Yeah, sounds like removing httpswwwroot is the solution.

** Changed in: mahara
   Importance: Undecided => Medium

** Changed in: mahara
       Status: New => Confirmed

** Changed in: mahara
    Milestone: None => 1.4.0

** Visibility changed to: Public

** This bug is no longer flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Mahara
Committers, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/646713

Title:
  js config.wwwroot ignores httpswwwroot

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Originally reported in http://mahara.org/interaction/forum/topic.php?id=1746

If wwwroot and httpswwwroot are both set and they're set differently, then 
users accessing mahara over https won't be able to retrieve various things - 
e.g. help snippets.
If the user is coming over https, and httpswwwroot is set, we should be using 
that instead of the wwwroot.
If they use the wwwroot, then browsers see this as XSS and block various things 
- e.g. help files.

This is *only* a problem when visiting over https and the wwwroot is set to 
http. The only place I can see where we actively pass users from http to https 
is the account settings page. That said, users can visit the httpswwwroot 
instead of the wwwroot and will see this on any page that they visit (until 
they click a link that is...).

I've marked this a security bug for the moment until someone else has had a 
look.
I think we may need to have more of a review of this - the ajaxlogin also uses 
config.wwwroot regardless of the setting of httpswwwroot.

Andrew
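The blocking the report describes is the browser's same-origin policy: the scheme is part of the origin, so a request from a page loaded over https:// to a resource rooted at the http:// wwwroot is cross-origin (and, as an http resource on an https page, also mixed content). The following is an added example in Node-runnable JavaScript, not Mahara's own code; the host names and the resource path are constructed placeholders.

```javascript
// Added example (not Mahara's own code): pick the base URL that client-side
// JavaScript should use so AJAX requests stay same-origin with the page the
// user actually loaded. Runs under Node (uses the WHATWG URL class).

// Origin = scheme + host + port: the unit the browser's same-origin policy
// compares, so http://host and https://host are two different origins.
function originOf(url) {
  return new URL(url).origin;
}

// The fix the report asks for: when the page was loaded over https and an
// httpswwwroot is configured, expose that instead of the plain wwwroot.
function chooseConfigRoot(pageUrl, wwwroot, httpswwwroot) {
  if (new URL(pageUrl).protocol === 'https:' && httpswwwroot) {
    return httpswwwroot;
  }
  return wwwroot;
}

// True when a request from pageUrl to targetUrl crosses origins (the browser
// will refuse to hand the response to scripts, or block it as mixed content).
function isCrossOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) !== originOf(targetUrl);
}

// Constructed configuration mirroring the report: wwwroot is http and
// httpswwwroot differs from it. Host names are placeholders.
const SAMPLE = {
  wwwroot: 'http://mahara.example.org/',
  httpswwwroot: 'https://mahara.example.org/',
};

// Compare the buggy behaviour (config.wwwroot always taken from wwwroot) with
// the fixed behaviour for a page loaded at pageUrl. resource is a relative
// path such as a help snippet; the default here is a constructed placeholder.
function compare(pageUrl, resource = 'json/help-snippet.json') {
  const buggy = new URL(resource, SAMPLE.wwwroot).href;
  const fixedRoot = chooseConfigRoot(pageUrl, SAMPLE.wwwroot, SAMPLE.httpswwwroot);
  const fixed = new URL(resource, fixedRoot).href;
  return {
    buggy: { url: buggy, blocked: isCrossOrigin(pageUrl, buggy) },
    fixed: { url: fixed, blocked: isCrossOrigin(pageUrl, fixed) },
  };
}

// Stand-alone run: a user on the https account settings page.
console.log(compare('https://mahara.example.org/account/'));
```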



_______________________________________________
Mailing list: https://launchpad.net/~mahara-core
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~mahara-core
More help   : https://help.launchpad.net/ListHelp
