I've been doing some cleanup and documentation on our main front-end JavaScript code which lives in js/util.js, including some tweaks on the AJAX form submissions to fix some error handling oddities.

While I was in there, I realized it would be pretty easy to work around the longstanding problem that none of our AJAX forms work on sites set to "ssl=sometimes" if someone actually fires up an arbitrary page on SSL.


The ssl=sometimes mode is meant to have most stuff live on regular HTTP most of the time, but kick you over to HTTPS for a few privileged things that involve passwords. This keeps your actual password (but not your session cookies) from being sent over the network in the clear, while running most stuff over the easier to manage HTTP routes.

However, some folks end up at HTTPS pages that StatusNet thinks are supposed to be HTTP -- such as people using the HTTPS-Everywhere Firefox extension (https://www.eff.org/https-everywhere), or clicking links in an Adium client, or just doing some cut-n-paste on the URL bar in their browser to jump from page to page quickly.

They end up being able to see everything just fine, but a lot of our interactivity would break because the forms use hardcoded HTTP URLs, which the HTTPS page isn't allowed to directly access.


In commit 46d9496, I tossed in a few lines of JS to check if we're in that state and transparently send the form submission over HTTPS instead, which the page can reach from JavaScript.

This gets posting, favoriting, repeating, subscribing, etc working for folks who are (whether deliberately or by accident) on an HTTPS page view.


Note that this *doesn't* keep you on HTTPS pages while you navigate through the site; the overall behavior of ssl=sometimes mode remains as it was. (Individual end-users can use the HTTPS-Everywhere extension to force their browsers to do that, but beware there may be other things that still don't work on those pages.)

-- brion
_______________________________________________
StatusNet-dev mailing list
StatusNet-dev@lists.status.net
http://lists.status.net/mailman/listinfo/statusnet-dev
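
The check described in the message above, sketched as an added example (this is not the code from commit 46d9496 or js/util.js). The function name `resolveFormAction`, the same-host restriction, and the choice to follow the page's port are assumptions made for illustration.

```javascript
// Added illustration; names are hypothetical and not taken from js/util.js.
// Given a form's action URL and the URL of the page it sits on, return the
// URL the AJAX submission should use. An HTTPS page and an HTTP action are
// different origins, so the browser blocks the request unless the action is
// moved onto the page's own scheme.
function resolveFormAction(action, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(action, page); // also resolves relative actions
  } catch (e) {
    return action; // unparseable action: leave it for the caller to handle
  }

  // Only the mixed state needs fixing: HTTPS page, plain-HTTP action.
  if (page.protocol !== 'https:' || target.protocol !== 'http:') {
    return target.href;
  }

  // Assumption: only rewrite actions on the page's own host. Upgrading a
  // third-party URL would not make it same-origin anyway.
  if (target.hostname !== page.hostname) {
    return target.href;
  }

  target.protocol = 'https:';
  // Assumption: follow the page's port so the result is same-origin with it
  // (an empty string resets to the default HTTPS port).
  target.port = page.port;
  return target.href;
}

// Constructed sample values, for running under Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(resolveFormAction('http://example.org/main/favor',
                                'https://example.org/notice/1'));
  console.log(resolveFormAction('http://example.org/main/favor',
                                'http://example.org/notice/1'));
}
```

In a browser this would be called as `resolveFormAction(form.action, window.location.href)` just before the AJAX submit. The session cookie still travels in the clear on the site's ordinary HTTP page views, as the message notes for ssl=sometimes mode.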