[openstreetmap/openstreetmap-website] Improve HTTPS security (#3108)

Tom Hughes notifications at github.com
Fri Feb 19 13:47:48 UTC 2021


At the moment loading of insecure passive content in secure pages is still generally allowed (active content isn't which makes the complaint more weird as the browser will deny that anyway even without CSP with the exception of localhost which is a special case) and we have no control over what our users are doing, and more importantly, what they did in the past.

Should we break a 10 year old diary entry because it's no longer considered "good" to load images over http?

Note that the actual page you analysed isn't allowing that but some like the diaries do.

We do only allow cross origin access to selected endpoints (https://github.com/openstreetmap/openstreetmap-website/blob/master/config/initializers/cors.rb#L21) but it's a bit more than just the API as it has to include OAuth for site that want to authenticate and the RSS feeds so that third part sites can load those.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/3108#issuecomment-782085664
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20210219/186f4f76/attachment.htm>


More information about the rails-dev mailing list