Commit 46d9496e authored by Brion Vibber

Tickets #2112, 2333, 1677, 2362, 2831: fix AJAX form posting on SSL page views with ssl=sometimes

These have been failing for ages due to our outputting full URLs all the time, usually with the default protocol instead of the current one.
Forms would get output with an http: URL in their contents even when destined for an HTTPS page; while a regular form submission would just warn you about the secure->insecure transition, the AJAX code was failing outright and then not bothering to fall back to the regular submission.

I found it was easy to detect the mismatch -- just check the target URL and the current page's protocol before submitting.

Since failing over to non-AJAX submission to the HTTP URL throws up a warning, I figured it'd be easier (and much nicer for users) to just let it rewrite the target URL to use the secure protocol & hostname before doing the final submit.
This check is now automatically done for anything that calls SN.U.FormXHR() -- making most of our buttons on notices and profile/group headers work naturally.
The notice form setup code also runs the rewrite, which gets posting working without an error dialog.

I'd prefer in the long run to simply use relative URLs in most of our output; it avoids this problem completely and lets users simply stay in the current protocol mode instead of being constantly switched back to HTTP when clicking around.
(Note that folks using the SSLAlways extension to Firefox, for instance, will have their browsers constantly sending them back to HTTP pages, mimicking the desired user experience even though we haven't fully implemented it. These folks are likely going to be a lot happier with forms that submit correctly to go along with it!)
parent 532178e3
......@@ -241,6 +241,26 @@ var SN = { // StatusNet
* Helper function to rewrite default HTTP form action URLs to HTTPS
* so we can actually fetch them when on an SSL page in ssl=sometimes
* mode.
* It would be better to output URLs that didn't hardcode protocol
* and hostname in the first place...
* @param {String} url
* @return string
RewriteAjaxAction: function(url) {
// Quick hack: rewrite AJAX submits to HTTPS if they'd fail otherwise.
if (document.location.protocol == 'https:' && url.substr(0, 5) == 'http:') {
return url.replace(/^http:\/\/[^:\/]+/, 'https://' + document.location.host);
} else {
return url;
* Grabs form data and submits it asynchronously, with 'ajax=1'
* parameter added to the rest.
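Review bot: In RewriteAjaxAction the pattern /^http:\/\/[^:\/]+/ stops at the first ':', so an action URL with an explicit port keeps it after the replacement: http://host:8080/x becomes https://<page host>:8080/x, and if document.location.host itself includes a port the result carries two. Matching the whole authority (for example [^\/]+) would avoid that. The replacement also substitutes the current page's host for any http: URL, whatever host it originally named, so the doc comment should state that only same-site actions are expected, or the function should compare hosts before rewriting.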
......@@ -261,7 +281,7 @@ var SN = { // StatusNet
type: 'POST',
dataType: 'xml',
url: form.attr('action'),
url: SN.U.RewriteAjaxAction(form.attr('action')),
data: form.serialize() + '&ajax=1',
beforeSend: function(xhr) {
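Review bot: The rewritten URL is used only for the request's url option here; the form's own action attribute still holds the http: URL, so any later non-AJAX submission of the same form would still go to the insecure target. Consider writing the result back with form.attr('action', ...) as the notice form setup does, so both submission paths agree.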
......@@ -316,6 +336,9 @@ var SN = { // StatusNet
SN.C.I.NoticeDataGeo = {};
form.append('<input type="hidden" name="ajax" value="1"/>');
// Make sure we don't have a mixed HTTP/HTTPS submission...
form.attr('action', SN.U.RewriteAjaxAction(form.attr('action')));
* Show a response feedback bit under the new-notice dialog.
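Review bot: form.attr('action') is passed straight into RewriteAjaxAction, which calls url.substr(0, 5) without a guard; for a form with no action attribute the value is undefined and the setup code would throw. A check for a missing or empty action, either here or inside the helper, would keep the notice form initialising in that case.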