cwrc / CWRC-GitWriter-Docker

Docker Compose orchestrated CWRC-Writer with included GitHub connector, NERVE, and Validation service
GNU General Public License v3.0

Secured connection (https) is gone when using a permalink #4

Open lucaju opened 4 years ago

lucaju commented 4 years ago

Secured connection (https) is gone when using a permalink.

Example: https://dev-cwrc-writer.cwrc.ca/?githubPath=issues%2FCWRC-WriterBase%2F253&githubRepo=ilovan%2FGit-Writer-tests

This might have something to do with Traffik's routers configuration.

lucaju commented 4 years ago

This seems to happen when there is a call to an HTTP resource from within the document. In this specific case, there are two calls for images, one of which is http://cwrc.ca/templates/images/book1.gif The image is embedded in the document but I couldn't find the reference to it. @ilovan, any idea?

Don't know how to prevent that behaviour either. @ajmacdonald, any idea?

ilovan commented 4 years ago

The images are referenced in the CSS with http URLs. Not a problem in the long run for Orlando documents, but we should make note of it if the problem occurs with other schema-css pairs.

ilovan commented 4 years ago

It's the same when the image is referenced in the pb element (for side-by-side display) see https://cwrc-writer.cwrc.ca/?githubPath=document.xml&githubRepo=ilovan%2FT.S.-Eliot---Old-Possum-s-Book-of-Practical-Cats-first-three-poems-

It might be worthwhile if you guys investigate it further, if there are security concerns for the users.

ajmacdonald commented 4 years ago

So this is an example of mixed content. The fix is to specify HTTPS URLs instead of HTTP. I don't think there's much else that can be done about this.

SusanBrown commented 4 years ago

Given that images could be put in a GitHub repo if nowhere else, then this isn’t insurmountable, is it? But it will need to be well documented.

(If I’m not understanding the situation well enough then don’t take a ton of time explaining—I don’t want to mess up the channels of communication.)

On Apr 15, 2020, at 1:20 PM, Andrew notifications@github.com wrote:

So this is an example of mixed content https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content. The fix is to specify HTTPS URLs instead of HTTP. I don't think there's much else that can be done about this.


lucaju commented 4 years ago

Found another source of HTTPS security breach: when using lookups, there are requests to preview the entity directly in the source page. For instance, when mousing over a DBPedia entity.

lucaju commented 4 years ago

@ilovan Can you update the link of these images on the CSS? Instead of HTTP use HTTPS. e.g.: http://cwrc.ca/templates/images/book1.gif -> https://cwrc.ca/templates/images/book1.gif Check if there are other images with the same issue.

lucaju commented 4 years ago

These are in the Orlando CSS file. I wonder if other CSSs also have images with http.
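The thread's fix is to find every http:// reference that a stylesheet (or a document's pb element) pulls into the HTTPS page and change it to https://. The script below is an added example, not code from the cwrc/CWRC-GitWriter-Docker project or from any commenter: it scans text for insecure URLs, reports them with their line number so they can be reviewed, and rewrites them. The sample CSS and XML are constructed here in the style of the Orlando CSS and TEI pb element mentioned above; the filenames and the facs attribute value are assumptions.

```javascript
// Added example (not part of the cwrc/CWRC-GitWriter-Docker project): detect and
// upgrade http:// references that would cause mixed content on an HTTPS page.

// Constructed sample stylesheet, modelled on the thread's Orlando CSS problem.
// Line 1 and line 3 are the insecure references; lines 5 and 6 are fine.
const SAMPLE_CSS = [
  '@import url("http://cwrc.ca/templates/base.css");',
  'div.book::before {',
  "  content: url('http://cwrc.ca/templates/images/book1.gif');",
  '}',
  'div.secure { background: url(https://cwrc.ca/templates/images/ok.png); }',
  'div.relative { background: url(//cwrc.ca/templates/images/rel.png); }',
].join('\n');

// Constructed sample of an image referenced from a pb element (facs value is assumed).
const SAMPLE_XML = '<pb n="3" facs="http://cwrc.ca/templates/images/page3.jpg"/>';

// Matches a plain http:// URL up to the first whitespace, quote or closing paren.
// "https://" is not matched because "\bhttp:" requires the colon right after "http".
const HTTP_URL_RE = /\bhttp:\/\/[^\s'")]+/g;

// Returns [{ line, url }] for every insecure reference, 1-based line numbers,
// so a reviewer can check each host actually serves HTTPS before rewriting.
function findInsecureUrls(text) {
  const hits = [];
  text.split('\n').forEach((lineText, idx) => {
    for (const m of lineText.matchAll(HTTP_URL_RE)) {
      hits.push({ line: idx + 1, url: m[0] });
    }
  });
  return hits;
}

// Rewrites every http:// scheme to https://. Only safe once the hosts found by
// findInsecureUrls are known to answer on HTTPS; a host without TLS would simply
// stop loading instead of loading insecurely.
function upgradeInsecureUrls(text) {
  return text.replace(/\bhttp:\/\//g, 'https://');
}

// Stand-alone demonstration.
for (const [name, text] of [['orlando.css', SAMPLE_CSS], ['document.xml', SAMPLE_XML]]) {
  for (const hit of findInsecureUrls(text)) {
    console.log(`${name}:${hit.line}: insecure reference ${hit.url}`);
  }
}
console.log('--- upgraded CSS ---');
console.log(upgradeInsecureUrls(SAMPLE_CSS));
```

Protocol-relative URLs (//host/path) are left alone because they inherit the page's scheme and do not trigger mixed content. The rewrite is deliberately split from the scan so that the list of hosts can be checked first; a browser-side alternative that does not touch the files at all is the Content-Security-Policy directive upgrade-insecure-requests, which makes the browser request https:// for any http:// subresource.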

lucaju commented 3 years ago

@ilovan If you find any other http please replace it with https