iso.qa.ubuntu.com renders differently under HTTPs - http assets not loaded over https

Bug #1868413 reported by Marco Parillo
This bug affects 5 people
Affects: Ubuntu QA Website; Status: Triaged; Importance: Medium; Assigned to: Unassigned

Bug Description

I would prefer to use https://iso.qa.ubuntu.com/, but it seems as if http://iso.qa.ubuntu.com/ renders better for me under both Falkon and Chromium.

Marking this as security as HTTPs should be "normal".

Tags: samkenx
summary: - Iso.qa,ubuntu.com renders differently under HTTPs
+ iso.qa.ubuntu.com renders differently under HTTPs
Jean-Baptiste Lallement (jibel) wrote : Re: iso.qa.ubuntu.com renders differently under HTTPs

Thanks for your report.

It's because the CSS are on http instead of https and not loaded in this case.

Changed in ubuntu-qa-website:
importance: Undecided → Medium
status: New → Triaged
information type: Private Security → Public
summary: - iso.qa.ubuntu.com renders differently under HTTPs
+ iso.qa.ubuntu.com renders differently under HTTPs - http assets not
+ loaded over https
Dimitri John Ledkov (xnox) wrote :

@jibel

Not quite, the resources are there on the same host and served both under http & https.

If I go into inspector, and change the urls to https, the page renders correctly.

It is a security policy that browsers do not load http resources from an https page.

It seems like https got enabled on the qatracker app, without changing the settings such that it too knows that it is available over https. If that is done, then it would correctly render https urls for the resources, and everything should work correctly under https.

Thus this is a deployment issue, but I don't know where the production deployment settings are.

Dimitri John Ledkov (xnox) wrote :

Depending on how Drupal is configured, either baseurl needs to be set, or dynamically rewritten, or a content header to upgrade requests needs to be set.

See https://www.drupal.org/project/securelogin/issues/1670822 for many available solutions.
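
Added example (not part of the bug thread or the qatracker code): a check that lists the subresource references a browser treats as mixed content on an https page, and shows the effect of the `upgrade-insecure-requests` Content-Security-Policy directive, which is one form of the "upgrade requests" header mentioned above. The host `qa.example.test`, the sample markup and the names `Scanner` and `find_mixed_content` are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that fetch a subresource, mapped to the category the
# W3C Mixed Content spec gives an http:// URL loaded from an https:// page.
LOADS = {("script", "src"): "blockable", ("iframe", "src"): "blockable",
         ("link", "href"): "blockable",  # counted only for rel=stylesheet
         ("img", "src"): "upgradeable", ("video", "src"): "upgradeable"}

# Constructed sample: an https page whose markup still emits absolute http:// URLs.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://qa.example.test/style.css">
<script src="/js/app.js"></script>
</head><body><img src="http://qa.example.test/logo.png"></body></html>"""


class Scanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url  # relative URLs resolve against this
        self.found = []       # (category, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base = urljoin(self.base, a["href"])
            return
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for (t, attr), category in LOADS.items():
            if t == tag and a.get(attr):
                url = urljoin(self.base, a[attr])
                if urlsplit(url).scheme == "http":
                    self.found.append((category, tag, url))


def find_mixed_content(page_url, html, csp=""):
    """Return (category, tag, url) for each http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over https
    scanner = Scanner(page_url)
    scanner.feed(html)
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    if "upgrade-insecure-requests" in directives:
        # The browser rewrites these URLs to https before fetching them.
        return [("upgraded", tag, "https" + url[4:]) for _, tag, url in scanner.found]
    return scanner.found
```

Entries reported as "blockable" are the ones that produce the unstyled page described in this report; the root-relative script in the sample is not flagged because it inherits the page's https scheme.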

Nicolae Crefelean (kneekoo) wrote :

https://enable-cors.org/server_apache.html

^ This doesn't give you the solution, but where you should look. Ideally, the CORS settings are not in .htaccess (for performance reasons), but it should be in one of those places.

SamKenXStream (samkenx)
tags: added: david
SamKenXStream (samkenx)
tags: added: samkenx
removed: david