#6668 Login overlay iframe may not work if on http page

v1.0.1
closed
General
2015-08-20
2013-09-18
No

If you're on an http page, and the login overlay is used, and the fragment URL is on https and specifies the X-Frame-Options: SAMEORIGIN header, then it will not load.

I think we should make the scheme of the login overlay page match that of the iframe fragment URL.

Discussion

  • Cory Johns

    Cory Johns - 2013-09-19
    • status: open --> in-progress
    • assigned_to: Cory Johns
     
  • Cory Johns

    Cory Johns - 2013-09-19
    • status: in-progress --> code-review
    • Size: --> 2
     
  • Cory Johns

    Cory Johns - 2013-09-19

    allura:cj/6668
    configtree:cj/6668

     
  • Dave Brondsema

    Dave Brondsema - 2013-09-20

    I don't like that we'll have to add to the force_ssl.pattern regex every time we add a login_overlay page. And for something like [#6514] where the URLs are dynamic, it wouldn't even work.

    It'd be so much better if its possible to have login_overlay trigger the redirect to https. I guess the problem is that we still need a way for the middleware to allow the https request and not redirect back to http.

     

    Related

    Tickets: #6514

  • Cory Johns

    Cory Johns - 2013-09-20

    I completely agree. However, the SSL redirect happens well before we have any idea whether the page will use login_overlay. The only real alternative that I can see is doing away with the force-to-http behavior in Allura entirely (the PSP would still presumably force to http as normal).

    I did consider trying to have the login_overlay indicate to the middleware that it needs to be https, but the only two ways I could come up with for doing that (setting a cookie or adding a query param) seemed pretty ugly to me, and if it fails for whatever reason, the user will end up in a redirect loop.

     
  • Cory Johns

    Cory Johns - 2013-09-20

    Version to always use https is in:
    allura:cj/6668b

     
  • Dave Brondsema

    Dave Brondsema - 2013-09-20
    • Milestone: forge-sep-20 --> forge-oct-04
     
  • Dave Brondsema

    Dave Brondsema - 2013-09-24

    I am thinking we should have both the force_ssl_pattern pattern and "always https" (although controlled by a config option). This will give flexibility to the server admins to configure it to their needs and desires.

     
  • Dave Brondsema

    Dave Brondsema - 2013-10-03
    • status: code-review --> closed
    • QA: Dave Brondsema
     

Log in to post a comment.