This is going to cause problems as well. I just recently moved our site from always https to only login, because when students embed video from outside of the site (which they are encouraged to do to save file space and to take advantage of other resources) Internet Explorer will block the content every time you reload the page. It also looks like it is blocking the new Google Apps block type, even if the provided url/embed- code has https in it. As Iñaki Arenaza mentioned, we use LDAP for logins that can't be allowed to pass in clear text so HTTPS is important. At least 25% of our users use IE and it becomes very irritating having to constantly confirm "show all content" when editing a page or browsing a collection.
Some of this might be mitigated if the googleapps and externalvideo block types took into consideration the site's SSL status and embedded the content with https sources when available (both YouTube and Google Apps seem to support embedding over https). -- You received this bug notification because you are a member of Mahara Core, which is subscribed to Mahara. https://bugs.launchpad.net/bugs/646713 Title: Removal of httpswwwroot Status in Mahara ePortfolio: Fix Released Bug description: Originally reported in http://mahara.org/interaction/forum/topic.php?id=1746 If wwwroot and httpswwwroot are both set and they're set differently, then users accessing mahara over https won't be able to retrieve various things - e.g. help snippets. If the user is coming over https, and httpswwwroot is set, we should be using that instead of the wwwroot. If they use the wwwroot, then browsers see this as XSS and block various things - e.g. help files. This is *only* a problem when visiting over https and the wwwroot is set to http. The only place I can see where we actively pass users from http to https is the account settings page. That said, users can visit the httpswwwroot instead of the wwwroot and will see this on any page that they visit (until they click a link that is...). I've marked this a security bug for the moment until someone else has had a look. I think we may need to have more of a review of this - the ajaxlogin also uses config.wwwroot regardless of the setting of httpswwwroot. Andrew To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/646713/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-core Post to : [email protected] Unsubscribe : https://launchpad.net/~mahara-core More help : https://help.launchpad.net/ListHelp
