dotjs loads scripts insecurely, "breaking" SSL on every site #76

Closed
Peeja opened this Issue Sep 17, 2012 · 11 comments

6 participants

Peeja commented Sep 17, 2012

For instance, on GitHub, I get the lock-with-warning-sign in the address bar. In the console, I see:

The page at https://github.com/defunkt/dotjs/issues/new displayed insecure content from http://localhost:3131/github.com.js.

And, of course, it doesn't matter if I have a github.com.js, because it still has to try to load it to find out.

I'd be surprised if this isn't a known issue, but I couldn't find an issue about it.

Contributor

smgt commented Oct 1, 2012

This error started to pop up when I updated Chrome. Guess Chrome has changed something in the security policy.

👍

Could this be fixed by changing "http://" to just "//" here? https://github.com/defunkt/dotjs/blob/master/ext/dotjs.js#L2

Peeja commented Oct 1, 2012

Can't test it right now, but that sounds right.

@smgt smgt added a commit to smgt/dotjs that referenced this issue Oct 1, 2012

@smgt smgt Fix the insecure resources warning in Chrome
as proposed by @starzonmyarmz
fixes #76
8b1a593
Contributor

smgt commented Oct 2, 2012

Ok, there seems to be a new security policy in Chrome 22. In the extension documentation it is stated that you can allow loading scripts with content_security_policy from http://localhost, but that does not work. The fix for the error will be released in Chrome 23. And // doesn't work since the dotjs webserver does not serve https. I was a little too fast when I tested it.

If the dotjs webserver doesn't serve https, maybe something like https://github.com/jugyo/tunnels could be used to proxy from https to it. I came across that gem in the context of having https for pow, but could apply here too.

Owner

defunkt commented Jan 17, 2013

Confirmed that tunnels works. Kind of annoying though.

zeke commented Jan 17, 2013

💡 piggyback on github's ssl by hacking the extension to point to https://raw.github.com/foo/bar/master/ instead of http://localhost:3131/.

Peeja commented Jan 17, 2013

@zeke You mean commit your .js/ and put it on GitHub? That would work, but it sounds like a pain.

Is there an easy way to spin up an nginx that tunnels? That would avoid the ugliness of RubyGems, and seems like a reasonable dependency.

Owner

defunkt commented Jan 17, 2013

Got this working with just WEBrick. You'll need to uninstall dotjs then install 2.0 to get the new stuff.

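The thread's resolution is to make the local dotjs endpoint speak HTTPS so that an https:// page no longer pulls a script from http://localhost:3131 (the mixed-content case Peeja reported). The block below is an added example, not dotjs's own 2.0 server code: it is a minimal WEBrick HTTPS server with a self-signed certificate that serves `~/.js/<host>.js` for a request to `/<host>.js`. The directory, port, the empty-script response for hosts without a file, and the CORS header are this example's assumptions (dotjs's real server may differ), and the browser still has to be told to trust the self-signed certificate. The request-path check is there so that a request can only ever reach a file named after a plain hostname inside the directory.

```ruby
# Added example (not dotjs's own code): an HTTPS variant of the local
# dotjs server, so an https:// page can load its per-host script without
# a mixed-content warning. Assumes WEBrick and OpenSSL are installed.
require 'openssl'
begin
  require 'webrick'
  require 'webrick/https'
  WEBRICK_AVAILABLE = true
rescue LoadError
  WEBRICK_AVAILABLE = false        # pure functions below still work without it
end

DOTJS_DIR = File.expand_path('~/.js')   # assumed location of <host>.js files
# A plain hostname: labels of letters, digits and hyphens separated by dots.
HOST_RE = /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\z/i

# Map a request path such as "/github.com.js" to a file inside +dir+.
# Returns nil for anything that is not "/<hostname>.js", so "../",
# percent-encoded separators or extra path segments can never escape +dir+.
def script_path_for(request_path, dir = DOTJS_DIR)
  m = request_path.match(%r{\A/([^/]+)\.js\z})
  return nil unless m
  host = m[1]
  return nil unless host =~ HOST_RE
  File.join(dir, "#{host}.js")
end

# Body to serve: the file if it exists, otherwise an empty script so the
# browser does not log a 404 for hosts without a script (example's choice).
def script_body_for(request_path, dir = DOTJS_DIR)
  path = script_path_for(request_path, dir)
  return nil if path.nil?
  File.file?(path) ? File.read(path) : ''
end

# Generate a self-signed certificate for +cn+ (valid one year). The browser
# must be told to trust it; returns [certificate, private key].
def self_signed_cert(cn = 'localhost')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Build (but do not start) the HTTPS server bound to loopback only.
def build_server(port = 3131, dir = DOTJS_DIR)
  cert, key = self_signed_cert
  server = WEBrick::HTTPServer.new(
    Port: port, BindAddress: '127.0.0.1',
    SSLEnable: true, SSLCertificate: cert, SSLPrivateKey: key,
    AccessLog: [], Logger: WEBrick::Log.new(File::NULL)
  )
  server.mount_proc('/') do |req, res|
    body = script_body_for(req.path, dir)
    if body.nil?
      res.status = 404
    else
      res['Content-Type'] = 'text/javascript'
      res['Access-Control-Allow-Origin'] = '*'   # assumed: extension fetches cross-origin
      res.body = body
    end
  end
  server
end

if __FILE__ == $0 && WEBRICK_AVAILABLE
  srv = build_server
  trap('INT') { srv.shutdown }
  srv.start   # then point the extension at https://localhost:3131/
end
```

Run it with `ruby dotjs_https.rb`, trust the generated certificate in the browser, and change the extension's base URL from `http://localhost:3131/` to `https://localhost:3131/`. Binding to 127.0.0.1 keeps the server off the network, and the hostname check means the only files reachable are `<host>.js` entries inside the dotjs directory.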

defunkt closed this Jan 17, 2013

Peeja commented Jan 17, 2013

Thanks! 🍻

zeke commented Jan 17, 2013

To uninstall: rake uninstall
