SECURITY VULNERABILITY - Logins
Jared Scheel
Remi - 8tracks
Unfortunately this is a case where user experience and security are
colliding.
The issue is that the page is loaded with http, and on the website we
open up a lightbox for login, the login form is then submitted through
XMLHttpRequest and I'm pretty sure that we cannot submit the form in
HTTPS if the page was loaded through HTTP.
Now, I'm not the first person to deal with this and I found a good
thread about it here:
http://stackoverflow.com/questions/1105934/ajax-http-https-problem
Anyone knows the best way forward?
Remi
--
Rémi Gabillet
8tracks CTO & co-founder
Daniel Drozdzewski
There are few things you guys could look into:
1) why can't you point the lightbox to call the login through https.
I.e. pass to your lightbox https://8tracks.com/login instead of
http://8tracks.com/login.
This way the form submission using https:// would happen from a page
loaded via https:// (this is my thinking anyway). It will not make
the user happy anyway, as they will see http:// (no padlock) in the
address box of their browser.
2) try forcing nginx to rewrite all http requests to 8tracks.com/login
to use https://
Have a look here:
http://www.ruby-forum.com/topic/179377
3) In case you get HTTP 411 (Length required) response from your
server to your ajax call, simply add empty data (Length:0) to your
https:// post request:
$.ajax({
url: url,
type: 'POST',
data: {}, // <- set empty data
success: function(data, textStatus) {
// do something
}
});
hope some of this helps.
make sure that http://8tracks.com and https://8tracks.com resolve to the same
You should be able to submit forms or ajax calls through https no problem.
--
Daniel Drozdzewski
Daniel Drozdzewski
disappear in the editing process. process fail!
On 11 February 2012 23:06, Daniel Drozdzewski
--
Daniel Drozdzewski
Jared Scheel
Remi - 8tracks
I've been working on this actually and we're going the CORS
(http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing) way since
it's the easier for us to integrate. The only downside is that it
won't work on Opera so Opera users (all 0.6% of 8tracks users lol)
wont get https login unless they load the full login page.
I'll let you know when it's up.
Remi
--
Ray Slakinski
----
Ray Slakinski
Jared Scheel
On Tuesday, February 28, 2012 5:27:22 PM UTC-6, Remi Gabillet wrote:
Sorry for the late reply.I've been working on this actually and we're going the CORS
(http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing) way since
it's the easier for us to integrate. The only downside is that it
won't work on Opera so Opera users (all 0.6% of 8tracks users lol)
wont get https login unless they load the full login page.I'll let you know when it's up.
Remi
Jared Scheel
Remi - 8tracks
secure login working last week but I was waiting to see how well it
works.
I just checked out your screencast, thanks for taking the time to put
it together. I actually thought of doing it the iframe way (we do this
in other places) but I really wanted to get Cross-Origin XHR requests
working. They worked okay but not that consistently across browsers so
I ended up going with JSONP since we had the API in place already.
As I went along, I did worry exactly about this question of url
encryption on https requests and found this on stack overflow:
http://stackoverflow.com/questions/499591/are-https-urls-encrypted
So I think we're good right? What's your take?
Remi
PS: Oh and I signed up for populr.me, it looks real nice.
Jared Scheel
in that answer are important too, like the server logs caching the
request (which is, I'm sure, solvable). Thanks for clarifying this for
me. BTW, thanks for signing up. We are planning on sending out beta
invitations in October. In the meantime, here's a quick pop I made a
little while ago that embeds an 8tracks player. It's pretty sparse
(just some text, and 8tracks embed, and a soundcloud embed), but the
page only took 2 minutes to make :)
http://jscheel.populr.me/the-bass-i-dropped-it?ba
-Jared