Subpage https://kubuntu.org/getkubuntu/ shows mixed content warnings

Bug #1714446 reported by Hanno Böck
This bug affects 1 person
Affects: Kubuntu Website
Importance: Undecided
Assigned to: Unassigned

Bug Description

The page
https://kubuntu.org/getkubuntu/
gets a degraded security warning in browsers, because it contains mixed content (unprotected HTTP content within an HTTPS webpage).

The reason is a stylesheet included from Google:
<link rel='stylesheet' id='google-fonts-style-css' href='http://fonts.googleapis.com/css?family=Oxygen%3A400%2C300%2C700&#038;ver=4.8.1' type='text/css' media='all' />

Google of course supports HTTPS, so this can be easily avoided. Change this to either an HTTPS URL or a protocol-relative URL like this:
<link rel='stylesheet' id='google-fonts-style-css' href='//fonts.googleapis.com/css?family=Oxygen%3A400%2C300%2C700&#038;ver=4.8.1' type='text/css' media='all' />

A second http reference in the header is this:
 <link rel="profile" href="http://gmpg.org/xfn/11" />

This URL also seems to be available over HTTPS, so you can also change it.

Clive Johnston (clivejo-deactivatedaccount) wrote :

The same CSS and profile links are embedded in the "home page" and other pages as well; however, these don't get a degraded security warning.

I'm pretty sure this is related more to the <form> calls to the insecure http://cdimage.ubuntu.com site. We will have to try and convince Canonical to install an SSL cert on cdimage.ubuntu.com so that we can use https in these form calls (they direct the visitor to the correct ISO on cdimage.ubuntu.com).

Clive Johnston (clivejo-deactivatedaccount) wrote :

I have temporarily removed the <form> elements and replaced them with linked buttons and it seems to resolve the issue.

It isn't a very pretty solution so would welcome any help in making it better / easier to navigate.

Hanno Böck (hanno-hboeck) wrote :

Ultimately the solution is to support https on cdimage.ubuntu.com.

Apart from that I'd still recommend changing the stylesheet and profile links, even though it turned out they weren't the cause of the warning here.

Clive Johnston (clivejo-deactivatedaccount) wrote :

Unfortunately there are implications to enabling https support on cdimages.ubuntu.com. Many people use zsync and the use of https would stop that from working, plus the site is owned and operated by Canonical, so it is really up to them if they want to do it or not.

Yes, the links do ideally need to be changed, but will take time to complete as it seems to be coming from the theme (this needs FTP access which I don't have).
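
An added example, not part of the original report or of the Kubuntu site's code: a small Python scanner that lists the plain-HTTP references in an HTTPS page and separates the three kinds discussed in this thread, namely fetched subresources such as the stylesheet, links the browser does not fetch such as rel="profile", and form actions. The sample markup is constructed: the first two <link> tags are quoted from the report, while the third tag and the form's action URL are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel values that make the browser fetch the href as a subresource.
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload", "manifest"}
# Tags whose src attribute is loaded as part of the page.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed", "track"}

class MixedContentFinder(HTMLParser):
    """Collects (kind, tag, url) for plain-HTTP references found in an HTTPS page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def _insecure(self, url):
        # Resolve relative and protocol-relative URLs against the page first.
        return urlsplit(urljoin(self.page_url, url)).scheme == "http"

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and a.get("href") and self._insecure(a["href"]):
            rels = set(a.get("rel", "").lower().split())
            kind = "subresource" if rels & FETCHING_RELS else "not-fetched"
            self.findings.append((kind, tag, a["href"]))
        elif tag in SRC_TAGS and a.get("src") and self._insecure(a["src"]):
            self.findings.append(("subresource", tag, a["src"]))
        elif tag == "form" and a.get("action") and self._insecure(a["action"]):
            self.findings.append(("insecure-form", tag, a["action"]))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: first two <link> tags are from the report; the rest is assumed.
SAMPLE = """
<link rel='stylesheet' id='google-fonts-style-css' href='http://fonts.googleapis.com/css?family=Oxygen%3A400%2C300%2C700&#038;ver=4.8.1' type='text/css' media='all' />
<link rel="profile" href="http://gmpg.org/xfn/11" />
<link rel='stylesheet' href='//fonts.googleapis.com/css?family=Oxygen' />
<form action="http://cdimage.ubuntu.com/" method="get"></form>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://kubuntu.org/getkubuntu/", SAMPLE):
        print(f"{kind:14} <{tag}> {url}")
```

The protocol-relative stylesheet link is not reported because it resolves to HTTPS when the page itself is served over HTTPS.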
