#6668 Login overlay iframe may not work if on http page


If you're on an http page, and the login overlay is used, and the fragment URL is on https and specifies the X-Frame-Options: SAMEORIGIN header, then it will not load.

I think we should make the scheme of the login overlay page match that of the iframe fragment URL.


  • Cory Johns - 2013-09-19
    • status: open --> in-progress
    • assigned_to: Cory Johns
  • Cory Johns - 2013-09-19
    • status: in-progress --> code-review
    • Size: --> 2
  • Cory Johns - 2013-09-19


  • Dave Brondsema

    Dave Brondsema - 2013-09-20

    I don't like that we'll have to add to the force_ssl.pattern regex every time we add a login_overlay page. And for something like [#6514] where the URLs are dynamic, it wouldn't even work.

    It'd be so much better if its possible to have login_overlay trigger the redirect to https. I guess the problem is that we still need a way for the middleware to allow the https request and not redirect back to http.



    Tickets: #6514

  • Cory Johns - 2013-09-20

    I completely agree. However, the SSL redirect happens well before we have any idea whether the page will use login_overlay. The only real alternative that I can see is doing away with the force-to-http behavior in Allura entirely (the PSP would still presumably force to http as normal).

    I did consider trying to have the login_overlay indicate to the middleware that it needs to be https, but the only two ways I could come up with for doing that (setting a cookie or adding a query param) seemed pretty ugly to me, and if it fails for whatever reason, the user will end up in a redirect loop.

  • Cory Johns - 2013-09-20

    Version to always use https is in:

  • Dave Brondsema

    Dave Brondsema - 2013-09-20
    • Milestone: forge-sep-20 --> forge-oct-04
  • Dave Brondsema

    Dave Brondsema - 2013-09-24

    I am thinking we should have both the force_ssl_pattern pattern and "always https" (although controlled by a config option). This will give flexibility to the server admins to configure it to their needs and desires.

  • Dave Brondsema

    Dave Brondsema - 2013-10-03
    • status: code-review --> closed
    • QA: Dave Brondsema

Log in to post a comment.