roller-commits mailing list archives

From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ROL-1998) Allow both HTTP and HTTPS by using // instead of schema://
Date Thu, 10 Apr 2014 22:57:17 GMT

    [ https://issues.apache.org/jira/browse/ROL-1998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13965965#comment-13965965 ]

Glen Mazza commented on ROL-1998:
---------------------------------

Hi Matt, one concern I have about this is some people, seeing how Roller is casually allowing
both HTTPS and HTTP without any apparent effort to redirect to the blog owner's desired scheme,
might think that Roller was not coded securely, that it could be prone to security holes.
 What Roller would gain in flexibility could come at a larger price regarding its reputation
for security--the problem with allowing both schemes instead of redirecting to one or the
other is that who's to say that the blog owner didn't require one scheme in his Roller config
and that Roller isn't erroneously allowing both?

I think the options that Roller provides today are pretty good:  (1) all http, (2) all https,
or (3) http for readers + just the secure pages (login, admin, etc.) on https for the blogger.
(3) already allows the blog reader to read with zippy http while the blogger uses
https://; I don't see much use case of allowing the blog reader to upgrade to SSL when the
blog owner has specified http://.  It couldn't be confidentiality, because if he's writing
a blog comment it's going to be viewable to the world after he submits it anyway, otherwise
he's just reading so shouldn't care about security.

That said, I might be behind the curve with the new "scheme-less" URLs and any other modern
benefits they offer.

> Allow both HTTP and HTTPS by using // instead of schema://
> ----------------------------------------------------------
>
>                 Key: ROL-1998
>                 URL: https://issues.apache.org/jira/browse/ROL-1998
>             Project: Apache Roller
>          Issue Type: Improvement
>          Components: User Interface - General
>    Affects Versions: 5.0.3
>            Reporter: Matt Raible
>            Assignee: Roller Unassigned
>
> On http://raibledesigns.com, I'd love to be able to serve up my site with both HTTP and
> HTTPS. I've found that the easiest way to do this (in a web browser) is to use schema-less
> URLs (// instead of http://). However, many of the Roller macros use the Absolute URL's value
> to construct their URL.
> I tried using "//raibledesigns.com" as an absolute URL, but this didn't work. You can
> see the issues I encountered on the Roller mailing list:
> http://markmail.org/message/wpmqspvapb2p5lx5
> As a workaround for many URLs, I was able to append ".replace('https://', '')" in my
> theme. However, there were a number of them I was unable to change b/c they're embedded in
> macros.
> Atom/RSS Feeds
> OpenSearch
> Category Links (#showWeblogCategoryLinksList)
> Page Links (#showPageMenu)
> Recent Entries (#showWeblogEntryLinksList)
> Read More
> RDF Comment
> $url.home
> $url.feed.entries.atom
> $url.tag
> For Atom/RSS feeds, I can see why the Absolute URL is important. However, for the HTML-rendered
> version, it'd be great if the schema from the browser's address bar could be used.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
