magento / magento2

http://www.magento.com
Open Software License 3.0

LocalStorage is not the same on HTTP and HTTPS hosts #2029

Closed andreymoskvenkov closed 9 years ago

andreymoskvenkov commented 9 years ago

The LocalStorage database is completely different between HTTP and HTTPS hosts. As a result: if I call JavaScript code like "customerData.invalidate(['cart']);" from an HTTPS page, it will set the "cart" value only into the HTTPS localStorage. But the HTTP LocalStorage object will still contain old values and will not know about any keys which need to be reloaded from the server. We get such an issue on our store randomly, because usually when the customerData.invalidate(sections); code is called, it reloads the information from the server in the nearest Ajax call, and then the cookie version is updated to a higher value. And then when I open an HTTP page, it checks the version of the storage against the version from the cookies and also reloads the records from the server. But such logic does not always work. I think it works only when "customerData.reload(...)" is called after "customerData.invalidate(...);". If we just add a key into the localStorage for invalidation, then it will not work for both HTTP and HTTPS storages. I think one option is to remove the code:

var storageInvalidation = $.initNamespaceStorage('mage-cache-storage-section-invalidation').localStorage;

and to collect invalidated keys in cookies, because only cookies may be shared between HTTP and HTTPS.

The file is: app/code/Magento/Customer/view/frontend/web/js/customer-data.js

Maybe we need to version each local storage key and keep the latest versions in cookies, or to remove the ability to reload localStorage records by key and leave only the global version of the entire storage. And if it is different, then reload all keys via Ajax.
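The behaviour described in this report can be modelled outside a browser. The following is an added example, not Magento's customer-data.js and not code from anyone in this thread: it simulates localStorage partitioned per origin (scheme + host + port) and a cookie jar keyed by host, then shows that an invalidation flag written into the HTTPS origin's storage is invisible to the HTTP origin, while a per-section version carried in a cookie is seen by both. The origins `https://shop.example` / `http://shop.example`, the section names and the cookie name are constructed for the demo. One caveat for a practitioner: a cookie that both schemes can read cannot carry the `Secure` attribute, so it is also readable on a plaintext connection, which is the trade-off of mixed mode that the thread alludes to.

```javascript
// Added example (not Magento's code): why a localStorage invalidation flag
// written on https://shop.example is invisible on http://shop.example, and how
// a cookie-carried per-section version bridges the two origins.
// Browser storage is keyed by origin (scheme + host + port); cookies are keyed
// by host (and path), so a cookie without the Secure attribute is visible to
// both schemes. Origins, section names and the cookie name are constructed.

// One localStorage per origin, as a browser partitions it.
const stores = new Map();
function localStorageFor(origin) {
  if (!stores.has(origin)) stores.set(origin, new Map());
  return stores.get(origin);
}

// One cookie jar per host, shared by HTTP and HTTPS pages of that host.
const jars = new Map();
function cookiesFor(origin) {
  const host = new URL(origin).host;
  if (!jars.has(host)) jars.set(host, new Map());
  return jars.get(host);
}

// --- Approach 1 (the behaviour reported above): invalidation keys kept in
// localStorage. Each origin only ever sees its own list.
function invalidateViaStorage(origin, sections) {
  const ls = localStorageFor(origin);
  const pending = new Set(JSON.parse(ls.get('section-invalidation') || '[]'));
  sections.forEach(s => pending.add(s));
  ls.set('section-invalidation', JSON.stringify([...pending]));
}
function pendingViaStorage(origin) {
  return JSON.parse(localStorageFor(origin).get('section-invalidation') || '[]');
}

// --- Approach 2 (the direction proposed above): per-section versions kept in
// a host-scoped cookie; each origin compares its cached versions against the
// cookie and reloads whatever is stale.
const VERSION_COOKIE = 'section-versions'; // constructed cookie name
function invalidateViaCookie(origin, sections) {
  const jar = cookiesFor(origin);
  const versions = JSON.parse(jar.get(VERSION_COOKIE) || '{}');
  sections.forEach(s => { versions[s] = (versions[s] || 0) + 1; });
  jar.set(VERSION_COOKIE, JSON.stringify(versions));
}
function staleSections(origin) {
  const cookieVersions = JSON.parse(cookiesFor(origin).get(VERSION_COOKIE) || '{}');
  const cached = JSON.parse(localStorageFor(origin).get('cached-versions') || '{}');
  return Object.keys(cookieVersions).filter(s => (cached[s] || 0) < cookieVersions[s]);
}
// Stands in for the Ajax reload: once data is refreshed, adopt the cookie versions.
function reloadSections(origin, sections) {
  const ls = localStorageFor(origin);
  const cookieVersions = JSON.parse(cookiesFor(origin).get(VERSION_COOKIE) || '{}');
  const cached = JSON.parse(ls.get('cached-versions') || '{}');
  sections.forEach(s => { cached[s] = cookieVersions[s] || 0; });
  ls.set('cached-versions', JSON.stringify(cached));
}

// Walks both approaches: invalidate 'cart' from the HTTPS page, then look at
// what the HTTP page of the same host can see.
function demo() {
  const https = 'https://shop.example';
  const http = 'http://shop.example';
  invalidateViaStorage(https, ['cart']);
  const seenByHttpViaStorage = pendingViaStorage(http); // [] : separate origin
  invalidateViaCookie(https, ['cart']);
  const staleOnHttp = staleSections(http);              // ['cart'] : host-scoped cookie
  reloadSections(http, staleOnHttp);
  return { seenByHttpViaStorage, staleOnHttp, staleAfterReload: staleSections(http) };
}
```

Calling `demo()` returns `seenByHttpViaStorage` empty (the HTTPS-side flag never reaches the HTTP origin) and `staleOnHttp` equal to `['cart']`, which empties again after the simulated reload; the HTTPS origin's own storage still holds `['cart']` in its invalidation list.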

piotrekkaminski commented 9 years ago

internal issue MAGETWO-43652

antonkril commented 9 years ago

Why do you use mixed mode (HTTP&HTTPS)?

andreymoskvenkov commented 9 years ago

Because Magento allows it. Magento has "secure_base_url" and "unsecure_base_url" settings. I am using them.

antonkril commented 9 years ago

I was curious what the reasons are to choose mixed mode over full HTTPS. Mixed mode does not protect against MITM attacks.

andreymoskvenkov commented 9 years ago

Yeah, let's talk about sense of life in this ticket instead of just fixing a problem...

Magento 2 has 2 settings: "secure_base_url" and "unsecure_base_url". These settings do not work if you put different URLs there. Therefore maybe a reason is to make one setting: base_url? I think the question about the reason for using multi-protocol mode is out of scope of this ticket. This ticket was created because Magento2 has a feature which allows us to configure our store with secure pages and unsecure pages on the HTTPS and HTTP protocols respectively. This feature does not work. There are 2 ways of fixing this: 1 - remove this feature from the application or 2 - fix it. Does it make sense?

piotrekkaminski commented 9 years ago

@antonkril the mixed mode is used for compatibility with existing sites. There are SEO implications of switching to full-HTTPS and it is not something all companies are willing to do right now. If this feature exists and it doesn't work - it needs to be fixed.

antonkril commented 9 years ago

The issue is already being processed by the team and I'm not trying to argue the validity of the issue.

The mixed mode feature is present in Magento 2 because of the reasons described by @piotrekkaminski. But I want to make sure that you are aware of the security issues of mixed mode and, if yes, whether your reasons to use it are the same as described by Piotr.

andreymoskvenkov commented 9 years ago

No, my reason is only to make the product better. We are fine in switching the entire store to HTTPS for now.

irenelagno commented 9 years ago

@andreymoskvenkov, the internal ticket is fixed and already available in the develop branch. Please check the fix; if something doesn't work for you, feel free to reopen this issue.

andreymoskvenkov commented 9 years ago

Thanks! The fix looks good to me. We will check this fix if our client wants to switch the store to mixed mode. For now he is ok with using the HTTPS-everywhere solution.