Moodle MDL-46269: Convert http embedded content to https on https sites where available

    Details

    • Testing Instructions:
      1. Administration > Site administration > Plugins > Manage Filters. Turn "Convert embedded content to match current HTTP security" to 'on'
      2. Change the site's wwwroot in config.php to https:
      3. Create a new course
      4. Include an image from an external site in its description. Ensure that the site supports both http and https. Ensure that the URL typed in is http.
      5. View the course list
      6. Check that the image is displayed
      7. Check that the https address is loaded. (Use open image in new tab or similar)
    • Affected Branches:
      MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-46269-master
    • Story Points (Obsolete):
      100

      Description

      This could be a once-off thing (e.g. when someone changes from http to https and back) or a constant thing (whenever they add a link).

      Note that an Apache server can be configured to choose http or https automatically, and other servers may have similar functionality.

      The protocol-relative URL option can be considered as well. "//www.example.com" will link to https://www.example.com if you are on https://moodle.org, or to http://www.example.com if you are on http://moodle.org.

      Finally, a filter could be made.

              Activity

              johno John Okely added a comment -

              Blocking MDL-42834. The sooner this work is completed the better. The work for MDL-42834 covers a lot of code and as such will start to gain more and more conflicts as time goes by.

              johno John Okely added a comment -

              Moved to the top of the backlog so it can be scaled and prioritised.

              johno John Okely added a comment - edited

              http://docs.moodle.org/27/en/Filters
              http://docs.moodle.org/27/en/Convert_URLs_into_links_filter

              johno John Okely added a comment -

              See db_replace in lib/adminlib.php for an example of how to search and/or replace in the database

              johno John Okely added a comment -

              Discussion regarding this issue: https://moodle.org/mod/forum/discuss.php?d=265155

              moodle.com moodle.com added a comment -

              Removing this from the sprint so we can focus on Gradebook work.

              johno John Okely added a comment -

              https://code.google.com/p/phpquery/

              johno John Okely added a comment -

              Added patch. Not ready for deployment. Unit tests need to be expanded and code modified to account for more external content and more edge cases.

              cibot CiBoT added a comment -

              Fails against automated checks.

              Checked MDL-46269 using repository: git://github.com/xow/moodle.git

              • master (branch: MDL-46269-master | CI Job): Coding style problems found

              poltawski Dan Poltawski added a comment -

              https://www.w3.org/TR/upgrade-insecure-requests/
              http://caniuse.com/#feat=upgradeinsecurerequests

              kstokking Kris Stokking added a comment -

              Blackboard is working on a variant of the search and replace tool that will grab all domains found in embedded links and then test their SSL support using curl. We give the admin a sense of A) the amount of domains in use that are NOT configured for SSL and B) the amount of associated content using those domains. If they wish, the site administrator can then automatically replace all of the HTTP links with the HTTPS equivalent.

              We think this will be a better approach than introducing a filter, as:

              1. This gives them some sense of the safety of transitioning to sitewide SSL before they do so.
              2. We questioned the feasibility of using a filter in a production environment. We don't want admins switching back to HTTP. We don't want the use of insecure content.
              3. It's one less required filter (slight performance gain).

              We plan to open source this plugin once it's ready, and we could expedite that if other developers were interested in contributing.
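
A sketch of the audit-then-replace approach described in the comment above, added here as an illustration; it is not the Blackboard plugin or Moodle code. The names `audit`, `upgrade`, `tls_probe` and the sample content are assumptions, and the TLS probe uses Python's `ssl` module where the comment mentions curl.

```python
import re, socket, ssl
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a subresource.
EMBED_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"), ("audio", "src"),
               ("video", "src"), ("source", "src"), ("embed", "src"), ("object", "data")}
SAMPLE = {  # constructed sample content (item id -> HTML), not real Moodle data
    "course:1": '<p><img src="http://cdn.example.test/a.png"></p>',
    "course:2": '<iframe src="http://legacy.example.test/v"></iframe>'
                '<img src="http://cdn.example.test/b.png"><a href="http://other.example.test/">x</a>',
}

class _EmbedFinder(HTMLParser):
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in EMBED_ATTRS and value and value.lower().startswith("http://"):
                self.urls.append(value)

def embedded_http_urls(html):
    finder = _EmbedFinder()
    finder.urls = []
    finder.feed(html)
    return finder.urls

def tls_probe(host, timeout=5):  # live check: certificate-verified TLS handshake on port 443
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # refused, timed out, DNS failure, or certificate/TLS error
        return False

def audit(contents, supports_https=tls_probe):
    """Return (content items per host, hosts that failed the HTTPS probe)."""
    per_host = Counter()
    for html in contents.values():
        per_host.update({h for u in embedded_http_urls(html) if (h := urlsplit(u).hostname)})
    return per_host, {h for h in per_host if not supports_https(h)}

def upgrade(html, https_hosts):
    """Rewrite http:// to https:// only for embedded URLs whose host passed the probe."""
    for url in set(embedded_http_urls(html)):
        if urlsplit(url).hostname in https_hosts:
            pattern = re.escape(url) + r'''(?=["'\s>])'''  # match the whole attribute value only
            html = re.sub(pattern, lambda m: "https://" + url[7:], html)
    return html
```

Passing a stub for `supports_https` keeps the audit offline; hosts that fail the probe are left untouched by `upgrade`, so their content stays visible as outstanding work rather than silently breaking.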

              brendanheywood Brendan Heywood added a comment -

              +10 I was thinking of writing something just like this myself

              johno John Okely added a comment -

              Thanks for commenting that Kris Stokking and excellent points. It will be great to have the tool shared publicly as it will aid us in getting loginhttps deprecated (MDL-42834)

              poltawski Dan Poltawski added a comment -

              Note that, as well as Content-Security-Policy: upgrade-insecure-requests (which I would definitely enable as a stopgap, even if it isn't supported by every browser yet), there is the interesting Content-Security-Policy-Report-Only, which could potentially be used by admins to find problem areas:
              https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content?hl=en#handle-mixed-content-at-scale
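
How the Report-Only reports mentioned in the comment above could be turned into a list of problem pages, as an added example that is not part of the comment or of Moodle. The endpoint path `/csp-report.php`, the function names and the sample reports are assumptions; the `csp-report`, `document-uri` and `blocked-uri` keys are the standard report fields.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Report-only policy in the style of the linked article: nothing is blocked, every
# non-HTTPS load is reported. "/csp-report.php" is a hypothetical collector endpoint.
REPORT_ONLY_HEADER = ("Content-Security-Policy-Report-Only: "
                      "default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri /csp-report.php")

def _report(page, blocked):
    """Build one constructed report body; real reports carry more fields."""
    return json.dumps({"csp-report": {"document-uri": page, "blocked-uri": blocked}})

SAMPLE_REPORTS = [  # constructed, not captured traffic
    _report("https://moodle.example.test/course/view.php?id=2", "http://cdn.example.test"),
    _report("https://moodle.example.test/course/view.php?id=2", "http://legacy.example.test"),
    _report("https://moodle.example.test/mod/page/view.php?id=9", "http://cdn.example.test"),
    _report("https://moodle.example.test/my/", "inline"),  # not a mixed-content report
    "not json at all",                                      # endpoint input is untrusted
]

def mixed_content_by_page(report_bodies):
    """Map each reporting page to the set of http:// resources it tried to load.

    Browsers may report only the origin of a cross-origin resource, not its full URL.
    """
    pages = defaultdict(set)
    for body in report_bodies:
        try:
            report = json.loads(body)["csp-report"]
            page, blocked = str(report["document-uri"]), str(report["blocked-uri"])
            is_http = urlsplit(blocked).scheme == "http"
        except (ValueError, KeyError, TypeError):
            continue  # malformed or unrelated POST body
        if is_http:
            pages[page].add(blocked)
    return dict(pages)

def worst_origins(pages):
    """Rank reported resources by how many distinct pages reference them."""
    counts = defaultdict(int)
    for blocked in pages.values():
        for origin in blocked:
            counts[origin] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```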

              kstokking Kris Stokking added a comment -

              Good tip Dan Poltawski! That could be useful for large sites who aren't sure where the mixed content uses reside.

              Brendan Heywood and John Okely - Great to hear. We have the script going through internal QA cycles right now. I'm on vacation this week, but when I return I'll discuss an early release of the plugin to our Github account with David Scotson.


                People

                • Votes: 9
                • Watchers: 18
