marianokit / magento-w2p

Automatically exported from code.google.com/p/magento-w2p

Unsecure items in checkout #192

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
If a Magento user lands on an HTTPS page at the checkout, as they should, the
browser displays a warning that there are unsecured elements. It turns out the
unsecured elements are our thumbs.

We have 2 options: 
1. proxy them through magento with a very long caching life so they are
requested once and then cached locally by the browser

2. download them to magento and store there

I favour [1].

Original issue reported on code.google.com by zetapri...@gmail.com on 28 Apr 2010 at 10:45

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 4 May 2010 at 10:15

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 9 May 2010 at 7:10

GoogleCodeExporter commented 8 years ago

Original comment by Anatoly....@gmail.com on 12 May 2010 at 7:34

GoogleCodeExporter commented 8 years ago
Test it on magedev or mageimage for http mode. Check that everything works.

Original comment by Anatoly....@gmail.com on 14 May 2010 at 5:21

GoogleCodeExporter commented 8 years ago
I tested this the way I thought was right. I placed an order from /mageimage/, went
all the way with the checkout and didn't see any page during the checkout procedure
that has https in the URL; all were plain http.
Tested on FF with "money order" and with "credit card" payment option.

Please give better testing instructions. 

Original comment by agur...@gmail.com on 14 May 2010 at 7:58

GoogleCodeExporter commented 8 years ago
You did everything that I asked :-) The result means that there are no regressions,
at least in http mode.

Original comment by Anatoly....@gmail.com on 14 May 2010 at 9:27

GoogleCodeExporter commented 8 years ago
HTTPS was enabled. You need to get as far as the checkout to see a change to HTTPS.
Note that image uploading isn't working under HTTPS.

Any page can be accessed via HTTPS if the page is accessed via HTTP first and then
the URL is changed to HTTPS.

Make sure that the URLs of all preview/thumb images that come from ZP are actually
coming from the Magento site.

Original comment by zetapri...@gmail.com on 14 May 2010 at 10:23

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 14 May 2010 at 10:28

GoogleCodeExporter commented 8 years ago
Now I can't even log into my customer account. As soon as I click "login" on
/mageimage/ I get the "Unsecured Connection" page (untrusted_connection.png).
If I try to place the order without logging in, I get the same page after I click
"Proceed to checkout".

Original comment by agur...@gmail.com on 14 May 2010 at 2:11

GoogleCodeExporter commented 8 years ago
On this page FF explains that the certificate provided by our server is self-signed and
not trusted. You should add the certificate by pressing the Add exception button and
following the instructions on the next page.

Original comment by Anatoly....@gmail.com on 17 May 2010 at 6:59

GoogleCodeExporter commented 8 years ago
Added the exception certificate. Was able to log in the admin panel and in my
customer account. Placed an order all the way, got the order proof. If this is the
way it should work, it is Test OK.
After testing it in FF, I tried to login through Chrome. The browser asked for a
certificate confirmation again. I guess this means that the certificate needs to be
accepted for different browsers, not just once for that PC?

Original comment by agur...@gmail.com on 17 May 2010 at 11:27

GoogleCodeExporter commented 8 years ago
Did you check that the images come in fact from the Magento site, not directly from ZP?

We need to ensure they come from the Magento domain under HTTPS and from ZP (printers
domain) directly under HTTP.

Original comment by zetapri...@gmail.com on 17 May 2010 at 11:35
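
The check asked for in this thread (no insecure elements on HTTPS pages; ZP thumbnails served from the Magento host under HTTPS and directly from ZP under HTTP), as an added example that is not part of the original issue or the project's code. The host names `shop.example` and `zp.example`, the paths and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collect (tag, url) for elements the browser fetches while rendering."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("img", "script", "iframe") and a.get("src"):
            self.urls.append((tag, a["src"]))
        elif (tag == "link" and a.get("href")
              and "stylesheet" in (a.get("rel") or "").lower()):
            self.urls.append((tag, a["href"]))


def audit_page(page_url, html, zp_host):
    """On an HTTPS page, flag http:// subresources (mixed content) and images
    still served from zp_host instead of being proxied through the shop.
    On an HTTP page nothing is flagged: direct ZP image URLs are expected."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, raw in collector.urls:
        # urljoin resolves relative and protocol-relative (//host/...) URLs
        target = urlsplit(urljoin(page_url, raw))
        if target.scheme == "http":
            findings.append(("mixed-content", tag, target.geturl()))
        elif tag == "img" and target.hostname == zp_host:
            findings.append(("not-proxied", tag, target.geturl()))
    return findings


# Constructed sample markup, not taken from the real site.
SAMPLE = """
<link rel="stylesheet" href="/skin/styles.css">
<img src="http://zp.example/thumb/a.png">
<img src="//zp.example/thumb/b.png">
<img src="/media/proxied/c.png">
<script src="https://shop.example/js/checkout.js"></script>
"""

if __name__ == "__main__":
    for finding in audit_page("https://shop.example/checkout/", SAMPLE, "zp.example"):
        print(finding)
```
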

GoogleCodeExporter commented 8 years ago
Placed an order on this product:
http://www.zetaprints.com/mageimage/index.php/remax-square-sign-02-3-photos-24-x-24.html
The preview image URL was (secure_1.png)
I removed the "s" from "https" and got the same preview OK. Seems like it works both
ways.

Original comment by agur...@gmail.com on 17 May 2010 at 12:23

GoogleCodeExporter commented 8 years ago
We need to document how it works: 
- file naming
- what function is used to make the decisions on what to show
- where the files are stored, if stored at all
- server caching / client caching

Original comment by zetapri...@gmail.com on 17 May 2010 at 8:39

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 18 May 2010 at 1:33

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 18 May 2010 at 10:01

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 20 May 2010 at 6:08

GoogleCodeExporter commented 8 years ago
See Dev_HttpsAndImageProxing page

Original comment by Anatoly....@gmail.com on 25 May 2010 at 5:48

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 25 May 2010 at 6:22

GoogleCodeExporter commented 8 years ago

Original comment by zetapri...@gmail.com on 1 Jun 2010 at 11:24