Remote files in design parse file give HTTPS security warning


(Tom Chadwin) #1

I've inherited a design whose parse file brings in some remote content - from googleapis.com and googlecode.com. The design will be used in both HTTP and HTTPS. Viewing the design in an HTTPS page obviously therefore throws a security warning.

Would people recommend hard-coding the parse file always to request the HTTPS address for these remote files? Or is there a better way of doing this?


(Aleks Bochniak) #2

You should change the implementation of googleapi/googlecode so that it's auto switching between http/https.

or

host the files yourself


(Tom Chadwin) #3

A show_if design area has done the trick:

<MySource_AREA id_name="httpScripts" design_area="show_if">
  <MySource_SET name="condition" value="server_variable" />
  <MySource_SET name="condition_server_variable" value="HTTPS" />
  <MySource_SET name="condition_server_variable_match" value="on" />
  <MySource_THEN>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" type="text/javascript"></script>
    <!--[if IE]><script src="https://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
  </MySource_THEN>
  <MySource_ELSE>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" type="text/javascript"></script>
    <!--[if IE]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
  </MySource_ELSE>
</MySource_AREA>

(Tom Chadwin) #4

Though be aware that testing for a value of "on" for $_SERVER['HTTPS'] is server-specific. If you want to do something similar, just output %globals_server_https% and call your page under both HTTP and HTTPS to see what values are returned.


(Benjamin Pearson) #5

Tried just using //ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js ? The double slash is a common shortcut to indicate the current protocol the page is on now.

Source: https://stackoverflow.com/questions/9646407/two-forward-slashes-in-a-url-src-href-attribute
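
The protocol-relative behaviour described in the post above, as an added example that is not part of the original thread: it resolves each script/link reference against the page URL the way a browser does and flags the ones that would load over plain HTTP into an HTTPS page. The function names, the www.example.com page URLs, /js/site.js and the sample markup are assumptions constructed for illustration from the URLs quoted in the thread.

```javascript
// Added example (not from the thread): audit a page's script/stylesheet
// references for mixed content. All names here are hypothetical.

// Pull src/href values out of <script> and <link> tags, quoted or unquoted,
// including tags wrapped in IE conditional comments.
function extractRefs(html) {
  const re = /<(script|link)\b[^>]*?\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    refs.push(m[2] ?? m[3] ?? m[4]);
  }
  return refs;
}

// Resolve each reference against the page URL. A "//host/path" reference
// inherits the page's scheme; an explicit "http://" reference does not.
function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  return extractRefs(html).map((ref) => {
    const resolved = new URL(ref, page);
    return {
      ref,
      resolved: resolved.href,
      mixed: page.protocol === "https:" && resolved.protocol === "http:",
    };
  });
}

// References that would trigger the warning on the given page.
function mixedRefs(pageUrl, html) {
  return auditPage(pageUrl, html).filter((r) => r.mixed).map((r) => r.ref);
}

// Constructed sample markup: hard-coded HTTP, protocol-relative, an
// unquoted src inside a conditional comment, and a same-site path.
const SAMPLE = `
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js"></script>
<!--[if IE]><script src= http://html5shiv.googlecode.com/svn/trunk/html5.js></script><![endif]-->
<script src="/js/site.js"></script>`;

console.log(auditPage("https://www.example.com/page", SAMPLE));
console.log(auditPage("http://www.example.com/page", SAMPLE));
```
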


(Tom Chadwin) #6

Fifteen years coding HTML, and I'd never heard of this. Thank you so much.


(Bart Banda) #7

What Ben said is your ideal solution, but just an FYI that you can also dynamically print the current protocol using a keyword modifier:

%globals_server_SERVER_PROTOCOL^contains:HTTPS:https:http%

#8

Oooo I think that’s a fix for us too!