HTTPS Everywhere still breaks area51.stackexchange.com login #14452

Closed
vyznev opened this issue Jan 27, 2018 · 4 comments

@vyznev

commented Jan 27, 2018

Type: ruleset issue

Domain: area51.stackexchange.com

See https://area51.meta.stackexchange.com/questions/13597/area-51-openid-login-is-broken-with-https/27726#27726 for more details, but it looks like the Stack Exchange ruleset should still have an exclusion for http://area51.stackexchange.com/users/authenticate/, something like this:

```xml
<!-- https://area51.meta.stackexchange.com/questions/13597/area-51-openid-login-is-broken-with-https -->
<exclusion pattern="^http://area51\.stackexchange\.com/users/authenticate/" />
```

Area 51 runs a distinct and somewhat obsolescent fork of the Stack Exchange codebase, and apparently this problem (which used to be more general, see issue #58) still occurs there.

Ps. Also, while investigating this, I noticed that the ruleset syntax documentation happens to feature as an example a very similar but broader exclusion that would've caught this. However, that exclusion was apparently removed from the actual ruleset in commit 783d040.

Pps. This may have been previously reported as issue #7275, but that report was a bit lacking in details.

@Bisaloo

Collaborator

commented Jan 27, 2018

As far as I can tell, this is not an https issue but a parameters issue. We need a more complex redirect than just `rule from="^http:" to="https:"`.

Looking into this now.

@Bisaloo

Collaborator

commented Jan 27, 2018

Uh no, you are right. There are 3 requests:

| Status | Method | File | Domain |
|---|---|---|---|
| 302 | GET | /users/authenticate?openid_identifier=... | https://area51.stackexchange.com |
| 302 | GET | /openid/provider?openid.claimed_id=... | https://openid.stackexchange.com |
| 200 | GET | /users/authenticate/?s=... | http://area51.stackexchange.com |

@Bisaloo

Collaborator

commented Jan 27, 2018

Could you also report this issue in the main Stack Exchange thread please?

@vyznev

Author

commented Jan 27, 2018

That's probably not necessary, since the SE devs should be monitoring bug reports on all Meta sites. But just in case, here goes: https://meta.stackexchange.com/a/306308

@J0WI J0WI closed this in #14454 Feb 1, 2018
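
An added example, not part of the original thread and not HTTPS Everywhere's own code: a reduced JavaScript model of how a ruleset carrying the proposed exclusion treats the Area 51 login requests discussed above, following the documented behaviour in which exclusions are checked before rules. The names `applyRuleset` and `evaluateSamples` are hypothetical, the single-target ruleset is a simplification, and the query values and the `/questions` path are constructed placeholders.

```javascript
// Reduced model of HTTPS Everywhere ruleset evaluation (added example).
// Exclusions are tested first; a match means the ruleset leaves the URL alone.
// Otherwise the first rule whose "from" pattern matches rewrites the URL.
const ruleset = {
  // Reduced to one target; the real Stack Exchange ruleset covers more hosts.
  targets: ["area51.stackexchange.com"],
  // Exclusion pattern proposed in the issue.
  exclusions: [/^http:\/\/area51\.stackexchange\.com\/users\/authenticate\//],
  // Plain upgrade rule quoted in the thread.
  rules: [{ from: /^http:/, to: "https:" }],
};

function applyRuleset(rs, url) {
  const host = new URL(url).hostname;
  if (!rs.targets.includes(host)) return { url, action: "no-target" };
  if (rs.exclusions.some((re) => re.test(url))) return { url, action: "excluded" };
  for (const { from, to } of rs.rules) {
    if (from.test(url)) return { url: url.replace(from, to), action: "rewritten" };
  }
  return { url, action: "unchanged" };
}

// Constructed sample URLs; query values and the /questions path are placeholders.
const samples = [
  "http://area51.stackexchange.com/users/authenticate/?s=PLACEHOLDER",
  "http://area51.stackexchange.com/users/authenticate?openid_identifier=PLACEHOLDER",
  "http://area51.stackexchange.com/questions",
  "https://area51.stackexchange.com/users/authenticate/?s=PLACEHOLDER",
];

function evaluateSamples() {
  return samples.map((u) => applyRuleset(ruleset, u));
}

for (const r of evaluateSamples()) console.log(r.action.padEnd(10), r.url);
```

Only the trailing-slash callback stays on HTTP; every other HTTP URL on the host, including a `/users/authenticate?...` request without the trailing slash, is still upgraded.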
