Cool,
That's what I was thinking (well I was thinking the old document.href,
but that's pre-DOM I think, so I may be showing my obsolete knowledge).
;-)
I'd like to test this for robustness before committing. Let's take a
while to think through the combinations where this may or may not work,
i.e. http page pulling https data from the same or a different server,
for instance if page images and static content don't need to be
encrypted, just the dynamic content fetched by the remote script? It
doesn't work for different protocol types, unless you manually modify
those lines and add your protocol, using a switch statement or
something. It should just use whatever protocol the file was requested
with if there's a complete URI, or else fall back to the protocol of the
page it is being called from. Also to take into account are the port
numbers. Another non-standard configuration of my server is to use
alternative port numbers to differentiate unique secure hosts with a
single IP by using a unique IP:port pair.
I figure while we're looking at it and fixing a bug for one condition,
why not take on the larger problem revealed, and formulate a generalized
improvement for as many cases as we can. 90% of the work is figuring
out what's going on. Why address it later when I've forgotten
everything. ;-) Of course, I keep getting sidetracked with things...
If you have the momentum, go ahead and fix it, otherwise I'll get to it
as soon as I can, and you can keep using your patch and drop in a
replacement later if you want. :-)
Leif
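
[Added example, not part of the original email and not DynAPI code.] The cases listed above (explicit protocol on the request, fallback to the page's protocol, non-default ports) resolved against the page's full URI, next to the patched logic quoted below re-expressed as a plain function. The function names, the host names and the use of the standard URL class are assumptions made for illustration.

```javascript
// Constructed sample page address: HTTPS on a non-default port.
const PAGE = 'https://host.example:8443/app/index.html';

// The patched logic quoted in this thread, as a pure function.
// pageUrl stands in for this.doc.URL, domain for
// dynapi.frame.document.domain, documentPath for dynapi.documentPath.
function patchedResolve(url, pageUrl, domain, documentPath) {
  if (url.indexOf('http') != 0) {
    var urlP = (pageUrl.indexOf('https') == 0) ? 'https://' : 'http://';
    if (url.substr(0, 1) == '/') url = urlP + domain + url; // port is lost here
    else url = documentPath + url;
  }
  return url;
}

// Generalized form: a complete URI keeps its own protocol, host and port;
// anything else inherits all three from the page it is called from.
function resolveRequest(url, pageUrl) {
  const page = new URL(pageUrl);
  const target = new URL(url, page);
  return {
    href: target.href,
    // Same protocol, host and port as the page.
    sameOrigin: target.origin === page.origin,
    // Secure page asking for data over plain http: the combination
    // behind the browser warning reported in this thread.
    mixedContent: page.protocol === 'https:' && target.protocol === 'http:',
  };
}

// Combinations worth testing before committing (constructed inputs).
function checkCombinations() {
  return [
    '/data/sql.php',                      // root-relative
    'sql.php',                            // document-relative
    'http://host.example/img/logo.png',   // secure page, plain http data
    'https://other.example:9443/feed.php' // different secure host:port
  ].map(function (u) { return resolveRequest(u, PAGE); });
}
```

A root-relative URL on this page comes back from patchedResolve without the :8443 port, while resolveRequest keeps it.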
----- Original Message -----
From: "Jeremy Wanamaker" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 05, 2004 12:14 PM
Subject: Re: [Dynapi-Help] secure http - SOLUTION
> Here's my solution for anyone who may be interested. It works with both
> secure and non-secure servers. In ioelement.js and the function _doRequest
> it should read as follows starting on line 225
>
>     if (url.indexOf('http')!=0) {
>         var urlP = (this.doc.URL.indexOf('https') == 0) ? 'https://' : 'http://';
>         if (url.substr(0,1)=='/') url = urlP+dynapi.frame.document.domain+url;
>         else url = dynapi.documentPath+url;
>     }
>
> Jeremy
>
> ----- Original Message -----
> From: "Jeremy Wanamaker" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, May 05, 2004 12:00 PM
> Subject: Re: [Dynapi-Help] secure http
>
>
> > Right. So if you call ioelement.post(handler, data, function) with handler
> > set to a relative URL, this line expands it out to the full URI. What I'm
> > thinking is that you could use the DOM to get something like this.doc.URL
> > (not sure if this is the best place to check) and check if the prefix is
> > http or https and then prepend the result to the url variable in _doRequest.
> >
> > I'm gonna try that here on my local copy. It may be worth putting in the
> > CVS, although I don't think it's been updated since Nov.
> >
> > Jeremy
> >
> > ----- Original Message -----
> > From: "Leif W" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 05, 2004 11:04 AM
> > Subject: Re: [Dynapi-Help] secure http
> >
> >
> > > To get the protocol name you'll need to look at the full URI
> > > (http://site/path/file.html) and not just the URL (/path/file.html). At
> > > that point in the script, it is making decisions without enough
> > > information, based only on the URL. So, it's got to be pulled from
> > > elsewhere. As I said before, I never really modified the ioelement.js
> > > (except some other minor thing), so I haven't got a good sense of what
> > > goes on in there, yet.
> > >
> > > Leif
> > >
> > > ----- Original Message -----
> > > From: "Jeremy Wanamaker" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, May 05, 2004 10:52 AM
> > > Subject: Re: [Dynapi-Help] secure http
> > >
> > >
> > > > Ok, I tried changing that http to https in ioelement.js and it worked.
> > > > Sorry, I should have tried it before I wrote that last email.
> > > >
> > > > What I'm wondering now is if there is a way to differentiate between
> > > > secure/non-secure connections so that the appropriate prefix (http/https)
> > > > could be attached at
> > > >
> > > >     if (url.substr(0,1)=='/') url = 'http://'+dynapi.frame.document.domain+url;
> > > >
> > > > and you wouldn't have to run separate copies of dynapi for secure and
> > > > non-secure servers.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Jeremy Wanamaker" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, May 05, 2004 10:26 AM
> > > > Subject: Re: [Dynapi-Help] secure http
> > > >
> > > >
> > > > > Leif,
> > > > >
> > > > > What you have described is exactly what I am trying to do.
> > > > >
> > > > > > script over HTTPS to get data from a MySQL server. I've used ioelement
> > > > > > to talk to both Perl and PHP scripts, over HTTPS. But in my case, all
> > > > > > these servers are running on the same machine and I have total control
> > > > >
> > > > > Because Mozilla crashes, I'm having a difficult time debugging the error.
> > > > > IE's script debugger says it's crashing in _monitorTransactions in
> > > > > ioelement.js at the following if statement:
> > > > >
> > > > >     elm=this.getScope(r[4]);
> > > > >     if(elm && elm.document && !elm.document._tranState){
> > > > >
> > > > > So I'm assuming the getScope function on the previous line is returning a
> > > > > null value. I'm not sure why this would be, and maybe I'm way off base. The
> > > > > only other thing I'm wondering about is if the following lines are causing a
> > > > > problem in _doRequest
> > > > >
> > > > >     if (url.indexOf('http')!=0) {
> > > > >         if (url.substr(0,1)=='/') url = 'http://'+dynapi.frame.document.domain+url;
> > > > >         else url = dynapi.documentPath+url;
> > > > >     }
> > > > >
> > > > > Did you have to change these lines to set the url variable to start with
> > > > > https rather than http?
> > > > >
> > > > > Thanks for your help.
> > > > >
> > > > > Jeremy
> > > > >
> > > > >
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Leif W" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Monday, May 03, 2004 11:22 AM
> > > > > Subject: Re: [Dynapi-Help] secure http
> > > > >
> > > > >
> > > > > > Hmm, not sure about that one. But the first part makes sense: you don't
> > > > > > want to start loading insecure data over a secure connection, because
> > > > > > then the data that is loaded is not going to be transmitted securely,
> > > > > > giving the false impression to the user that the entire session is
> > > > > > secure. The second part, about the browser going into a loop and giving
> > > > > > an application error, seems like a bug as Doug suggested, but I have no
> > > > > > idea.
> > > > > >
> > > > > > How are you calling this PHP script? Is there any reason you can't use
> > > > > > a secure URL to the PHP script in the JS code?
> > > > > > https://domain.dom/sql.php Then, you are just talking HTTP over a
> > > > > > secure connection, and the browser won't know or care what the PHP
> > > > > > script does insecurely while talking to the database (which could be
> > > > > > another point of concern from the security view). I use a plain PHP
> > > > > > script over HTTPS to get data from a MySQL server. I've used ioelement
> > > > > > to talk to both Perl and PHP scripts, over HTTPS. But in my case, all
> > > > > > these servers are running on the same machine and I have total control
> > > > > > over it, so I know it's configured to work the way I expect. I haven't
> > > > > > tried having the initial web page on one HTTPS server, and calling the
> > > > > > PHP from a separate HTTP/HTTPS server, which may be what you're doing.
> > > > > >
> > > > > > If you have control over the database machine, and it's a UNIX box, you
> > > > > > can install a program that enables SSL connections to arbitrary server
> > > > > > programs, with no modification to the server. Two such programs I am
> > > > > > aware of (both use OpenSSL) are stunnel and sslwrap. I'm using stunnel
> > > > > > for SWAT (Samba Web Administration Tool), which doesn't use Apache, it
> > > > > > has its own web server functionality, but specifically for the task at
> > > > > > hand.
> > > > > >
> > > > > > Leif
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Jeremy Wanamaker" <[EMAIL PROTECTED]>
> > > > > > To: <[EMAIL PROTECTED]>
> > > > > > Sent: Monday, May 03, 2004 9:47 AM
> > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > >
> > > > > >
> > > > > > > Sorry, I should have been more specific in my original email. I am using
> > > > > > > Dynapi 3 with ioelement.js to get data from a database via php scripts. It
> > > > > > > works fine when it's running over http (port 80). When I switch to https
> > > > > > > (port 443), Mozilla gives me the following warning:
> > > > > > >
> > > > > > > Although this page is encrypted, the information you have entered is to be
> > > > > > > sent over an unencrypted connection and could easily be read by a third
> > > > > > > party.
> > > > > > >
> > > > > > > It asks me if I wish to continue.... I click yes and then mozilla goes into a
> > > > > > > loop and gets an application error. Any idea on how I can fix this? I really
> > > > > > > need to be able to use secure http for my application.
> > > > > > >
> > > > > > > Jeremy
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Leif W" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Friday, April 30, 2004 10:08 PM
> > > > > > > Subject: Re: [Dynapi-Help] secure http
> > > > > > >
> > > > > > >
> > > > > > > > Work in what way? It should work fine in a general sense. The browser
> > > > > > > > handles the connection to the server. The server does not care what the
> > > > > > > > file contents are, they are just static javascript files. The browser
> > > > > > > > handles running the JavaScript, the server has no part in this process.
> > > > > > > > I have a local copy of CVS with some of my tinkerings in it, so it's a
> > > > > > > > "dirty" copy of the CVS, but it's 99.99% untouched. You can see it at
> > > > > > > > http://dynapi.kicks-ass.net/ , and you'll see, it automatically
> > > > > > > > redirects to the secure site. I did most of my work with IOElement and
> > > > > > > > SODA here.
> > > > > > > >
> > > > > > > > :D Ohh yeah, the site is down right now, as I'm modifying some Apache
> > > > > > > > config settings, to get more details in my log files, and I kind of shut
> > > > > > > > the site off and started modifying some live files so I can't turn it
> > > > > > > > back up until the configs are finished. Should be tonight or tomorrow,
> > > > > > > > once I am able to finish.
> > > > > > > >
> > > > > > > > In any case, what are you trying now and what isn't working?
> > > > > > > >
> > > > > > > > Leif
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Jeremy Wanamaker" <[EMAIL PROTECTED]>
> > > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > > Sent: Friday, April 30, 2004 3:35 PM
> > > > > > > > Subject: [Dynapi-Help] secure http
> > > > > > > >
> > > > > > > >
> > > > > > > > > > Is anyone aware of a way to get DynAPI 3 working with a secure http
> > > > > > > > > > server?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Jeremy
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > -------------------------------------------------------
> > > > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > > > > Get certified on the hottest thing ever to hit the market... Oracle 10g.
> > > > > > > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > > > _______________________________________________
> > > > > > > > Dynapi-Help mailing list
> > > > > > > > [EMAIL PROTECTED]
> > > > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > -------------------------------------------------------
> > > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > > Get certified on the hottest thing ever to hit the
market...
> > > Oracle
> > > > > > 10g.
> > > > > > > Take an Oracle 10g class now, and we'll give you the exam
FREE.
> > > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > > _______________________________________________
> > > > > > > Dynapi-Help mailing list
> > > > > > > [EMAIL PROTECTED]
> > > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > -------------------------------------------------------
> > > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > > Get certified on the hottest thing ever to hit the market...
> > > Oracle 10g.
> > > >
> > > > > > Take an Oracle 10g class now, and we'll give you the exam
FREE.
> > > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > > _______________________________________________
> > > > > > Dynapi-Help mailing list
> > > > > > [EMAIL PROTECTED]
> > > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > -------------------------------------------------------
> > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > Get certified on the hottest thing ever to hit the market...
Oracle
> > > 10g.
> > > > > Take an Oracle 10g class now, and we'll give you the exam
FREE.
> > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > _______________________________________________
> > > > > Dynapi-Help mailing list
> > > > > [EMAIL PROTECTED]
> > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > >
> > > >
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email is sponsored by: Oracle 10g
> > > > Get certified on the hottest thing ever to hit the market...
Oracle
> > > 10g.
> > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > _______________________________________________
> > > > Dynapi-Help mailing list
> > > > [EMAIL PROTECTED]
> > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > >
> > > >
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by: Oracle 10g
> > > Get certified on the hottest thing ever to hit the market...
Oracle 10g.
> > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > _______________________________________________
> > > Dynapi-Help mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by Sleepycat Software
> > Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> > deliver higher performing products faster, at low TCO.
> > http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> > _______________________________________________
> > Dynapi-Help mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> >
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by Sleepycat Software
> Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
> deliver higher performing products faster, at low TCO.
> http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
> _______________________________________________
> Dynapi-Help mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/dynapi-help
>
-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
_______________________________________________
Dynapi-Help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/dynapi-help