[
https://issues.apache.org/jira/browse/ROL-1998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13965965#comment-13965965
]
Glen Mazza commented on ROL-1998:
---------------------------------
Hi Matt, one concern I have about this is some people, seeing how Roller is
casually allowing both HTTPS and HTTP without any apparent effort to redirect
to the blog owner's desired scheme, might think that Roller was not coded
securely, that it could be prone to security holes. What Roller would gain in
flexibility could come at a larger price regarding its reputation for
security--the problem with allowing both schemes instead of redirecting to one
or the other is that who's to say that the blog owner didn't require one scheme
in his Roller config and that Roller isn't erroneously allowing both?

I think the options that Roller provides today are pretty good: (1) all http,
(2) all https, or (3) http for readers + just the secure pages (login, admin,
etc.) on https for the blogger. (3) already allows the blog reader to read
with zippy http while the blogger uses https://; I don't see much use case
of allowing the blog reader to upgrade to SSL when the blog owner has specified
http://. It couldn't be confidentiality, because if he's writing a blog
comment it's going to be viewable to the world after he submits it anyway,
otherwise he's just reading so shouldn't care about security.

That said, I might be behind the curve with the new "scheme-less" URLs and any
other modern benefits they offer.
> Allow both HTTP and HTTPS by using // instead of schema://
> ----------------------------------------------------------
>
> Key: ROL-1998
> URL: https://issues.apache.org/jira/browse/ROL-1998
> Project: Apache Roller
> Issue Type: Improvement
> Components: User Interface - General
> Affects Versions: 5.0.3
> Reporter: Matt Raible
> Assignee: Roller Unassigned
>
> On http://raibledesigns.com, I'd love to be able to serve up my site with
> both HTTP and HTTPS. I've found that the easiest way to do this (in a web
> browser) is to use schema-less URLs (// instead of http://). However, many of
> the Roller macros use the Absolute URL's value to construct their URL.
> I tried using "//raibledesigns.com" as an absolute URL, but this didn't work.
> You can see the issues I encountered on the Roller mailing list:
> http://markmail.org/message/wpmqspvapb2p5lx5
> As a workaround for many URLs, I was able to append ".replace('https://',
> '')" in my theme. However, there were a number of them I was unable to change
> b/c they're embedded in macros.
> Atom/RSS Feeds
> OpenSearch
> Category Links (#showWeblogCategoryLinksList)
> Page Links (#showPageMenu)
> Recent Entries (#showWeblogEntryLinksList)
> Read More
> RDF Comment
> $url.home
> $url.feed.entries.atom
> $url.tag
> For Atom/RSS feeds, I can see why the Absolute URL is important. However, for
> the HTML-rendered version, it'd be great if the schema from the browser's
> address bar could be used.
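Added example, not part of the original thread and not Roller code: a sketch of the scheme-relative rewriting discussed above, with feeds keeping the absolute URL. SITE_HOST, the function names and the sample URLs are assumptions made for illustration. resolveOnPage shows that a "//" link inherits whatever scheme the page was loaded with, so it does not move an HTTP reader to HTTPS; only a redirect to the owner's chosen scheme enforces that.

```javascript
// Constructed value for illustration; not read from any Roller configuration.
const SITE_HOST = "raibledesigns.com";

// Rewrite an absolute same-host http(s) URL to scheme-relative form.
// Anything else (other hosts, other schemes, explicit ports, relative
// links) is returned unchanged.
function toSchemeRelative(href, siteHost = SITE_HOST) {
  let u;
  try {
    u = new URL(href); // throws for relative and "//host/..." inputs
  } catch {
    return href;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return href;
  if (u.hostname !== siteHost) return href;
  // An explicit port is tied to one scheme, so dropping the scheme is unsafe.
  if (u.port) return href;
  return "//" + u.host + u.pathname + u.search + u.hash;
}

// Feeds are read outside the page's browsing context, so there is no
// address-bar scheme to inherit: they keep the absolute URL.
function renderLink(href, { forFeed = false } = {}) {
  return forFeed ? href : toSchemeRelative(href);
}

// Resolve a link the way a browser does, against the URL of the page
// that contains it.
function resolveOnPage(link, pageUrl) {
  return new URL(link, pageUrl).href;
}

// Constructed sample: the same rendered link on an HTTP and an HTTPS page.
const link = renderLink("https://raibledesigns.com/rd/entry/sample?x=1#comments");
console.log(link);
console.log(resolveOnPage(link, "http://raibledesigns.com/rd/"));
console.log(resolveOnPage(link, "https://raibledesigns.com/rd/"));
```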