Question about public OGP web services and HTTPS

[Jack Reed]

Greetings,

I wanted to ask the community if institutions are looking at migrating current web services (WMS, WFS) from HTTP to HTTPS? At Stanford we are moving to serving all content over HTTPS. This can present some problems when hosting federated metadata applications like GeoBlacklight or OpenGeoportal as they may request HTTP content from an HTTPS site (mixed content).

For wms tiles, this is not a huge issue as images are considered mixed passive content and will render. However, they still will log a message in the console.

For an example please see: https://earthworks.stanford.edu/catalog/tufts-cambridgegrid100-04

https://drive.google.com/file/d/0BzWuWHFTTIPEdlhwYUNRTndQMGM/view?usp=sharing

This mixed content can present a problem when doing things like layer inspection and IIIF queries client side (non image queries e.g. json response). We have implemented a layer inspection proxy in GeoBlacklight but would like to better understand other institution’s future plans. At Stanford we are serving both our restricted layers and public layers over HTTPS. It would be useful to know if others are looking at serving public resources using HTTPS.

Best,

Jack Reed
Geospatial Web Engineer
pjr...@stanford.edu
@mejackreed
(650)454-7398
Digital Library Systems and Services
Stanford, CA 94305

[Barnett, Christopher S]

Hi Jack,

We don’t have a specific plan to migrate our services, but I would like to see us all move in the direction of serving content via https. These days SSL overhead is negligible and I think it’s a best practice for working on the web. 

When I last explored using https for the Open Geoportal (2-3 years ago?), Chrome was blocking ALL mixed content and IE displayed a scary looking dialog. To use https would have required proxying all external services, since no one was using https for publicly available content.

This mixed content can present a problem when doing things like layer inspection and IIIF queries client side (non image queries e.g. json response). We have implemented a layer inspection proxy in GeoBlacklight but would like to better understand other institution’s future plans. At Stanford we are serving both our restricted layers and public layers over HTTPS. It would be useful to know if others are looking at serving public resources using HTTPS.

Won’t you have to proxy those anyway, since they are cross domain?

thanks,

Chris

--
Christopher Barnett
Geospatial Analyst, Research & Geospatial Technology Services
Tufts Technology Services (TTS)
16 Dearborn Rd.
Somerville, MA 02144
http://gis.tufts.edu

[Jack Reed]

Thanks for the response Chris.

Chrome and IE > 8 seem to be ok so far for the Mixed Passive Content in our brief testing.

And yes to your questions on the cross origin requests, unless servers are allowing these. This (enabling cross domain requests) seems to be the standard in the IIIF world as there are several client side projects that take advantage of this.

Jack

> --
> You received this message because you are subscribed to the Google Groups "OpenGeoportal Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to opengeoportal-...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Chris Barnett]

> And yes to your questions on the cross origin requests, unless servers are allowing these. This (enabling cross domain requests) seems to be the standard in the IIIF world as there are several client side projects that take advantage of this.

Nice! Sounds like a good standard to have for this kind of content. May be quite a while before we can expect the same in the geospatial world.

Have you thought about how you might handle geojson (or other feature) sources? Its been on my mind as something I think we should support.

I meant to add in my last message that I’ll plan on factoring in https support when we do our next GeoServer upgrade, but it may be a few months out.

thanks,
Chris