[openstreetmap-website] Mention that it is necessary to visit https://127.0.0.1:8112/ and accept invalid certificate to have a working remote control (#803)

Štefan Baebler notifications at github.com
Sat Apr 25 10:56:22 UTC 2015


[Current code only has error message fallback](https://github.com/openstreetmap/openstreetmap-website/blob/e2aef40437767e779f97a7447de69b4540839ff5/app/assets/javascripts/index.js#L211). 
That can be extended to either:
* instead of just using an iframe it can first fall back to opening a new tab/window (then possibly close it) with
  * http (no mixed content problem, as it cannot affect the current document) or
  * https (allows the user to accept the invalid certificate)
* instead of using an iframe tag it can use an img tag to call remote editors on plain http, as that kind of passive (harmless) mixed content is currently still [allowed by all browsers](https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl). Editors don't have to serve images, but that functionality can also be added to them if needed.
* use Ajax to trigger mixed content calls, but that would only work on Chrome
* maybe use [content security policy](https://w3c.github.io/webappsec/specs/content-security-policy/) to allow [mixed content](http://www.w3.org/TR/mixed-content/) (not sure if this is possible. By common sense it shouldn't be allowed, but maybe there are some exceptions or bugs in there)

There is [some initiative to make localhost an exception](https://bugzilla.mozilla.org/show_bug.cgi?id=9039667), but it isn't getting much attention.

You can [test your browser](https://www.ssllabs.com/ssltest/viewMyClient.html) to see what kind of mixed content it blocks (scroll down on that test page).

I can help with this once we agree on design.

---
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/803#issuecomment-96176008
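
The img-tag fallback and the https certificate step from the message above, as an added sketch that is not part of the original message or of openstreetmap-website. Assumptions: the editor listens on plain-HTTP port 8111 with a `load_and_zoom` command (JOSM-style), port 8112 is the HTTPS port from the issue title, and `env` is a hypothetical seam for the browser APIs.

```javascript
// Added sketch, not project code. Assumed: port 8111 (http) and the
// load_and_zoom command; port 8112 (https) is from the issue title.
// `env` is a hypothetical wrapper around the page's browser APIs.
const HTTP_BASE = "http://127.0.0.1:8111";
const HTTPS_BASE = "https://127.0.0.1:8112";

function buildQuery(bbox) {
  return ["left", "bottom", "right", "top"]
    .map((k) => k + "=" + encodeURIComponent(bbox[k]))
    .join("&");
}

function callRemoteEditor(bbox, env, done) {
  const path = "/load_and_zoom?" + buildQuery(bbox);
  let settled = false;
  const finish = (result) => {
    if (!settled) { settled = true; done(result); }
  };

  if (env.pageProtocol !== "https:") {
    // http page: no mixed content, so the iframe transport still works.
    env.loadIframe(HTTP_BASE + path, (ok) =>
      finish({ status: ok ? "ok" : "failed" }));
    return;
  }

  // https page: an <img> request is passive mixed content, which the
  // message says browsers still allow. It only reports success if the
  // editor answers with an image (assumed here; the message notes that
  // editors would have to add this).
  const img = env.createImage();
  img.onload = () => finish({ status: "ok" });
  img.onerror = () =>
    // Ambiguous failure: editor absent, request blocked, or non-image
    // reply. Hand back the https URL so the page can offer it as a link
    // the user opens to accept the certificate.
    finish({ status: "needs-https", url: HTTPS_BASE + path });
  img.src = HTTP_BASE + path;
}
```

Returning the https URL instead of opening a window from the error handler leaves the new tab to a user click, which popup blockers do not interfere with.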