#6668 Login overlay iframe may not work if on http page
closed
General
2015-08-20
2013-09-18
No
If you're on an http page, and the login overlay is used, and the fragment URL is on https and specifies the X-Frame-Options: SAMEORIGIN header, then it will not load.
I think we should make the scheme of the login overlay page match that of the iframe fragment URL.
allura:cj/6668configtree:cj/6668I don't like that we'll have to add to the
force_ssl.patternregex every time we add alogin_overlaypage. And for something like [#6514] where the URLs are dynamic, it wouldn't even work.It'd be so much better if its possible to have
login_overlaytrigger the redirect to https. I guess the problem is that we still need a way for the middleware to allow the https request and not redirect back to http.Related
Tickets:
#6514I completely agree. However, the SSL redirect happens well before we have any idea whether the page will use login_overlay. The only real alternative that I can see is doing away with the force-to-http behavior in Allura entirely (the PSP would still presumably force to http as normal).
I did consider trying to have the login_overlay indicate to the middleware that it needs to be https, but the only two ways I could come up with for doing that (setting a cookie or adding a query param) seemed pretty ugly to me, and if it fails for whatever reason, the user will end up in a redirect loop.
Version to always use https is in:
allura:cj/6668bI am thinking we should have both the force_ssl_pattern pattern and "always https" (although controlled by a config option). This will give flexibility to the server admins to configure it to their needs and desires.