
[fixed] 1.10 Beta3: more unencrypted data with SSL admin

Posted: Wed Sep 21, 2011 11:18 am
by fredp
I made a clean install of 1.10-beta3 on a server with its own (non-shared) SSL cert. Next, I applied the patches described in this post: Re: CMSMS 1.10 Beta3 is available to track down other observed cases of unencrypted data being sent over the network during an SSL admin session. Here's a list of what I've found so far:
  1. I captured the headers from a page reload of the Extensions » MicroTiny WYSIWYG editor page and extracted a list of thirteen (unencrypted) http: URLs requested (see attached).
  2. It appears that MicroTiny init. code used by the backend during an SSL admin session also contains URLs based on $config['root_url'] rather than $config['ssl_url'].

    #grep http: /tmp/cache/mt_0f3d9d7e1635a606aa639e5d24f05R75b
                           image : 'http://example.com/modules/MicroTiny/images/cmsmslink.gif',
      document_base_url : "http://example.com/",
      var cmsURL = "http://example.com/modules/MicroTiny/filepicker.php?_sx_=0ca14680&type="+type;
Note: the site's config.php contained:

$config['admin_url'] = 'https://example.org/my.admin';
$config['root_url'] = 'http://example.org';
$config['ssl_url']   = 'https://example.org';
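The kind of check behind the finding above, as an added example (not code from this thread, CMSMS or MicroTiny): an offline scanner that takes text captured from an HTTPS admin session (the MicroTiny init cache file or a saved page body) and lists every URL a browser would fetch over plain http:. The constructed sample reuses the three http: lines from the grep output above and adds three made-up https, scheme-relative and root-relative lines for contrast.

```python
"""Offline mixed-content check for text captured from an HTTPS admin page.

Added example for this thread; it is not CMSMS or MicroTiny code. Feed it
the MicroTiny init cache file or a saved page body and it lists the URLs a
browser would fetch over plain http:, i.e. the unencrypted requests
reported above.
"""
import re
from urllib.parse import urlsplit

# A URL preceded by a quote, "=", "(" or whitespace: absolute
# ("http://host/path"), scheme-relative ("//host/path") or
# root-relative ("/path"). Good enough for JS/HTML fragments.
URL_RE = re.compile(
    r"""(?<=["'=(\s])"""
    r"""((?:https?:)?//[^\s"'<>)]+"""
    r"""|/[A-Za-z0-9_.-][^\s"'<>)]*)"""
)

# Constructed sample: the first three lines are the thread's grep output,
# the last three are made up to show the non-offending URL forms.
SAMPLE = """\
image : 'http://example.com/modules/MicroTiny/images/cmsmslink.gif',
document_base_url : "http://example.com/",
var cmsURL = "http://example.com/modules/MicroTiny/filepicker.php?_sx_=0ca14680&type="+type;
script_url : 'https://example.com/modules/MicroTiny/tiny_mce/tiny_mce.js',
content_css : '//example.com/modules/MicroTiny/css/content.css',
theme_url : '/modules/MicroTiny/themes/',
"""


def find_urls(text):
    """Every URL-looking token in the text, in order of appearance."""
    return [m.group(1) for m in URL_RE.finditer(text)]


def classify(url, page_is_https=True):
    """'insecure' if the browser would use plain http for this URL.

    Scheme-relative and root-relative URLs inherit the page's scheme, so
    they only become a problem when the page itself is served over http.
    """
    scheme = urlsplit(url).scheme
    if scheme == "http":
        return "insecure"
    if scheme == "https":
        return "secure"
    return "secure" if page_is_https else "insecure"


def insecure_urls(text, page_is_https=True):
    """Unique URLs from the text that would be fetched unencrypted."""
    seen = set()
    out = []
    for url in find_urls(text):
        if url not in seen and classify(url, page_is_https) == "insecure":
            seen.add(url)
            out.append(url)
    return out


if __name__ == "__main__":
    # Run against the constructed sample; with a real capture, read the
    # cache file or saved page into `text` instead.
    for url in insecure_urls(SAMPLE):
        print("plain http:", url)
```

Run it over the cache file or a saved page body instead of SAMPLE to get the list of offending URLs for a real install; anything it reports on an https page is data the browser sends and receives in the clear.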

Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin

Posted: Fri Sep 30, 2011 1:57 pm
by deactivated010521
confirmed MicroTiny calls http:// assets when $config['admin_url'] = 'https://example.org';

==

It seems that it's possible to not specify the http:// or https:// protocol in the config.php to get around this issue as:

$config['root_url'] = '//example.org';
See:
http://paulirish.com/2010/the-protocol-relative-url/

I think I am going to use this in my templates for mixed (http://, https://) environments.

Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin

Posted: Fri Sep 30, 2011 10:19 pm
by fredp
arnoud wrote: confirmed MicroTiny calls http:// assets when $config['admin_url'] = 'https://example.org';
==
It seems that it's possible to not specify the http:// or https:// protocol in the config.php to get around this issue as:
...
True. There are pros and cons to using scheme-relative URLs, just as there are to root-relative URLs, which have a slightly different set of advantages and disadvantages. Of course, absolute URLs have their own issues -- hence, this problem report. ;)

Last time I looked, root-relative URLs ("path absolute" in RFC3986 lingo) were generally preferred, particularly in CDN situations. But, I haven't used them much with CMSMS.

One small advantage to root-relative URLs is that they are shorter than absolute or scheme-relative URLs, since the browser is supposed to fill in the missing info (scheme, hostname, etc) from the request:

$config['root_url'] = '/';
$config['uploads_url'] = '/uploads';
One good & bad thing about root-relative URLs is that they make it a bit harder for evil website scrapers to copy your site. On the downside, this tends to mean you need a virtual host setup when working on a local web server--so the path portions of the URLs match.

But I digress... ;-)
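To make the trade-off arnoud and fredp discuss concrete, here is an added example (not code from this thread or from CMSMS) that resolves an asset URL built from each of the three root_url spellings the way a browser would, once for the HTTPS admin session and once for a local dev server without a virtual host. The root_url values are the ones from the posts above; the admin page path and the localhost install under /mysite/ are assumptions made up for the demo.

```python
"""How the three spellings of $config['root_url'] resolve in a browser.

Added example for this thread; not CMSMS code. The root_url values come
from the posts above (the thread's config.php, arnoud's scheme-relative
workaround, fredp's root-relative form). The admin page paths and the
localhost install under /mysite/ are assumptions made up for the demo.
"""
from urllib.parse import urljoin, urlsplit

ASSET = "modules/MicroTiny/images/cmsmslink.gif"

ROOT_URL_FORMS = {
    "absolute":        "http://example.org",  # as in the thread's config.php
    "scheme-relative": "//example.org",       # arnoud's workaround
    "root-relative":   "/",                   # fredp's shorter form
}


def asset_url(root_url, page_url, asset=ASSET):
    """The URL a browser actually requests for root_url + '/' + asset,
    resolved against the page it appears on (RFC 3986 reference resolution)."""
    return urljoin(page_url, root_url.rstrip("/") + "/" + asset)


def is_encrypted(url):
    return urlsplit(url).scheme == "https"


def resolve_all(page_url):
    """name -> (resolved asset URL, fetched over TLS?) for each form."""
    result = {}
    for name, root_url in ROOT_URL_FORMS.items():
        url = asset_url(root_url, page_url)
        result[name] = (url, is_encrypted(url))
    return result


def served_from_install(url, install_base):
    """fredp's caveat: a root-relative root_url only works when the site
    lives at the vhost root, so check the resolved URL stays inside the
    install's base URL."""
    return url.startswith(install_base.rstrip("/") + "/")


if __name__ == "__main__":
    # Assumed admin page inside the HTTPS session from the thread's config.
    admin_page = "https://example.org/my.admin/editcontent.php"
    for name, (url, tls) in resolve_all(admin_page).items():
        print(f"{name:16} {'TLS  ' if tls else 'PLAIN'} {url}")

    # Assumed local dev install in a subdirectory, no virtual host.
    dev_page = "http://localhost/mysite/my.admin/editcontent.php"
    for root_url in ("/", "/mysite"):
        url = asset_url(root_url, dev_page)
        ok = served_from_install(url, "http://localhost/mysite")
        print(f"root_url={root_url!r:10} -> {url} ({'ok' if ok else 'wrong path'})")
```

Only the absolute http:// form stays unencrypted on the https admin page; the scheme-relative and root-relative forms inherit https from the page. The second loop shows fredp's point: with the site under /mysite/, root_url = '/' resolves outside the install, and you either give it the install path ('/mysite') or put the dev site on its own virtual host.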

Re: CMSMS 1.10 Beta3: more unencrypted data with SSL admin

Posted: Sun Oct 09, 2011 2:38 pm
by calguy1000
fixed in svn.