search

Indicia-Team / media

Shared library of JavaScript code,
0 stars 2 forks source link

Secure map tiles #7

Closed studio4 closed 6 years ago

studio4 commented 6 years ago

Can I suggest that /media/js/OpenLayers.js be updated to reference secure map tiles e.g.

url:['http://a.tile.openstreetmap.org/${z}/${x}/${y}.png','http://b.tile.openstreetmap.org/${z}/${x}/${y}.png','http://c.tile.openstreetmap.org/${z}/${x}/${y}.png']

be updated to

url:['https://a.tile.openstreetmap.org/${z}/${x}/${y}.png','https://b.tile.openstreetmap.org/${z}/${x}/${y}.png','https://c.tile.openstreetmap.org/${z}/${x}/${y}.png']

This applies to all map tiles referenced by http.

All major browsers warn of mixed content and there is a drive to serve all content over SSL connections as part of the secure web helped significantly with the rise of 'free' SSL providers like Lets Encrypt.

I think this should be a relatively simple change and it is backwards compatible with sites served over http.

Hope this makes sense.

JimBacon commented 6 years ago

Definitely agree with the move to https and had a problem with Google maps myself this afternoon.

For OSM, it looks to me like you can supply the url you want as an option rather than having to change the library code. See the url option at http://dev.openlayers.org/docs/files/OpenLayers/Layer/OSM-js.html. There is also a protocol option for Bing maps (http://dev.openlayers.org/docs/files/OpenLayers/Layer/Bing-js.html). Not seeing anything about Google just now.

studio4 commented 6 years ago

Hi Jim,

You'll know better than me what's involved in migrating over to https, I hadn't realised there was also documentation to update. Using the url option is a good workaround for now but I wonder if it might be an option to add this to change to a roadmap as I think the default should perhaps be to request images over SSL.

Many thanks Andy

JimBacon commented 6 years ago

In the shorter term I see that changes to the way we call OpenLayers could use the available options to default to https.

In the longer term it would be great to move to the latest OpenLayers version (4.2 as of today) I see it uses https by default for OSM (http://openlayers.org/en/latest/apidoc/ol.source.OSM.html). This would be a pretty big undertaking though.

I was just wondering how iRecord gets Google Maps by https. I see the site I was working on earlier has an out of date version of the client_helpers. The Google Maps script resource is defined with the code 

$protocol = empty($_SERVER['HTTPS']) || $_SERVER['HTTPS']==='off' ? 'http' : 'https';
   ...
'googlemaps' => array('javascript' => array("$protocol://maps.google.com/maps/api/js?v=3" .
      (empty(self::$google_maps_api_key) ? '' : '&key=' . self::$google_maps_api_key))),
johnvanbreda commented 6 years ago

@JimBacon Are you planning on implementing the changes to the way we load the OSM layers? Let me know if you'd prefer I tackle it.

JimBacon commented 6 years ago

I can't make time to work on this currently.

jbrueck commented 6 years ago

You could handle this from within jquery.indiciaMapPanel:

osm_thunder : function () {return new OpenLayers.Layer.OSM("Topografie", [
        "https://a.tile.thunderforest.com/landscape/${z}/${x}/${y}.png",
               "https://b.tile.thunderforest.com/landscape/${z}/${x}/${y}.png",
               "https://c.tile.thunderforest.com/landscape/${z}/${x}/${y}.png"] ....

So there is no need to change OpenLayers.js

johnvanbreda commented 6 years ago

I've switched to https on the standard OSM tile layer rather than the thunderforest one as the latter requires a map key (though is very nice).