mahara-contributors team mailing list archive

[Bug 646713] Re: Removal of httpswwwroot

 

This is going to cause problems as well.  I just recently moved our site
from always https to only login, because when students embed video from
outside of the site (which they are encouraged to do to save file space
and to take advantage of other resources) Internet Explorer will block
the content every time you reload the page.  It also looks like it is
blocking the new Google Apps block type, even if the provided url/embed-
code has https in it.  As Iñaki Arenaza mentioned, we use LDAP for
logins that can't be allowed to pass in clear text so HTTPS is
important.  At least 25% of our users use IE and it becomes very
irritating having to constantly confirm "show all content" when editing
a page or browsing a collection.

Some of this might be mitigated if the googleapps and externalvideo
block types took into consideration the site's SSL status and embedded
the content with https sources when available (both YouTube and Google
Apps seem to support embedding over https).

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/646713

Title:
  Removal of httpswwwroot

Status in Mahara ePortfolio:
  Fix Released

Bug description:
  Originally reported in
  http://mahara.org/interaction/forum/topic.php?id=1746

  If wwwroot and httpswwwroot are both set and they're set differently, then users accessing mahara over https won't be able to retrieve various things - e.g. help snippets.
  If the user is coming over https, and httpswwwroot is set, we should be using that instead of the wwwroot.
  If they use the wwwroot, then browsers see this as XSS and block various things - e.g. help files.

  This is *only* a problem when visiting over https and the wwwroot is
  set to http. The only place I can see where we actively pass users
  from http to https is the account settings page. That said, users can
  visit the httpswwwroot instead of the wwwroot and will see this on any
  page that they visit (until they click a link that is...).

  I've marked this a security bug for the moment until someone else has had a look.
  I think we may need to have more of a review of this - the ajaxlogin also uses config.wwwroot regardless of the setting of httpswwwroot.

  Andrew

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/646713/+subscriptions
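
The two behaviours discussed in this message, choosing httpswwwroot for HTTPS requests and embedding external content over https when the site itself is on SSL, sketched as an added PHP example; it is not Mahara's code and not part of the original message. The function names, the host allow-list and the sample URLs are assumptions made for illustration; only the `wwwroot` and `httpswwwroot` setting names come from the bug report.

```php
<?php
// Added illustration, not Mahara code. All function names are hypothetical.

// Constructed allow-list: hosts assumed to serve the same embed over HTTPS.
const HTTPS_CAPABLE_EMBED_HOSTS = ['www.youtube.com', 'youtube.com', 'docs.google.com'];

/** True when the current request arrived over TLS ($server is normally $_SERVER). */
function request_is_https(array $server): bool {
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

/** Base URL for generated links: use httpswwwroot on HTTPS requests when it is set. */
function base_url_for_request(array $cfg, bool $https): string {
    if ($https && !empty($cfg['httpswwwroot'])) {
        return $cfg['httpswwwroot'];
    }
    return $cfg['wwwroot'];
}

/**
 * Source URL to use for an external embed on the current page.
 * On an HTTPS page an http:// source is upgraded only for allow-listed hosts;
 * null means the embed would be mixed content and should not be emitted as-is.
 */
function embed_src_for_page(string $src, bool $https): ?string {
    $parts = parse_url($src);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null; // not an absolute URL
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme === 'https') {
        return $src;  // already safe on both http and https pages
    }
    if ($scheme !== 'http') {
        return null;  // only http(s) sources are embedded
    }
    if (!$https) {
        return $src;  // plain-http page: no mixed-content issue
    }
    if (in_array(strtolower($parts['host']), HTTPS_CAPABLE_EMBED_HOSTS, true)) {
        return 'https' . substr($src, strlen($parts['scheme']));
    }
    return null;      // unknown host: caller shows a link instead of an embed
}

// Constructed sample values.
$cfg = ['wwwroot' => 'http://portfolio.example.edu/',
        'httpswwwroot' => 'https://portfolio.example.edu/'];
$https = request_is_https(['HTTPS' => 'on']);
echo base_url_for_request($cfg, $https), "\n";
var_dump(embed_src_for_page('http://www.youtube.com/embed/VIDEO_ID', $https));
var_dump(embed_src_for_page('http://video.example.org/clip', $https));
```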