Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

// urls shouldn't get changed to http #16

Open
xet7 opened this issue Mar 8, 2018 · 5 comments
Open

// urls shouldn't get changed to http #16

xet7 opened this issue Mar 8, 2018 · 5 comments

Comments

@xet7
Copy link
Member

xet7 commented Mar 8, 2018

From @mrdomino on March 1, 2016 17:41

I wrote a post with a script src="//some/url" in it (specifically, an embedded tweet). In the published site, that became an http link. Since I'm static-publishing over https, that means it didn't resolve.

Can't set up a wordpress instance to try to get a more complete report unfortunately, but hopefully that's a good start.

Acceptable alternatives would be to just point to https, or to preseve the //.

Copied from original issue: dwrensha/wordpress-sandstorm#22

@xet7
Copy link
Member Author

xet7 commented Mar 8, 2018

From @JamborJan on November 28, 2016 15:0

What is missing here is a force https feature or something like this. I have the same issue for external content and I'm not sure how to solve it. When I use plugins or themes whcih use e.g. Google Fonts I get:

[Warning] [blocked] The page at https://randomxyz.nameo.sandcats.io was not allowed to run insecure content from http://fonts.googleapis.com/css?family=PT+Sans+Narrow:400,700&subset=latin,latin-ext,cyrillic. (randomxyz.name.sandcats.io, line 51)

I guess Wordpress doesn't detect the fact that the page is https because Sandstorm works like reverse proxy here and inside the grain there is only an http connection from Sandstorm to the in-grain nginx server (or whatever you use inside the grain).

The sad story is: I didn't find a solution so far and the sandstorm guys seem to be pretty busy with other stuff as this repo and the issues inside are not updated since months.

@xet7
Copy link
Member Author

xet7 commented Mar 8, 2018

From @ocdtrekkie on November 28, 2016 15:6

@JamborJan It's worth noting that when Sandstorm sandboxing is more complete, external content like Google Fonts is likely not going to work at all without some sort of permission grant by Sandstorm.

@xet7
Copy link
Member Author

xet7 commented Mar 8, 2018

From @JamborJan on November 28, 2016 15:27

There is a rather philosophical problem with that. Technical wise this might all be true, awesome and secure. But these things bring problems for a sane usage of the Sandstorm WorPress port. There will pretty often be issues with:

  • people want to use themes and plugins which use external resources. It should be possible for the user to allow external content for a grain (different topic, not here)
  • insecure mixed content is more and more not allowed at all (the core of this issue) the way how the grain is setup prevents WordPress from detecting https. This should be fixed.
  • its not possible to create a https page with a customised name without being an reverse proxy expert (not this issue here, see: setup https page with wordpress on sandstorm dwrensha/wordpress-sandstorm#25)

So yes, you could stick to the explanation you gave but this will cause that users will not use wordpress on sandstorm and the goal of sandstorm of providing easy to install apps fur none-tech users which work out of the box is gone.

@xet7
Copy link
Member Author

xet7 commented Mar 8, 2018

From @ocdtrekkie on November 28, 2016 15:31

All I'm indicating is that the problem needs to be more holistically addressed. I don't know if it's possible for Sandstorm to maybe detect external resources and replace them when it's common ones like jQuery or Google Fonts, or if there needs to be some flavor of Sandstorm driver for external content or something.

@xet7
Copy link
Member Author

xet7 commented Mar 8, 2018

From @JamborJan on January 16, 2017 6:57

I was able to always get an https prefix when I add this to the top of my template in the header.php:

<?php
/* SSL Proxy */
$_SERVER['HTTPS']='on';
?>

Unfortunately causes this the following Wordpress on Sandstorm bug for every single link: dwrensha/wordpress-sandstorm#15

So for now this is no work around but maybe soon.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant