Bug #6650
closed
Force SSL for *.commons.gc.cuny.edu pages
Added by Boone Gorges over 7 years ago.
Updated over 7 years ago.
Description
Starting in January 2017, Chrome will start showing "insecure" notices to users for non-HTTPS pages that contain password forms. See eg https://www.cnet.com/news/chrome-warning-insecure-http-websites-expose-passwords-credit-card-numbers/
On the Commons, we have a password form on every page (for logged-out users, at least) - in the toolbar.
We should start forcing SSL everywhere we can. For the moment, this means commons.gc.cuny.edu and *.commons.gc.cuny.edu. Most mapped domains don't have SSL certificates.
I'm going to go ahead and put this in the pipeline for 1.10.3. The code-level change will be pretty simple, but we should double-check to make sure we catch non-secure assets leaking through before then.
Ray, you're a watcher here - if you think of any blocking issues, please let me know.
- Related to Feature #5525: Mapped domains should be administered over *.commons.gc.cuny.edu added
Thanks so much for catching this. Does this go for all CBOX sites? If so, perhaps I should send out an email to the CBOX list (and perhaps we should update NYCDH etc)
(It may be the case that we're in the clear if the <form> element points to an HTTPS page as far as the browser warning is concerned, but we should make this change anyway.)
Does this go for all CBOX sites?
It goes for every site on the internet. But Commons In A Box does not add a login form to the toolbar.
- Status changed from New to Resolved
- Status changed from Resolved to Assigned
Crud, I just realized that this breaks local installations that use the commons.gc.cuny.edu URL and don't have a local SSL cert set up. Let me see if I can figure out a workaround.
- Status changed from Assigned to Resolved
- Related to Feature #9907: Ability to change error page for non-approved users? added
- Related to deleted (Feature #9907: Ability to change error page for non-approved users?)
Also available in: Atom
PDF