Mixed content security warnings in search results and record details
Bug #787295 reported by Dan Scott
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Medium | Unassigned |
2.0 | Fix Released | Undecided | Unassigned |
2.1 | Fix Released | Undecided | Unassigned |
Bug Description
* Evergreen 2.0.6
When accessing search results or record details via HTTPS in the default skin, browsers raise a mixed content warning due to the presence of JavaScript resources loaded via hardcoded HTTP URLs. While users can easily disable these warnings, that's not a security practice that we want to encourage or be responsible for.
Accordingly, the branch at http://
Please review and merge if acceptable.
tags: removed: review
Changed in evergreen:
status: New → In Progress
assignee: nobody → Dan Wells (dbw2)
Changed in evergreen:
milestone: 2.2.0alpha1 → 2.2.0alpha2
Changed in evergreen:
status: Fix Committed → Fix Released
Turns out that this is impossible to fix unless we proxy the requests ourselves - at least, not without switching to the new v1 API for Google Books, which then adds the complication of needing an API key and being limited to 1,000 requests / day (by default - can be extended by request, but is it worth adding this to the complications in our current JavaScript configuration? Methinks no.)
So the right way to resolve this is probably to treat Google Books as just another added content provider and to proxy the requests via the Evergreen server (while enabling the configuration bits for API key etc to be configured in opensrf.xml).
I will kill my branch accordingly.
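A check for the condition this bug describes, added here as an illustration and not part of the bug report or of Evergreen's code: it scans rendered HTML for subresources hardcoded to `http://` and separates active content (scripts, stylesheets, frames) from passive content (images, media). The `scan` function, the tag lists and the sample hosts are assumptions made for the example.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that load subresources, grouped by how browsers
# classify them when the page itself is served over HTTPS.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attr_map = {k: (v or "") for k, v in attrs}
        # <link> only fetches active content when it is a stylesheet.
        if tag == "link" and "stylesheet" not in attr_map.get("rel", "").lower().split():
            return
        for name, value in attr_map.items():
            url = value.strip()
            # https:// and protocol-relative (//host/x) URLs do not downgrade.
            if not url.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue  # e.g. <a href>, which is navigation, not a subresource
            self.findings.append((self.getpos()[0], kind, tag, url))

def scan(html):
    """Return (line, kind, tag, url) for every hardcoded http:// subresource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the hosts are placeholders, not Evergreen's real markup.
SAMPLE = """<html><head>
<script src="http://books.example.org/jsapi"></script>
<script src="https://books.example.org/jsapi"></script>
<script src="//cdn.example.org/lib.js"></script>
<link rel="stylesheet" href="http://static.example.org/skin.css">
</head><body>
<a href="http://example.org/help">Help</a>
<img src="http://covers.example.org/jacket.jpg">
</body></html>"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Run over the HTML served for search results and record details, the active findings are the ones that trigger the browser warning on an HTTPS page.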