hotosm / osm-tasking-manager2

Designed and built for Humanitarian OpenStreetMap Team collaborative emergency/disaster mapping, the OSM Tasking Manager 2.0 divides an area into individual squares that can be rapidly mapped by thousands of volunteers.
http://tasks.hotosm.org

Serve http://tasks.hotosm.org over TLS #988

Closed sjparkinson closed 5 years ago

sjparkinson commented 7 years ago

Currently the main site only works over plain text, while OpenStreetMap works over TLS.

As described in https://github.com/openstreetmap/iD/issues/3771, this is causing a mixed content warning when using the iD editor for loading boundaries.

Mixed Content: The page at 'https://www.openstreetmap.org/edit?editor=id&#map=18/-18.7024446936/30.4725…' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://tasks.hotosm.org/project/3182/task/669.gpx'. This request has been blocked; the content must be served over HTTPS.

With free services like Let's Encrypt and CloudFlare, it'd be great to serve the site with a certificate.

LivInTheLookingGlass commented 7 years ago

Same bug in the US task manager

LivInTheLookingGlass commented 6 years ago

@pgiraud, this is kind of mission critical. iD is basically unusable in the current configuration.

sjparkinson commented 6 years ago

The reason I had issues was because I was using the "HTTPS Everywhere" extension, which includes rules for Open Street Map, so even though the task manager uses http:// links they were being upgraded to https://.

grischard commented 6 years ago

I'd like to underline that this doesn't mean that all of tasks.hotosm.org must be served over https, although that's certainly possible. It means that https must be at least enabled if the boundaries are to be reliably shown in iD.

sjparkinson commented 6 years ago

Worth pointing out that the session cookie is currently being passed over plain text, and I'd guess also the oauth token returned from the Open Street Map login.

Trivial to capture at mapathons using unsecured WiFi access points. All good reasons why the site should be https:// only.

There's never a good reason to only partially serve a site over https:// these days.

I think this issue needs moving to https://github.com/hotosm/tasking-manager however.
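The two problems raised in this thread, the mixed-content block on the iD boundary request and the session cookie travelling without the Secure attribute, can both be caught from a captured response before the site goes live. The script below is an added example written for this discussion, not code from the Tasking Manager project; the hostnames, paths and cookie values are constructed placeholders, and the audit is run on an inline HTML sample and a list of Set-Cookie headers rather than on a live site.

```python
"""Added example (not from the hotosm issue thread): audit a captured HTTPS
page and its Set-Cookie headers for mixed content and non-Secure cookies."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample: an editor page served over HTTPS that pulls a
# task-manager resource over plain http (all hostnames are placeholders).
PAGE_URL = "https://editor.example.org/edit"
PAGE_HTML = """
<html><body>
<script src="https://editor.example.org/app.js"></script>
<script src="http://tasks.example.org/static/boundary.js"></script>
<img src="//cdn.example.org/logo.png">
<a href="http://tasks.example.org/project/1">project</a>
<link rel="stylesheet" href="http://tasks.example.org/style.css">
</body></html>
"""

# Constructed sample Set-Cookie headers as a server might return them.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",
    "csrf=deadbeef; Path=/; Secure; SameSite=Lax",
]

# Tag/attribute pairs that cause the browser to fetch a sub-resource.
# An <a href> is a navigation, not a sub-resource, so it is not mixed content.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every sub-resource reference in the page."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def find_mixed_content(page_url, html):
    """Return (tag, absolute_url) for sub-resources an HTTPS page would load over http.

    A page served over plain http cannot have mixed content, so it yields nothing.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _ResourceCollector()
    collector.feed(html)
    flagged = []
    for tag, ref in collector.resources:
        # urljoin resolves relative and scheme-relative ("//host/...") refs
        # against the page URL, so those inherit https and are not flagged.
        absolute = urljoin(page_url, ref)
        if urlsplit(absolute).scheme == "http":
            flagged.append((tag, absolute))
    return flagged


def find_insecure_cookies(set_cookie_headers):
    """Return names of cookies set without the Secure attribute.

    Without Secure the browser will also send the cookie on any http://
    request to the same host, which is what exposes it on open Wi-Fi.
    """
    insecure = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                insecure.append(name)
    return insecure


if __name__ == "__main__":
    for tag, url in find_mixed_content(PAGE_URL, PAGE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
    for name in find_insecure_cookies(SET_COOKIE_HEADERS):
        print(f"cookie without Secure attribute: {name}")
```

The mixed-content check deliberately ignores `<a href>` links: following one is a navigation, which browsers allow, whereas the script and stylesheet references are fetched into the page and are exactly the kind of request the console message in the first post reports as blocked. Running the audit against the whole site with a redirect from http:// to https:// in place, plus the Secure attribute on the session cookie, covers both points raised above.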