Opened 13 years ago

Closed 13 years ago

Last modified 12 years ago

#550 closed defect (fixed)

Mixed Content Bug in dojo/src/storage/Browser.js

Reported by: kindsol@…
Owned by: dylan
Priority: high
Milestone:
Component: Core
Version: 0.3
Keywords: Mixed Media IE
Cc: kindsol@…
Blocked By:
Blocking:

Description

Hey now. I'm a fairly green newbie here and I am getting a "This page contains both secure and nonsecure items" security warning from my webapp in IE.

I am using the latest "kitchen sink" toolkit release 0.2.2. If I remove the inclusion of dojo.js the problem goes away. I found a similar issue about this (http://dojotoolkit.org/pipermail/dojo-checkins/2006-February/004104.html) but by making the suggested change in dojo.js, my problem did not go away.

It looks like the culprit is at line 79 in dojo/src/storage/browser.js which links to a macromedia shockwave site.

This line:

storeParts.push(' codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"');

will cause a Mixed-Content error in IE if you are running on a secure server (https). By modifying the line to:

storeParts.push(' codebase="https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"');

...the problem goes away.

Just by including dojo.js (0.2.2 Kitchen Sink version) in a bare-bones HTML file and placing it on a secure server, you should see the error reproduced in IE.

-Sol

Change History (15)

comment:1 Changed 13 years ago by ktiedt@…

A possible fix... I emailed this to the interest list, but since there is a ticket I'll post it here as well. I don't see why you couldn't fix this problem by checking window.location.href:

writeStorage: function(){
    var swfloc = dojo.uri.dojoUri("src/storage/Storage.swf").toString();
    alert(swfloc); // debug output left in the posted patch
    var storeParts = [
        '<div id="dojo-storeContainer"',
        'style="position: absolute; left: -300px; top: -300px;">'
    ];
    var urlPrefix;
    // if position 4 is ":" the page is http; if it is not, it's not http, so assume https
    if(window.location.href.substr(4,1) == ":"){
        urlPrefix = "http://";
    }else{
        urlPrefix = "https://";
    }
    if(dojo.render.html.ie){
        storeParts.push('<object');
        storeParts.push(' style="border: 1px solid black;"');
        storeParts.push(' classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"');
        // scheme now follows the parent page instead of a hard-coded http://
        storeParts.push(' codebase="'+urlPrefix+'download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"');
        storeParts.push(' width="215" height="138" id="dojoStorage">');
        storeParts.push(' <param name="movie" value="'+swfloc+'">');
        storeParts.push(' <param name="quality" value="high">');
        storeParts.push('</object>');
    }else{
        storeParts.push('<embed src="'+swfloc+'" width="215" height="138" ');
        storeParts.push(' quality="high" ');
        storeParts.push(' pluginspage="'+urlPrefix+'www.macromedia.com/go/getflashplayer" ');
        storeParts.push(' type="application/x-shockwave-flash" ');
        storeParts.push(' name="dojoStorage">');
        storeParts.push('</embed>');
    }
    storeParts.push('</div>');
    document.write(storeParts.join(""));
}

});

comment:2 Changed 13 years ago by kindsol@…

Suggestion from Sam Foster:

Why not be explicit about what you are matching for:

var protocol = "http";
var regexp = new RegExp("https:", "i");
if( regexp.test(window.location.href) ) {
    protocol = "https";
}

That's some pretty good hunting though Sol, glad you got to the bottom of it.

Sam

comment:3 Changed 13 years ago by anonymous

Priority: changed from highest to normal

comment:4 Changed 13 years ago by anonymous

Owner: changed from anonymous to Dustin Machi

comment:5 Changed 13 years ago by Brad Neuberg

We should see if this still happens with the latest storage refactoring; it looks like the fix is to use the same scheme when loading the SWF files as the parent page has (i.e. use http or https or even file:// if the parent page is using this). I'll try to hit this before the 0.3 release.
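The scheme-matching approach discussed in comment:1, comment:2 and comment:5, as an added example that is not part of the ticket or of Dojo's own code: it derives the scheme from the parent page's URL, flags a plain-http resource on an https page before it is written into the document, and keeps the "https:" regex from comment:2 alongside to show where it misreads a URL. Function names and sample URLs are constructed for this example, and the page URL is passed in rather than read from window.location so the code runs offline.

```javascript
// Added example, not from the ticket or from Dojo. Function names and sample
// URLs are constructed here; pageHref stands in for window.location.href.

// Scheme of an absolute URL ("http", "https", "file", ...), or null when the
// string is not an absolute URL (e.g. a relative path such as the SWF's).
function schemeOf(href) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  return m ? m[1].toLowerCase() : null;
}

// The "https:" test suggested in comment:2, kept to show its weak spot: it
// matches anywhere in the string, not only in the scheme position.
function regexLooksSecure(href) {
  return new RegExp("https:", "i").test(href);
}

// True when a secure (https) page would embed a plain http resource, which
// is what triggers IE's "secure and nonsecure items" warning.
function isMixedContent(pageHref, resourceUrl) {
  return schemeOf(pageHref) === "https" && schemeOf(resourceUrl) === "http";
}

// Rewrite an absolute http resource URL to https when the parent page is
// https; http and file:// pages leave the resource URL unchanged.
function matchPageScheme(pageHref, resourceUrl) {
  if (!isMixedContent(pageHref, resourceUrl)) return resourceUrl;
  return "https:" + resourceUrl.slice("http:".length);
}

// The Flash codebase value the ticket's patch assembles, with the scheme
// taken from the parent page instead of a hard-coded "http://".
const FLASH_CAB =
  "download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0";
function flashCodebase(pageHref) {
  return matchPageScheme(pageHref, "http://" + FLASH_CAB);
}
```

On an http page whose query string happens to carry "https:", regexLooksSecure returns true while schemeOf still reports "http", so the scheme-position check is the one to rely on.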

comment:6 Changed 13 years ago by sjmiles

Milestone: changed from 0.3release to 0.3.1

Brad didn't make it for 0.3 ... moving to 0.3.1

comment:7 Changed 13 years ago by alex

Owner: changed from Dustin Machi to Brad Neuberg

comment:8 Changed 13 years ago by anonymous

Version: changed from 0.2 to 0.4

I don't have a testing environment setup with a secure server to fix this bug and make sure it's fixed; does someone have such an environment? I also don't have the bandwidth right now to hit it; pushing to 0.4.

comment:9 Changed 13 years ago by anonymous

Milestone: changed from 0.3.1 to 0.4
Version: changed from 0.4 to 0.3

comment:10 Changed 13 years ago by dylan

Owner: changed from Brad Neuberg to dylan
Status: changed from new to assigned

comment:11 Changed 13 years ago by dylan

Severity: changed from normal to blocker

comment:12 Changed 13 years ago by dylan

Resolution: fixed
Status: changed from assigned to closed

(In [6221]) fixes #550, dojo.flash not working in an https environment

comment:13 Changed 13 years ago by dylan

(In [6224]) references #550, dojo.flash not working in an https environment... a better version of this patch

comment:14 Changed 13 years ago by dylan

(In [6225]) references #550, forgot the colon

comment:15 Changed 12 years ago by (none)

Milestone: 0.4

Milestone 0.4 deleted
