force SSL for requests coming from chrome (that is, local xul, not Google's browser:)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Undecided | Unassigned |
Bug Description
There's an Evergreen site that would like to be able to force SSL for the entire staff client. I can almost do this entirely with Apache using something like:
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https:/
Some improvements would be to restrict this to the /xul directory, and/or make it optional based on some condition like cookies or user agent strings so that the client itself could decide whether to toggle it on or off from the login window. Their main use-case is not actually security, but getting through a transparent proxy that neuters the "dangerous" staff client JavaScript.
Assuming I tighten that down, my other problem is that such rewrites break remote requests from local XUL, which aren't being sent with SSL. There are two things I'd like to do here if there are no objections, even for people who opt not to enable SSL for everything through Apache (because it defeats caching, performance suffers, etc.):
* Modify RemoteRequest.js so that it converts a request URL to https:// if the location of the request is chrome://. It already does this if the location is https://.
* Modify util/network.js such that secure is assumed if older invocations of .request are used instead of .simple_request. simple_request actually looks for a secure flag for a given API call in constants.js, but request does not.
Justification is that there are very few calls coming from local XUL, it makes those calls more secure, and it helps me do the Apache thing. :-)
Branch coming in a moment....
Changed in evergreen: status: Fix Committed → Fix Released
collab/phasefx/ssl_login @ working/Evergreen.git
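The first proposed change (convert a request URL to https:// when the requesting document is chrome:// or https://), sketched as an added example; this is not Evergreen's RemoteRequest.js and not code from the branch. The names `upgradeRequestUrl` and `serverHost`, the example.org URLs and the decision to drop an explicit port are assumptions, and the sketch goes slightly beyond the description by also resolving relative request paths.

```javascript
// Added example: all names are hypothetical, not Evergreen's RemoteRequest.js.
// Document schemes whose remote requests must go over TLS.
const FORCE_TLS_FROM = new Set(['chrome:', 'https:']);

// Scheme of the calling document, lower-cased (e.g. "chrome:").
// A regex is used so the check does not depend on how a URL parser
// treats the non-network chrome:// scheme.
function schemeOf(href) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(String(href));
  return m ? m[1].toLowerCase() : null;
}

// Returns the URL a remote request should actually use.
// serverHost: the host the client logged in to. Assumed to be known to
// local XUL, because a chrome:// document has no network origin of its own.
function upgradeRequestUrl(requestUrl, documentHref, serverHost) {
  const docScheme = schemeOf(documentHref);
  const forceTls = FORCE_TLS_FROM.has(docScheme);

  // Relative request paths resolve against the server for chrome://
  // documents, and against the document itself otherwise.
  const base = docScheme === 'chrome:' ? `https://${serverHost}/` : documentHref;
  const u = new URL(requestUrl, base);

  // Only plain-http requests are rewritten; other schemes pass through.
  if (forceTls && u.protocol === 'http:') {
    u.protocol = 'https:';
    // Assumption: TLS listens on the default port 443, matching the
    // SERVER_PORT condition in the rewrite rule, so an explicit http
    // port is dropped rather than carried over.
    u.port = '';
  }
  return u.href;
}
```

A document loaded over plain http:// keeps its requests unchanged, so the server-side redirect remains the only enforcement for remote XUL served without SSL.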