linkedpipes / dcat-ap-viewer

Viewer of DCAT-AP 2.0.1 compatible dataset metadata
MIT License

Links to download do not always work in Chrome #267

Closed jakubklimek closed 3 years ago

jakubklimek commented 3 years ago

Initially, I thought this was caused by links leading to HTTP, not HTTPS targets. However, now even a link to an HTTPS target does not work - see this dataset. Maybe it has something to do with target="_blank"?

Or, it could be that the target server has problems with https

skodapetr commented 3 years ago

Well, that is easy to check: you can just edit the HTML and see that still nothing happens, tested with 91.0.4472.164. In addition, it seems to work fine with Firefox 90.0.2, so it may be Chrome specific.

Removing the _blank allows you to see the error message in the console: Mixed Content: The site at 'https://data.gov.cz/' was loaded over a secure connection, but the file at 'http://eagri.cz/public/app/vodev/oblasti_povodi/download/Mezinarodni_a_dilci_povodi_CR.zip' was loaded over an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.

Using curl -v we can see more details that highlight the use of HTTP:

*   Trying 185.17.215.168:443...
* TCP_NODELAY set
* Connected to eagri.cz (185.17.215.168) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=eagri.cz
*  start date: Dec  1 00:00:00 2020 GMT
*  expire date: Jan  1 23:59:59 2022 GMT
*  subjectAltName: host "eagri.cz" matched cert's "eagri.cz"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify ok.
> GET /public/app/vodev/oblasti_povodi/download/Mezinarodni_a_dilci_povodi_CR.zip HTTP/1.1
> Host: eagri.cz
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 302 Found
< Location: http://eagri.cz/public/app/vodev/oblasti_povodi/download/Mezinarodni_a_dilci_povodi_CR.zip
< Server: BigIP
* HTTP/1.0 connection set to keep alive!
< Connection: Keep-Alive
< Content-Length: 0
<
* Connection #0 to host eagri.cz left intact

So in fact it does not download from HTTPS but redirects the user to HTTP.
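
As an added example (not code from the dcat-ap-viewer project or from this thread), a small Python check that reads the server's reply out of a curl -v trace like the one above and flags the HTTPS-to-HTTP redirect that Chrome treats as mixed content; the embedded trace is a constructed copy of the response lines and the function names are my own.

```python
from urllib.parse import urljoin, urlparse

# Constructed sample: the "< " response lines curl printed for the download
# URL above (copied here as test data, not fetched live).
SAMPLE_TRACE = """\
< HTTP/1.0 302 Found
< Location: http://eagri.cz/public/app/vodev/oblasti_povodi/download/Mezinarodni_a_dilci_povodi_CR.zip
< Server: BigIP
< Connection: Keep-Alive
< Content-Length: 0
<
"""


def parse_curl_response(trace):
    """Return (status_code, headers) from the '< ' lines of a curl -v trace."""
    status = None
    headers = {}
    for raw in trace.splitlines():
        if not raw.startswith("<"):
            continue  # skip request ('>') and info ('*') lines
        line = raw[1:].strip()
        if not line:
            break  # the empty "<" line ends the header block
        if status is None:
            status = int(line.split()[1])  # "HTTP/1.0 302 Found" -> 302
        elif ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_download_redirect(request_url, status, headers):
    """Classify a response to a download requested over HTTPS.

    Returns "mixed-content-downgrade" when a redirect sends an https://
    request to an http:// target (the case Chrome blocks), "no-redirect-target"
    for a redirect without Location, and "ok" otherwise.
    """
    if status not in (301, 302, 303, 307, 308):
        return "ok"
    location = headers.get("location")
    if location is None:
        return "no-redirect-target"
    target = urljoin(request_url, location)  # Location may be relative
    if urlparse(request_url).scheme == "https" and urlparse(target).scheme == "http":
        return "mixed-content-downgrade"
    return "ok"


if __name__ == "__main__":
    url = "https://eagri.cz/public/app/vodev/oblasti_povodi/download/Mezinarodni_a_dilci_povodi_CR.zip"
    status, headers = parse_curl_response(SAMPLE_TRACE)
    print(status, check_download_redirect(url, status, headers))
```

The same check can be pointed at any dataset distribution URL to find publishers whose HTTPS endpoints bounce to HTTP before the viewer links to them.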

jakubklimek commented 3 years ago

OK, so this is a really bad practice on the publisher's side and Chrome is right not to download the file.