[openstreetmap/openstreetmap-website] Geolocation fails when not using https on Chrome (#1493)

Tom Hughes notifications at github.com
Tue Sep 5 12:20:56 UTC 2017


Yes, the problem is that an OAuth client makes an http request (and includes http in the protocol when computing the signature) but behind their back the browser sends the request over https instead, which means that when the server computes the signature (using https as the protocol) it doesn't match.

It's not hypothetical - we turned on HSTS at one point and had to turn it off again because of this.

It's actually not relevant to this bug anyway - this bug could be resolved simply by redirecting everything to https by default. That simply requires that we make a decision to go "https only" which historically we have avoided because there were objections from some users to that.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1493#issuecomment-327158765
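
The signature mismatch described in the message above, as an added example that is not part of the original message or of the openstreetmap-website code. It assumes OAuth 1.0a with HMAC-SHA1 as specified in RFC 5849; the host, path, keys and parameter values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(s):
    # RFC 3986 percent-encoding: only unreserved characters stay literal.
    return quote(s, safe="")

def base_string_uri(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default port and query.
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname.lower()
    if u.port and u.port != {"http": 80, "https": 443}[scheme]:
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"

def signature_base_string(method, url, oauth_params):
    # The scheme is part of the signed data, so http and https differ here.
    pairs = list(oauth_params.items())
    pairs += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def server_accepts(method, url_as_received, oauth_params, client_sig, cs, ts):
    # The server recomputes the signature from the URL it actually received.
    expected = sign(method, url_as_received, oauth_params, cs, ts)
    return hmac.compare_digest(expected, client_sig)

# Constructed sample request; none of these values come from the thread.
PARAMS = {
    "oauth_consumer_key": "example-consumer",
    "oauth_token": "example-token",
    "oauth_nonce": "nonce-0001",
    "oauth_timestamp": "1504614056",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}
CS, TS = "example-consumer-secret", "example-token-secret"
HTTP_URL = "http://api.example.test/api/resource?id=7"
HTTPS_URL = "https://api.example.test/api/resource?id=7"

if __name__ == "__main__":
    sig = sign("GET", HTTP_URL, PARAMS, CS, TS)  # client signs the http URL
    print("sent as signed:  ", server_accepts("GET", HTTP_URL, PARAMS, sig, CS, TS))
    print("upgraded by HSTS:", server_accepts("GET", HTTPS_URL, PARAMS, sig, CS, TS))
```

A client that builds and signs the https URL itself is unaffected, because the scheme it signs is the scheme the server sees.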