Remote files in design parse file give HTTPS security warning

tomchadwin · March 27, 2014, 9:31am

I've inherited a design whose parse file brings in some remote content - from googleapis.com and googlecode.com. The design will be used in both HTTP and HTTPS. Viewing the design in an HTTPS page obviously therefore throws a security warning.

Would people recommend hard-coding the parse file always to request the HTTPS address for these remote files? Or is there a better way of doing this?

aleks · March 27, 2014, 9:34am

You should change the implementation of googleapi/googlecode so that it's auto switching between http/https.

or

host the files yourself

tomchadwin · March 27, 2014, 10:09am

A show_if design area has done the trick:

<MySource_AREA id_name="httpScripts" design_area="show_if">
<MySource_SET name="condition" value="server_variable"/>
<MySource_SET name="condition_server_variable" value="HTTPS" />
<MySource_SET name="condition_server_variable_match" value="on" />
  <MySource_THEN>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" type="text/javascript"></script>
<!--[if IE]><script src= https://html5shiv.googlecode.com/svn/trunk/html5.js></script><![endif]-->
  </MySource_THEN>
  <MySource_ELSE>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js" type="text/javascript"></script>
<!--[if IE]><script src= http://html5shiv.googlecode.com/svn/trunk/html5.js></script><![endif]-->
  </MySource_ELSE>
</MySource_AREA>

tomchadwin · March 27, 2014, 10:12am

Though be aware that testing for a value of "on" for $_SERVER['HTTPS'] is server-specific. If you want to do something similar, just output %globals_server_https% and call your page under both HTTP and HTTPS to see what values are returned.

Benjamin_Pearson · March 27, 2014, 10:59am

Tried just using //ajax.googleapis.com/ajax/libs/jquery/1.8.0/jquery.min.js ? The double slash is a common shortcut to indicate the current protocol the page is on now.

Source: https://stackoverflow.com/questions/9646407/two-forward-slashes-in-a-url-src-href-attribute

tomchadwin · March 27, 2014, 11:06am

Fifteen years coding HTML, and I'd never heard of this. Thank you so much.

Bart · March 31, 2014, 10:09am

What Ben said is your ideal solution, but just an FYI that you can also dynamically print the current protocol using a keyword modifier:

%globals_server_SERVER_PROTOCOL^contains:HTTPS:https:http%

fuzzi81 · April 3, 2014, 12:10am

Oooo I think that’s a fix for us too!