[openstreetmap/openstreetmap-website] Geolocation fails when not using https on Chrome (#1493)

dieterdreist notifications at github.com
Wed Sep 6 08:05:08 UTC 2017


2017-09-05 14:20 GMT+02:00 Tom Hughes <notifications at github.com>:

> Yes the problem is that an OAuth client makes an http request (and
> includes http in the protocol when computing the signature) but behind
> their back the browser sends the request over https instead which means
> that when the server computes the signature (using https as the protocol)
> it doesn't match.
>
> It's not hypothetical - we turned on HSTS at one point and had to turn it
> off again because of this.
>
> It's actually not relevant to this bug anyway - this bug could be resolved
> simply by redirecting everything to https by default. That simply requires
> that we make a decision to go "https only" which historically we have
> avoided because there were objections from some users to that.
>


Maybe it could be turned on by default, but made overridable in the user
preferences?


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/1493#issuecomment-327407780
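
The mismatch described in the quoted message, as an added example that is not part of the original thread or the openstreetmap-website code: an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) covers the request scheme, so a request signed for `http` and received over `https` fails verification. The host, path, keys, secrets, nonce and helper names below are constructed for illustration.

```ruby
require "openssl"
require "uri"

# RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
def oauth_escape(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Base string URI: lowercase scheme and host, default port dropped, no query string.
def base_string_uri(url)
  uri = URI.parse(url)
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  path = uri.path.empty? ? "/" : uri.path
  "#{uri.scheme.downcase}://#{uri.host.downcase}#{port}#{path}"
end

# METHOD & encoded base URI & encoded, sorted parameter string.
def signature_base_string(method, url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort.map { |k, v| "#{k}=#{v}" }.join("&")
  [method.upcase, base_string_uri(url), normalized].map { |p| oauth_escape(p) }.join("&")
end

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key,
                                signature_base_string(method, url, params))
  [digest].pack("m0") # Base64 without line breaks
end

# Constructed sample values, not taken from the thread.
PARAMS = {
  "oauth_consumer_key" => "example-consumer-key",
  "oauth_token" => "example-token",
  "oauth_signature_method" => "HMAC-SHA1",
  "oauth_timestamp" => "1504684800",
  "oauth_nonce" => "constructed-nonce",
  "oauth_version" => "1.0"
}.freeze

# The client signs signed_url; the server recomputes over the URL it received.
def server_accepts?(signed_url, received_url)
  client_sig = hmac_sha1_signature("GET", signed_url, PARAMS, "consumer-secret", "token-secret")
  server_sig = hmac_sha1_signature("GET", received_url, PARAMS, "consumer-secret", "token-secret")
  OpenSSL.secure_compare(client_sig, server_sig)
end

puts server_accepts?("http://api.example.test/api/0.6/user/details",
                     "https://api.example.test/api/0.6/user/details")
```
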