Chrome won't read CSS/JS from http URLs in a https page

Bug #1085007 reported by Данило Шеган
Affects: linaro-license-protection | Status: Fix Released | Importance: Critical | Assigned to: Stevan Radaković

Bug Description

Chrome doesn't want to load CSS or JS from http URLs like http://www.linaro.org/remote/css/init.css. Network tab in the inspector shows messages like:

[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://www.linaro.org/remote/css/init.css.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://www.linaro.org/remote/css/remote.css.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://www.linaro.org/remote/js/linarofamily.js.

The easiest fixes would be either to switch to accessing those using https://linaro.org/ (but that gives out a certificate for asklinaro.org) or to copy the files over (which might not be that bad after all, since if that CSS disappears, snapshots/releases will be ugly).

Alternatively, we can set up request forwarding in our app.


Changed in linaro-license-protection:
milestone: 2012.12 → 2013.01
David Zinman (dzinman)
Changed in linaro-license-protection:
assignee: nobody → Данило Шеган (danilo)
milestone: 2013.01 → 2012.02
Paul Sokolovsky (pfalcon) wrote :

+1 for just copying the files to be local to the server. Other solutions won't work for the same security-check reasons, or are more cumbersome and flaky.

Changed in linaro-license-protection:
milestone: 2012.02 → 2013.02
Paul Sokolovsky (pfalcon) wrote :

Actually, I see an even worse situation:

[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://resources/css/ext-all.css.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://www.linaro.org/remote/css/init.css.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://www.linaro.org/remote/css/remote.css.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://www.linaro.org/remote/js/linarofamily.js.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://js/jquery-1.7.2.js.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://js/jquery-ui-1.8.23.custom.min.js.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://css/jquery-ui/jquery-ui-1.8.23.custom.css.
[blocked] The page at https://snapshots.linaro.org/quantal/restricted/integrated-big.little-fastmodels/1 ran insecure content from http://css/linaro.css.

Note things like "http:///css/linaro.css" (I didn't even think that was a valid URL). In linaro-license-protection/templates/header.html we have:

href="{% if request.is_secure %}https{% else %}http{% endif %}://{{ request.get_host }}/css/linaro.css"

Apparently, that's too complicated and not going to work: SSL is served by the frontend web server, and if our app is proxied, it won't get any chance to know whether it's behind SSL.

href="/css/linaro.css"

should be well enough, and that's the first change I'd propose to do.

Paul Sokolovsky (pfalcon) wrote :

Ok, it seems that the conditional handling above was done by Stevan:

    revno: 129.2.10
    committer: Stevan Radakovic <email address hidden>
    branch nick: textile-view
    timestamp: Mon 2012-10-15 13:14:42 +0200
    message:
      Fix js and css path issues.
    - <link rel="stylesheet" type="text/css" href="resources/css/ext-all.css" />
    + <link rel="stylesheet" type="text/css" href="{% if request.is_secure %}https{% else %}http{% endif %}://{{ request.get_host }}/resources/css/ext-all.css" />
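Review bot: the `+` line ties the scheme to request.is_secure, which is false whenever TLS is terminated at the frontend proxy (as the comment above this excerpt notes), so on an https page the template emits http:// and the browser blocks the stylesheet as mixed content; with an empty get_host it even produces the malformed http:///resources/css/ext-all.css form. A root-relative `href="/resources/css/ext-all.css"` inherits the page's scheme and host and fixes the original path problem (the `-` line's `resources/css/ext-all.css` has no leading slash, so it resolved relative to the current directory) without any conditional.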

So, I'll let him comment.

Stevan Radaković (stevanr) wrote :

Yes, those lines were introduced by me when we were adding the jQuery and jQuery-UI libraries.
I will try fixing this by simply putting the path as you suggested.
One thing that concerns me, Paul, is that I cannot seem to find this 'ext-all.css' file anywhere in our code base (not even with bzr log), and it's not present on the server (production nor staging) in any familiar paths.
So I don't think it will be fixed simply by changing the path (because for that one there is an error in both Firefox and Chrome; the file simply does not exist)... Any ideas regarding this?

Changed in linaro-license-protection:
assignee: Данило Шеган (danilo) → Stevan Radaković (stevanr)
Paul Sokolovsky (pfalcon) wrote :

Indeed, ext-all.css is neither in the linaro-license-protection bzr repo nor at http://snapshots.linaro.org/resources/css/ext-all.css . So, I guess a few things should be done for this bug:

1. Remove refs to stale css files.
2. Reference other css/js with scheme/host-less absolute paths.
3. Mirror www.linaro.org's css into the linaro-license-protection bzr repo and install them locally on snapshots.linaro.org. (Preferably, write a simple script to automate updating of the mirrored files - just a couple of wget's).
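An added example (not code from the linaro-license-protection project) for steps 2 and 3 of the list above and for the "http:///css/linaro.css" case from the earlier comment: a stdlib-only Python linter that finds http:// stylesheet and script references in rendered markup, rewrites same-host or host-less ones to root-relative paths, and reports external ones that still need mirroring or proxying. SAMPLE_HTML is constructed for the example and page_host is a hypothetical parameter.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample mirroring the kinds of references Chrome blocked in this bug.
SAMPLE_HTML = """<head>
<link rel="stylesheet" type="text/css" href="http://www.linaro.org/remote/css/init.css" />
<link rel="stylesheet" type="text/css" href="http:///css/linaro.css" />
<script src="http://snapshots.linaro.org/js/jquery-1.7.2.js"></script>
<script src="https://snapshots.linaro.org/js/fine.js"></script>
<link rel="stylesheet" href="/css/already-relative.css" />
</head>"""


class _RefCollector(HTMLParser):
    """Collect the URL of every <link href> and <script src> in the markup."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):  # also reached for self-closing <link ... />
        attrs = dict(attrs)
        if tag == "link" and attrs.get("href"):
            self.urls.append(attrs["href"])
        elif tag == "script" and attrs.get("src"):
            self.urls.append(attrs["src"])


def classify_refs(html, page_host):
    """Split insecure http:// references into (local_fixable, external): same-host or
    host-less URLs (the "http:///css/linaro.css" case) can become root-relative paths;
    URLs on other hosts must be mirrored locally or proxied (hypothetical page_host)."""
    collector = _RefCollector()
    collector.feed(html)
    local, external = [], []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # https:// and scheme-less references are not mixed content
        (local if parts.netloc in ("", page_host) else external).append(url)
    return local, external


def rewrite_local(html, page_host):
    """Rewrite same-host/host-less http:// references to root-relative paths."""
    local, _ = classify_refs(html, page_host)
    for url in local:
        path = urlsplit(url).path
        html = html.replace('"%s"' % url, '"%s"' % path)  # quoted: whole attribute values only
    return html
```

Anything left in the external list after rewriting is what the mirroring script from step 3 has to fetch.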

Данило Шеган (danilo) wrote :

Note that this will soon apply to releases.linaro.org as well. As for CSS, we can also provide a proxy request that will read the file directly from linaro.org (with good ETag and cache headers, it should not cause any problems performance-wise).

Данило Шеган (danilo) wrote :

Once this bug is fixed, please comment on https://rt.linaro.org/Ticket/Display.html?id=800 to enable https redirect on releases.linaro.org.

Changed in linaro-license-protection:
status: Triaged → Fix Committed
Changed in linaro-license-protection:
status: Fix Committed → Fix Released