Secured the entire (public) site
Review Request #199 - Created Feb. 29, 2012 and updated
Information | |
---|---|
Adrian Budau | |
infoarena | |
Reviewers | |
hackers | |
Modified the site so that we won't get any warning about insecure content on secured connections. For local clones you also have to modify the ia theme so that the folders aren't prepended with "http://" but with "//". The link to do this is: "Configuare" -> "Tema curenta". Go there and modify the 2 folder links. We cannot do this for the administration of the forum (forum admin) because too many hacks would be included. Admins should be okay with this. Image URLs are now local so we do not need to keep track of whether they are http or https. Newsletter templates have been changed (on live) so now we can write newsletters using absolute URLs and it will work. Also many lint fixes.
I hope you tested this on a lot of browsers. There are some issues with how this is handled so far:

- Newsletters fail because they do not contain absolute urls anymore, we need to render them with absolute urls. Newsletters were the only reason we ever used url_absolute as far as I can tell, so I would say just remove all url_absolutes by default and have something like a global variable that can be set in scripts which forces URLs to be absolute.
- Attachments still have absolute urls, and image urls inside textile are cached, so sometimes you get https images and sometimes you get http.
- Clicking on the login or register buttons automatically redirects you to https (as is correct), but keeps you in https for the remainder of your visit. This may be unwanted behaviour; you need to look at the last page (!= register, login) that the user visited and decide if he was using https or not.
trunk/smf/Themes/default/index.template.php (Diff revision 1)
Just don't use url_absolute at all.
Review request changed
Change Summary:
Removed all the url_absolute (that could have been removed) and occurrences of IA_URL. Fixed newsletters and image attachments in wiki. The login and register https <-> http changing problem is still not solved; I would rather we have a certificate instead so staying on https will be a good thing.
Diff: Revision 2 (+44 -50)
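A check for the two failure modes discussed in this review, added here as an example and not part of the infoarena code: it scans rendered HTML for `http://` subresources that would trigger insecure-content warnings on an HTTPS page, and, for newsletters, for URLs without a scheme that a mail client cannot resolve. The `audit` function, the tag table and the `example.org` sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attribute that loads a subresource, per tag. <a href> is navigation, not a load.
SUBRESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "embed": "src", "object": "data",
}
# Active content can rewrite the page; images and media are passive mixed content.
ACTIVE_TAGS = {"script", "iframe", "link", "embed", "object"}

class UrlAudit(HTMLParser):
    """context="web": flag http:// subresources (mixed content on an HTTPS page).
    context="email": flag href/src values with no scheme ("//host/x", "/x")."""

    def __init__(self, context="web"):
        super().__init__()
        self.context = context
        self.findings = []  # (kind, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.context == "email":
            names = ("href", "src")  # links matter too: mail has no page origin
        elif tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # e.g. rel="canonical" does not load anything
        else:
            names = (SUBRESOURCE_ATTRS.get(tag),)
        for name in names:
            url = (attrs.get(name) or "").strip() if name else ""
            if not url or url.startswith("#"):
                continue
            scheme = urlsplit(url).scheme.lower()
            if self.context == "email" and not scheme:
                self.findings.append(("no-scheme", tag, url))
            elif self.context == "web" and scheme == "http":
                kind = "mixed-active" if tag in ACTIVE_TAGS else "mixed-passive"
                self.findings.append((kind, tag, url))

def audit(html, context="web"):
    parser = UrlAudit(context)
    parser.feed(html)
    return parser.findings

# Constructed sample markup, not taken from the site.
SAMPLE = """
<link rel="stylesheet" href="http://static.example.org/css/site.css">
<script src="//static.example.org/js/app.js"></script>
<img src="http://static.example.org/img/logo.png">
<img src="/static/images/avatar.png">
<a href="http://example.org/forum">forum</a>
"""
```

Run with `context="web"` on pages served over HTTPS and with `context="email"` on rendered newsletter bodies; the same markup can pass one check and fail the other.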