search

Triply-Dev / YASGUI.YASQE-deprecated

Deprecated, see https://github.com/TriplyDB/Yasgui for the Yasgui monorepo
MIT License
73 stars 36 forks source link

Cannot be embedded in https site #77

Closed danmichaelo closed 8 years ago

danmichaelo commented 8 years ago

I get an error when trying to use YASQE on a https site:

snip

Caused by the attempt to fetch //prefix.cc/popular/all.file.json. There is an issue on adding proper https support for prefix.cc at https://github.com/cygri/prefix.cc/issues/20 . But perhaps it could be a good idea to make the url a configurable option in any case? There's probably cases where you would like to fetch the list from a local copy for security reasons.

LaurensRietveld commented 8 years ago

Would making this prefix set to http not create a warning as well, i.e. that you are accessing a non-secure site from a secure one? Or is that warning less intrusive than the popup you currently experience?

LaurensRietveld commented 8 years ago

I just tested this from an https website manually (see code below), and both a '//' request as an 'http://' request fail. Would it really solve your problem when you can change the schema of this request url?


var xhr = new XMLHttpRequest();
xhr.open('GET', '//prefix.cc/popular/all.file.json', true);
xhr.onload = function(e) {
  console.log(JSON.parse(this.response));
}
xhr.send();

>>> ERROR: GET https://prefix.cc/popular/all.file.json net::ERR_INSECURE_RESPONSE

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://prefix.cc/popular/all.file.json', true);
xhr.onload = function(e) {
  console.log(JSON.parse(this.response));
}
xhr.send();

>>> ERROR: Mixed Content: The page at '...some-https-page-where-i-ran-this-script-from' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://prefix.cc/popular/all.file.json'. This request has been blocked; the content must be served over HTTPS.(anonymous function) @ VM99:7InjectedScript._evaluateOn @ VM94:875InjectedScript._evaluateAndWrap @ VM94:808InjectedScript.evaluate @ VM94:664
cygri commented 8 years ago

I think @danmichaelo means to make the entire URL configurable, so that a copy of the JSON file can be fetched from his own host instead of prefix.cc. This sounds like a good idea, not just because of the HTTPS issue at prefix.cc, but also because it could take load off prefix.cc.

danmichaelo commented 8 years ago

@cygri : correct, thanks.

LaurensRietveld commented 8 years ago

Ah, I understand, having this configurable makes sense. I'll take a look

LaurensRietveld commented 8 years ago

This is fixed in the most recent version (2.8.4). To modify the url, set YASQE.Autocompleters.prefixes.fetchFrom to another one (before initializing YASQE, that is)

danmichaelo commented 8 years ago

Great, thanks!