Migrate to https-only #354
Comments
Depends on #335
Now depends on eclipse-archived/ceylon-web-ide-backend#89
Web IDE now supports HTTPS, main website still gives the now unnecessary 403.
@lucaswerkmeister yes, isn't that issue #389?
Well yes, I consider that one to be a duplicate of this issue. (I guess it’s a bit more specific since this issue wants HTTPS-only, i. e. redirect all non-https accesses to HTTPS.) (And on that topic… even Herd, which is already HTTPS-only, doesn’t send HSTS headers. It should totally do that.)
HSTS headers? So many things I don't know
HTTP Strict Transport Security. You send a header, like
which tells the user agent (i. e., browser) to
The effect is similar to a regular redirect, but it’s more secure – once you’ve seen an HSTS header, your browser does the redirect automatically, and you can’t be MITM’ed before the secure connection is established. (HSTS does some other things as well, like disabling “add exception” if there’s an SSL error, but that’s not as relevant.) The next level is HPKP, HTTP Public Key Pinning. You put a max-age into it, plus a hash of your certificate. (The RFC conveniently gives you an
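The header handling described in the comment above, as an added example that is not part of the original thread or the Ceylon project's code: a sketch of how a user agent following RFC 6797 decides whether a `Strict-Transport-Security` response changes its stored policy. The function names and the sample header values in the comments are assumptions made for illustration.

```python
import re

# RFC 6797 section 6.1: directive = token [ "=" ( token / quoted-string ) ]
# Simplification: quoted values containing ";" or escapes are treated as invalid.
_DIRECTIVE = re.compile(
    r"""^([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s*=\s*(?:"([^"]*)"|([^\s";]+)))?$""")


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool}, or None when the
    header is invalid and a conforming user agent would ignore it."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                       # empty directives are permitted
            continue
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()          # directive names are case-insensitive
        if name in seen:                   # each directive may appear only once
            return None
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = seen.get("max-age")          # max-age is the one required directive
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}


def policy_after_response(scheme, headers, current=None):
    """Policy the browser holds for a host after one response.
    headers is a list of (name, value) pairs; current is the stored policy."""
    if scheme != "https":                  # section 8.1: ignored over plain HTTP
        return current
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return current
    parsed = parse_hsts(values[0])         # only the first header field is processed
    if parsed is None:
        return current
    if parsed["max_age"] == 0:             # max-age=0 tells the browser to forget the host
        return None
    return parsed
```

The plain-HTTP branch is why a site still needs the ordinary redirect to HTTPS: the header only takes effect once it has been received over a secure connection.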
Cool thanks :)
Btw, both issues that were identified as blockers for this issue have been closed, so I guess this can now move forward.
Done.
With HSTS and everything! Thanks, man!
I'm told that "Firefox has blocked parts of this page that are not secure".
Weird:
$ git clean -fdx && grep -rF $'disqus.com\nfonts.googleapis.com'
_ext/mydisqus.rb: dsq.src = "//#{site.disqus}.disqus.com/embed.js";
_ext/mydisqus.rb: <noscript>Please enable JavaScript to view the <a href="//disqus.com/?ref_noscript=#{site.disqus}">comments powered by Disqus.</a></noscript>
_ext/mydisqus.rb: s.src = "//disqus.com/forums/#{site.disqus}/count.js";
_layouts/base.html.haml: %link{ :href=>'//fonts.googleapis.com/css?family=Source+Sans+Pro|PT+Sans|PT+Sans:700|Inconsolata|Inconsolata:700|Arvo', :rel=>'stylesheet', :type=>'text/css' }
blog/2016-04-20-ceylon-on-mobile.md: https://fonts.googleapis.com
No
I’m not seeing those errors in the console anymore. @tombentley do you still get them? Perhaps it was caching or something
Nope, they're gone for me too now.
… proper (counted) download URLs for Ceylon Bootstrap