mahara-contributors team mailing list archive

[Aaron Wells <1563641@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

"Mixed content" refers to the scenario where a web page is served via
HTTPS, but it includes assets that are served via an HTTP URL. See
https://developer.mozilla.org/en-US/docs/Security/Mixed_content for some
discussion of this.

In Bug 1463629 we fixed this issue for embedded iframes, by patching the
HTMLPurifier core class HTMLPurifier_URIFilter_SafeIframe so that, in
addition to filtering iframes for an allowed set of URLs, it also
transformed them from HTTPS to HTTP if needed.

After having recently done some work on HTMLPurifier for other bugs, and
becoming more familiar with their API, it now becomes apparent to me
that this was a bit of a hack (patching core code should have told me
this anyway). What we should have done is, instead, write up a new
custom URIFilter specifically for rewriting URI's from HTTP to HTTPS in
this way, and used that instead.

Doing it that way will make future HTMLPurifier upgrades easier, by
eliminating the need to patch that file.

** Affects: mahara
     Importance: Low
     Assignee: Aaron Wells (u-aaronw)
         Status: Confirmed

** Changed in: mahara
    Milestone: None => 16.10.0

** Changed in: mahara
     Assignee: (unassigned) => Aaron Wells (u-aaronw)

** Changed in: mahara
   Importance: Undecided => Low

** Changed in: mahara
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1563641

Title:
  Rewrite "mixed content" URLs via an HTMLPurifier custom filter

Status in Mahara:
  Confirmed

Bug description:
  "Mixed content" refers to the scenario where a web page is served via
  HTTPS, but it includes assets that are served via an HTTP URL. See
  https://developer.mozilla.org/en-US/docs/Security/Mixed_content for
  some discussion of this.

  In Bug 1463629 we fixed this issue for embedded iframes, by patching
  the HTMLPurifier core class HTMLPurifier_URIFilter_SafeIframe so that,
  in addition to filtering iframes for an allowed set of URLs, it also
  transformed them from HTTPS to HTTP if needed.

  After having recently done some work on HTMLPurifier for other bugs,
  and becoming more familiar with their API, it now becomes apparent to
  me that this was a bit of a hack (patching core code should have told
  me this anyway). What we should have done is, instead, write up a new
  custom URIFilter specifically for rewriting URI's from HTTP to HTTPS
  in this way, and used that instead.

  Doing it that way will make future HTMLPurifier upgrades easier, by
  eliminating the need to patch that file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1563641/+subscriptions