mahara-contributors team mailing list archive

Thread
Date

[Bug 646713] Re: js config.wwwroot ignores httpswwwroot

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Iñaki Arenaza <646713@xxxxxxxxxxxxxxxxxx>
Date: Tue, 22 Mar 2011 22:30:55 -0000
Reply-to: Bug 646713 <646713@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Then, so be it!

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/646713

Title:
  js config.wwwroot ignores httpswwwroot

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Originally reported in
  http://mahara.org/interaction/forum/topic.php?id=1746

  If wwwroot and httpswwwroot are both set and they're set differently, then users accessing mahara over https won't be able to retrieve various things - e.g. help snippets.
  If the user is coming over https, and httpswwwroot is set, we should be using that instead of the wwwroot.
  If they use the wwwroot, then browsers see this as XSS and block various things - e.g. help files.

  This is *only* a problem when visiting over https and the wwwroot is
  set to http. The only place I can see where we actively pass users
  from http to https is the account settings page. That said, users can
  visit the httpswwwroot instead of the wwwroot and will see this on any
  page that they visit (until they click a link that is...).

  I've marked this a security bug for the moment until someone else has had a look.
  I think we may need to have more of a review of this - the ajaxlogin also uses config.wwwroot regardless of the setting of httpswwwroot.

  Andrew