu URL and don't have a local SSL cert set up. Let me see if I can figure out a workaround.
Updated by Boone Gorges over 7 years ago
- Status changed from Assigned to Resolved
I added a check against the LDV1 and LW3A subnets (based on SERVER_ADDR info), which is now hardcoded into .htaccess. So anyone visiting from localhost or 127.0.0.1 or whatever should not have any problems.
https://github.com/cuny-academic-commons/cac/commit/38e5e500d992dfe12d41bc83d302bfdb9c0b5fb2
Updated by Boone Gorges over 7 years ago
X-Forwarded-Proto is apparently not available in production, so I had to mod the rule after release: https://github.com/cuny-academic-commons/cac/commit/1702e6eaca3ad86bac0ad84f43f07211c440e6d0
Updated by Raymond Hoh almost 6 years ago
- Related to Feature #9907: Ability to change error page for non-approved users? added
Updated by Raymond Hoh almost 6 years ago
- Related to deleted (Feature #9907: Ability to change error page for non-approved users?)