https://bugzilla.wikimedia.org/show_bug.cgi?id=69289

--- Comment #4 from Chris Steipp <[email protected]> ---
(In reply to Mitar from comment #2)
> Then maybe MediaWiki (https://www.mediawiki.org/wiki/MediaWiki) has a wrong
> $wgCanonicalServer setting. Because if you open http://www.mediawiki.org it
> redirects to HTTPS. So it seems https://www.mediawiki.org is the canonical
> URL for the site.

www.mediawiki.org has $wgCanonicalServer set to "http://www.mediawiki.org". If
you're logged in, you probably have the force HTTPS cookie which is causing the
redirect.

But yeah, I prefer you *DO* use https when calling /identify, just to preserve
your user's privacy, if nothing else. So in the preferred case, there will be a
mismatch, which isn't great design I admit. We could just set https:// always,
to encourage Consumers to use it too, but that seems a little evil too.

> Server name could not be influenced by an attacker (if yes, you have an
> error in your server configuration)? But http host yes. But server name does
> not contain the protocol anyway, no?

I think I've seen the host header used when apache used * as the vhost... but
yeah, as you point out that doesn't include protocol, so back to the same
problem.

> You could use $_SERVER["HTTPS"]:
> https://stackoverflow.com/questions/1175096/how-to-find-out-if-you-are-using-
> https-without-serverhttps
> 
> But then you will have to make sure that your forward proxy daemon properly
> sets this (if you run MediaWiki behind it, what you do at mediawiki.org it
> seems).

$request->getProtocol(). You've been away too long :)

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l