[openstreetmap/openstreetmap-website] Use https for links in e-mail notifications (#1341)

Tom Hughes notifications at github.com
Fri Nov 4 14:03:04 UTC 2016


There are technical reasons which mean that enabling HSTS is not likely to be possible - we did try it once but it broke any site that was trying to use OAuth access to our API with http URLs because the client would sign an http URL but the browser would silently convert it to https meaning that the signature didn't match.

So we would only be able to enable HSTS once we had somehow persuaded every site that does OAuth against us to switch to HTTP URLs, and we don't even know how big that set is, let alone how to go about contacting them.

I don't think #939 is the one I was thinking of but there have been various discussions over the years where people have objected to forcing https because of the impact on people using lossy connections.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/1341#issuecomment-258439266
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20161104/e8de3752/attachment.html>


More information about the rails-dev mailing list