[StatusNet-dev] AJAX form posting on SSL pages: provisional fix in 0.9.x

Thu, 16 Dec 2010 17:32:23 -0800

I've been doing some cleanup and documentation on our main front-end JavaScript code which lives in js/util.js, including some tweaks on the AJAX form submissions to fix some error handling oddities.
While I was in there, I realized it would be pretty easy to work around the longstanding problem that none of our AJAX forms work on sites set to "ssl=sometimes" if someone actually fires up an arbitrary page on SSL. 



The ssl=sometimes mode is meant to have most stuff live on regular HTTP 
most of the time, but kick you over to HTTPS for a few privileged things 
that involve passwords. This keeps your actual password (but not your 
session cookies) from being sent over the network in the clear, while 
running most stuff over the easier to manage HTTP routes.



However, some folks end up at HTTPS pages that StatusNet thinks are 
supposed to be HTTP -- such as people using the HTTPS-Everywhere Firefox 
extension (https://www.eff.org/https-everywhere), or clicking links in 
an Adium client, or just doing some cut-n-paste on the URL bar in their 
browser to jump from page to page quickly.



They end up being able to see everything just fine, but a lot of our 
interactivity would break because the forms use hardcoded HTTP URLs, 
which the HTTPS page isn't allowed to directly access.




In commit 46d9496, I tossed in a few lines of JS to check if we're in 
that state and transparently send the form submission over HTTPS 
instead, which the page can reach from JavaScript.



This gets posting, favoriting, repeating, subscribing, etc working for 
folks who are (whether deliberately or by accident) on an HTTPS page view.




Note that this *doesn't* keep you on HTTPS pages while you navigate 
through the site; the overall behavior of ssl=sometimes mode remains as 
it was. (Individual end-users can use the HTTP-Everywhere extension to 
force their browsers to do that, but beware there may be other things 
that still don't work on those pages.)


-- brion
_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev














    











					Reply via email to