      request #9946 httpS mixed content error on "Personal Page" by hardcoded httP image
    Infos
    #9946
    Anton KULIK (d00AK)
    2018-12-31 13:15
    2017-02-09 09:30
    10235
    Details
    httpS mixed content error on "Personal Page" by hardcoded httP image
    Nowadays pages are served over httpS with browser preload. However, when logging in to Tuleap one first gets an overview of the user's "Personal Page", which has some widgets like "My projects", "Image", "RSS Reader" etc.

    Chrome and Firefox are choking on a Mixed Content insecure image request:
    'http://upload.wikimedia.org/wikipedia/commons/2/29/Tulipa_celsiana.jpg'

    To fix the issue, just add httpS instead of httP to the image URL in the next commit.
    https://upload.wikimedia.org/wikipedia/commons/2/29/Tulipa_celsiana.jpg
    Other
    All
    Empty
    • [ ] enhancement
    • [x] internal improvement
    Empty
    Stage
    Empty
    Closed
    2018-12-31
    Attachments
    Empty
    References
    Referencing request #9946
    Referenced by request #9946

    Follow-ups

    Thomas Gerbet (tgerbet)2018-12-31 13:15
    Since the initial issue has been solved, I'm closing.

    Proxifying HTTP requests for the users would still be nice to have but it can be dealt with in a dedicated story/request.

    • Status changed from Verified to Closed
    • Close date set to 2018-12-31
    Thomas Gerbet (tgerbet)2017-02-09 11:14
    Hi,

    I agree on this one.

    I think there are currently two issues with the image plugin:
    * We use a hard-coded HTTP URL to an external service as an example. We should not rely on an external service and certainly not use an HTTP URL when an HTTPS one is available.
    * If a user sets an HTTP URL we can still have mixed content. The Tuleap server should probably proxify the request to serve the image to the user. This solution also improves user privacy, which is not a bad side bonus.

    • Status changed from New to Verified
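
The handling proposed in the follow-up above (emit HTTPS image URLs as they are, proxify a user-supplied HTTP one) as an added example; it is not Tuleap's code and not part of the thread. The `/image-proxy` endpoint, the key and all function names are hypothetical assumptions.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote, urlsplit

# Assumption: server-side secret; this value is constructed for the example.
PROXY_KEY = b"constructed-example-key"
# Assumption: hypothetical same-origin endpoint that fetches and re-serves images.
PROXY_PATH = "/image-proxy"


def sign(url: str) -> str:
    """HMAC-SHA256 over the target URL, hex encoded."""
    return hmac.new(PROXY_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def image_src_for_https_page(user_url: str) -> Optional[str]:
    """Return the src to emit for a widget image on an HTTPS page, or None."""
    url = user_url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # malformed URL
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None  # only absolute http(s) image URLs are accepted
    if scheme == "https":
        return url  # no mixed content, emit unchanged
    # An http:// image on an HTTPS page is mixed content: the browser never
    # requests it directly, it requests the same-origin proxy path instead.
    return f"{PROXY_PATH}?url={quote(url, safe='')}&sig={sign(url)}"


def proxy_request_is_valid(url: str, sig: str) -> bool:
    """Proxy-side check: fetch only URLs this server signed itself, so the
    endpoint cannot be used as an open relay for arbitrary addresses."""
    return hmac.compare_digest(sign(url).encode("ascii"), sig.encode("utf-8"))


if __name__ == "__main__":
    # The two URLs quoted in the request.
    for u in ("http://upload.wikimedia.org/wikipedia/commons/2/29/Tulipa_celsiana.jpg",
              "https://upload.wikimedia.org/wikipedia/commons/2/29/Tulipa_celsiana.jpg"):
        print(image_src_for_https_page(u))
```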