Re: Security warning (minor) on Tomcat site when using HTTPS

2017-08-03 Thread Mark Thomas
On 03/08/17 18:29, Christopher Schultz wrote:
> All,
> 
> If you use https://tomcat.apache.org you'll see a security warning in
> various browsers due to mixed-content.
> 
> The problem is that the "Support Apache" logo in the upper right-hand
> corner of the page is served via HTTP instead of HTTPS.
> 
> The other images on the page come from tomcat.apache.org, and are
> referenced using relative paths, so they inherit the protocol from the
> parent page.
> 
> The Support Apache logo comes from www.apache.org and can't be a
> relative link.
> 
> I'd like to fix this issue, and there are two possible approaches:
> 
> 1. Always use HTTPS: just change the link protocol to https://
> 
> 2. Use a protocol-relative link[1], whose use has been ... discouraged[2]
> 
> Does anyone care one way or the other?

Option 1 works for me.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: Security warning (minor) on Tomcat site when using HTTPS

2017-08-03 Thread Igal @ Lucee.org

On 8/3/2017 10:29 AM, Christopher Schultz wrote:

> I'd like to fix this issue, and there are two possible approaches:
>
> 1. Always use HTTPS: just change the link protocol to https://

Always use HTTPS seems like the right way to me.  What's the downside?
Latency on the first request?


TBH, best practice is to make all requests to http://tomcat.apache.org/
redirect to https://tomcat.apache.org/ so if you do that you do not
have to worry about protocol-relative URLs because they will always be
https.  My $0.02.


Igal Sapir
Lucee Core Developer
Lucee.org 



Security warning (minor) on Tomcat site when using HTTPS

2017-08-03 Thread Christopher Schultz
All,

If you use https://tomcat.apache.org you'll see a security warning in
various browsers due to mixed-content.

The problem is that the "Support Apache" logo in the upper right-hand
corner of the page is served via HTTP instead of HTTPS.

The other images on the page come from tomcat.apache.org, and are
referenced using relative paths, so they inherit the protocol from the
parent page.

The Support Apache logo comes from www.apache.org and can't be a
relative link.

I'd like to fix this issue, and there are two possible approaches:

1. Always use HTTPS: just change the link protocol to https://

2. Use a protocol-relative link[1], whose use has been ... discouraged[2]

Does anyone care one way or the other?

Thanks,
-chris

[1] https://www.paulirish.com/2010/the-protocol-relative-url/
[2] ibid.

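The URL resolution discussed in this thread, as an added example that is not part of any message or of the Tomcat site's own code: it resolves each image reference the way a browser does and reports which ones become mixed content on an HTTPS page. The markup, file names and image paths are constructed placeholders, and `audit` and `SubresourceCollector` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attribute that triggers a subresource fetch, per tag (links via <a> are not fetched).
FETCHING = {"img": "src", "script": "src", "iframe": "src"}

class SubresourceCollector(HTMLParser):
    """Collect (tag, raw_url) for every element that loads a subresource."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if url:
            self.refs.append((tag, url))

def audit(page_url, html):
    """Return [(raw_url, resolved_url, verdict)] for each subresource."""
    collector = SubresourceCollector()
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for _tag, raw in collector.refs:
        resolved = urljoin(page_url, raw)  # relative and //host forms take the page's scheme
        scheme = urlsplit(resolved).scheme
        if page_is_https and scheme == "http":
            verdict = "mixed-content"      # what triggers the browser warning
        elif raw.startswith("//"):
            verdict = "inherits-" + scheme  # option 2: follows the parent page
        else:
            verdict = "ok"
        findings.append((raw, resolved, verdict))
    return findings

# Constructed sample markup: relative path, plain http, option 1, option 2.
SAMPLE = """
<img src="res/images/local-logo.png">
<img src="http://www.apache.org/placeholder/support-apache.png">
<img src="https://www.apache.org/placeholder/support-apache.png">
<img src="//www.apache.org/placeholder/support-apache.png">
"""

if __name__ == "__main__":
    for page in ("https://tomcat.apache.org/", "http://tomcat.apache.org/"):
        for raw, resolved, verdict in audit(page, SAMPLE):
            print(f"{page:28} {raw:58} -> {resolved} [{verdict}]")
```

On the HTTP page the protocol-relative reference is fetched over plain HTTP, while the explicit https:// reference stays on HTTPS regardless of how the parent page was loaded.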