2017-09-05 14:20 GMT+02:00 Tom Hughes <notifications@github.com>:

> Yes the problem is that an OAuth client makes an http request (and
> includes http in the protocol when computing the signature) but behind
> their back the browser sends the request over https instead which means
> that when the server computes the signature (using https as the protocol)
> it doesn't match.
>
> It's not hypothetical - we turned on HSTS at one point and had to turn it
> off again because of this.
>
> It's actually not relevant to this bug anyway - this bug could be resolved
> simply by redirecting everything to https by default. That simply requires
> that we make a decision to go "https only" which historically we have
> avoided because there were objections from some users to that.
>

maybe it could be turned on by default, but made overridable in the user
preferences?
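The mismatch Tom describes above comes from the OAuth 1.0a signature base string, which includes the request's scheme. The following is an added example, not code from the openstreetmap-website project or from either commenter: it builds the base string and HMAC-SHA1 signature the way OAuth 1.0a specifies, signs a request as an `http://` URL (as the client does), then verifies it as `https://` (as the server sees it after an HSTS upgrade). The host `api.example.test`, the path, the OAuth parameters and the secrets are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """OAuth 1.0a percent-encoding: only unreserved characters (A-Z a-z 0-9 - _ . ~) are left bare."""
    return quote(s, safe="~")


def base_url(url: str) -> str:
    """Normalise the 'base string URI': lowercase scheme and host, drop default ports, no query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & pct(base URL) & pct(normalised params). The scheme is part of the second element."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    all_params = {**query, **params}
    encoded = sorted((pct(k), pct(v)) for k, v in all_params.items())
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalised)])


def hmac_sha1_signature(method: str, url: str, params: dict,
                        consumer_secret: str, token_secret: str = "") -> str:
    """oauth_signature for HMAC-SHA1: key is pct(consumer_secret)&pct(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    sbs = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, sbs, hashlib.sha1).digest()).decode()


# Constructed OAuth parameters and secrets (not real credentials).
OAUTH_PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1504614000",
    "oauth_nonce": "c0ffee",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"


def signatures_match(client_url: str, server_url: str) -> bool:
    """Client signs client_url; server recomputes over server_url (the URL it actually received).

    Returns True only when both sides produce the same oauth_signature, i.e. when the
    scheme (and everything else in the base URL) agrees.
    """
    client_sig = hmac_sha1_signature("GET", client_url, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    server_sig = hmac_sha1_signature("GET", server_url, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(client_sig.encode(), server_sig.encode())


if __name__ == "__main__":
    signed = "http://api.example.test/api/0.6/user/details"   # what the client signed
    upgraded = "https://api.example.test/api/0.6/user/details"  # what HSTS made the browser send
    print("same scheme  :", signatures_match(signed, signed))
    print("http -> https:", signatures_match(signed, upgraded))
```

With the same scheme on both sides the signatures agree; after an HSTS upgrade the server's base string starts with `GET&https%3A%2F%2F...` while the client's starts with `GET&http%3A%2F%2F...`, so the HMACs differ and the request is rejected. That is why an HSTS rollout on a server with OAuth 1.0a clients has to be paired with clients that already sign `https://` URLs, which is the same end state as the "https only" redirect discussed above.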

