We're not doing SSL-everywhere afaict; so seems that we would want to keep the HTTP option when in HTTP.
Would love to see Infra providing a 'how many hardcoded http/https' report for each subdomain :)

Hen

On Fri, Jan 13, 2017 at 5:18 PM, Christopher <ctubb...@apache.org> wrote:

> In most cases, the project developers should just make sure their
> JavaScript and CSS resources in their page point to an HTTPS version. They
> don't actually need to point to the HTTP location.
>
> On Fri, Jan 13, 2017, 20:06 Martin Gainty <mgai...@hotmail.com> wrote:
>
> > ________________________________
> > From: Christopher <ctubb...@apache.org>
> > Sent: Friday, January 13, 2017 1:17 PM
> > To: general@incubator.apache.org
> > Subject: Re: HTTPS project sites
> >
> > No, I did not. This issue has nothing to do with same origin policy (which
> > most users should never try to disable). It's about mixed content.
> > Accessing a site via https can give a false sense of security if the site
> > itself depends on non-https content.
> >
> > In the past, many browsers would just show a mixed-content warning, which
> > most users would probably ignore. Chrome's latest behavior (and I expect
> > other browsers will follow eventually) tries to give a better indicator of
> > the degree of security a site has by not loading mixed-content by default,
> > and when the mixed-content is loaded, the page is explicitly marked "Not
> > Secure".
> >
> > The end result is that project websites may not be presented to their users
> > in the way the developers intended.
> >
> > MG> http://stackoverflow.com/questions/18327314/how-to-allow-http-content-within-an-iframe-on-a-https-site
> >
> > MG>he mentions various strategies..twiddling http headers to https,
> > screen-scraping mixed-content to aggregate on secure site and proxies
> > MG> as far as proxies he mentions ngrok<https://ngrok.com/usage> and
> > mitmproxy<http://mitmproxy.org/>..my personal preference is Squid
> >
> > MG>HTH
> > MG>Martin-
> >
> > On Fri, Jan 13, 2017 at 12:54 PM Martin Gainty <mgai...@hotmail.com>
> > wrote:
> >
> > > Hi Christopher
> > >
> > > did you try disabling default x-domain block for XHR request originating
> > > from Chrome?
> > >
> > > https://joshuamcginnis.com/2011/02/28/how-to-disable-same-origin-policy-in-chrome/
> > >
> > > ?
> > >
> > > Martin
> > > ______________________________________________
> > >
> > > ________________________________
> > > From: Christopher <ctubb...@apache.org>
> > > Sent: Friday, January 13, 2017 12:34 PM
> > > To: general@incubator.apache.org
> > > Subject: HTTPS project sites
> > >
> > > Hi incubating projects,
> > >
> > > I noticed today that at least one incubating web site won't load properly
> > > in the latest version of Chrome with the default settings using HTTPS
> > > (https://htrace.incubator.apache.org/).
> > >
> > > This appears to be caused by Chrome being a bit aggressive about not
> > > loading scripts from HTTP sources when the page itself is loaded with
> > > HTTPS.
> > >
> > > Projects may wish to check their sites to ensure that their javascript/css
> > > resources are loading correctly when using HTTPS.
> > >
> > > --
> > > Christopher
> >
> > --
> > Christopher
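
A per-page count of hardcoded `http://` subresources, the kind of check the thread asks projects to make, as an added example that is not part of the original messages or of any Apache Infra tooling. It separates "active" loads (scripts, stylesheets, frames) from "passive" ones (images, media) and ignores plain links; the sample pages and host names are constructed.

```python
from collections import Counter
from html.parser import HTMLParser

# tag -> (URL attribute, mixed-content class on an HTTPS page).
# "active" loads (scripts, stylesheets, frames) are what Chrome refuses to load.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"), "link": ("href", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # <a href="http://..."> is navigation, not a subresource
        attr, kind = SUBRESOURCES[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel=canonical etc. name a URL without fetching it
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))

def scan(html):
    """Return the list of hardcoded http:// subresources in one page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def report(pages):
    """Map page name -> Counter of 'active'/'passive' http:// loads."""
    return {name: Counter(k for k, _, _ in scan(html)) for name, html in pages.items()}

# Constructed sample pages (hypothetical hosts, not from any real project site).
SAMPLE_PAGES = {
    "index.html": """<head>
      <link rel="stylesheet" href="http://cdn.example.org/site.css">
      <link rel="canonical" href="http://project.example.org/">
      <script src="HTTP://cdn.example.org/jquery.js"></script>
      <script src="//cdn.example.org/ok.js"></script>
    </head><body><img src="http://img.example.org/logo.png">
      <a href="http://example.org/">home</a></body>""",
    "docs.html": '<script src="https://cdn.example.org/app.js"></script>',
}

if __name__ == "__main__":
    print(report(SAMPLE_PAGES))
```

Protocol-relative (`//host/...`) and `https://` URLs are not counted, since they follow the scheme of the page or are already secure.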