Insecure content from Google chart API #501

Closed
gitblit opened this Issue Aug 12, 2015 · 7 comments

gitblit commented Aug 12, 2015

Originally reported on Google Code with ID 205

What steps will reproduce the problem?
1. Use gitblit behind reverse proxy over https
2. Browse to any activity page
3. Get a warning about mixed content

What is the expected output? What do you see instead?
The page should only load secure content from "https://chart.apis.google.com". It actually
loads content from "http://chart.apis.google.com"

What version of the product are you using? On what operating system?
1.2-SNAPSHOT, ubuntu precise

Please provide any additional information below.
This Gerrit is embedded inside of Gerrit as a plugin for repository browsing, but that
shouldn't make a difference.

Reported by chorohoe@wikimedia.org on 2013-02-13 18:09:23
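The mixed-content condition reported above, as an added example that is not part of the original issue or of Gitblit's code: a Node.js check that lists the subresources an HTTPS page would fetch over plain HTTP. The function names, the `git.example.org` host and the sample HTML are constructed for illustration.

```javascript
// Added example: report subresources that an HTTPS page loads over http://.
// Links (<a href>) are navigation, not subresources, so they are ignored.
function parseTagAttrs(s) {
  const out = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    out[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).replace(/&amp;/g, '&');
  }
  return out;
}

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages can be "mixed"
  const findings = [];
  const tagRe = /<(img|script|iframe|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = parseTagAttrs(m[2]);
    if (tag === 'link' && !/\bstylesheet\b/i.test(attrs.rel || '')) continue;
    const raw = attrs[tag === 'link' ? 'href' : 'src'];
    if (!raw) continue;
    let url;
    try {
      url = new URL(raw, page); // resolves relative and //host/ URLs against the page
    } catch {
      continue; // unparsable reference, nothing to fetch
    }
    if (url.protocol === 'http:') {
      // images are passive mixed content; scripts, frames and stylesheets are active
      findings.push({ tag, url: url.href, kind: tag === 'img' ? 'passive' : 'active' });
    }
  }
  return findings;
}

// Constructed sample: one chart image hard-coded to http://, the rest safe.
const SAMPLE_PAGE_URL = 'https://git.example.org/summary/project.git';
const SAMPLE_HTML = `
<link rel="stylesheet" href="/gitblit.css">
<script src="//ajax.example.org/lib.js"></script>
<img src="http://chart.apis.google.com/chart?cht=lc&amp;chs=290x100" alt="commits">
<img src="https://chart.apis.google.com/chart?cht=p3&amp;chs=400x200" alt="tags">
<a href="http://example.org/docs">docs</a>
`;
```

Running `findMixedContent(SAMPLE_PAGE_URL, SAMPLE_HTML)` in a CI step against rendered pages flags hard-coded `http://` chart URLs before a browser does.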


gitblit Aug 12, 2015

Owner
Do you mean the Activity page pie charts or the Summary or Metric pages?

The Activity page pie charts should already be loading from https - this uses a pure
JS api wrapped by custom Gitblit code.

The Summary and Metric pages currently use the Wicket GoogleCharts extension which
is known to use http calls.  I can't control that without building that package from
source - which I do not plan to attempt.

I'll put it on the list to write new code to use the JS api on the Summary and Metric
pages, but it won't get attention for a while.

Reported by James.Moger on 2013-02-13 18:35:33


gitblit Aug 12, 2015

Owner
All, actually. Compare the following URLs:

https://gerrit.wikimedia.org/r/plugins/gitblit/summary/?r=mediawiki/extensions/CodeReview.git
https://gerrit.wikimedia.org/r/plugins/gitblit/metrics/?r=mediawiki/extensions/CodeReview.git
https://gerrit.wikimedia.org/r/plugins/gitblit/activity/

Reported by chorohoe@wikimedia.org on 2013-02-14 20:40:46


gitblit Aug 12, 2015

Owner
Huh.  Must be a browser setting to ignore that.  I don't see it on FF, Chrome, or Opera.
 I must have disabled that message somehow.

Reported by James.Moger on 2013-02-14 21:35:46


gitblit Aug 12, 2015

Owner
Actually, I was mistaken about the Activity page...fixed with using X-Forwarded-(Proto|Port).

Problem still appears for me on summary and metrics pages (eg: https://git.wikimedia.org/summary/mediawiki*extensions*Echo.git
and https://git.wikimedia.org/metrics/mediawiki*extensions*Echo.git)

Reported by chorohoe@wikimedia.org on 2013-04-29 20:07:27
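The X-Forwarded-(Proto|Port) approach mentioned in the comment above, as an added example that is not Gitblit's code: deriving the externally visible base URL behind a TLS-terminating reverse proxy, and honouring the headers only when the direct peer is a known proxy. The request shape, function names, host name and trusted-proxy list are assumptions.

```javascript
// Added example: compute the URL scheme/port the browser actually used.
// Assumption: the reverse proxy connects from one of these addresses.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '::1']);

// Take the first value of a possibly comma-separated header.
function firstHeaderValue(h) {
  return typeof h === 'string' ? h.split(',')[0].trim().toLowerCase() : '';
}

// req: { remoteAddr, scheme, host, port, headers } (hypothetical shape;
// header names are expected in lower case).
function externalBaseUrl(req) {
  let scheme = req.scheme;
  let port = req.port;
  // A client that reaches the backend directly can send any header it likes,
  // so forwarded values are ignored unless the peer is a trusted proxy.
  if (TRUSTED_PROXIES.has(req.remoteAddr)) {
    const proto = firstHeaderValue(req.headers['x-forwarded-proto']);
    if (proto === 'http' || proto === 'https') {
      scheme = proto;
      port = proto === 'https' ? 443 : 80; // default port of the forwarded scheme
    }
    const fport = Number(firstHeaderValue(req.headers['x-forwarded-port']));
    if (Number.isInteger(fport) && fport > 0 && fport < 65536) port = fport;
  }
  const defaultPort = scheme === 'https' ? 443 : 80;
  return `${scheme}://${req.host}${port === defaultPort ? '' : ':' + port}`;
}

// Constructed request: backend listens on plain HTTP port 8080.
function sampleRequest(remoteAddr, headers) {
  return { remoteAddr, scheme: 'http', host: 'git.example.org', port: 8080, headers };
}
```

Links and chart URLs built from this base URL keep the `https` scheme the browser used, which is what avoids the mixed-content warning.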


gitblit Aug 12, 2015

Owner
The Summary and Metric pages both use a canned Wicket library that does not offer protocol
choices.  This is issue-61.  I have not decided how to fix this yet.

It looks like you have switched from the Gitblit-Gerrit plugin.  Was it handicapped
or limited somehow?  I suspect that Gitiles will displace most to all interest in Gitblit-Gerrit.

Reported by James.Moger on 2013-04-30 11:25:19


gitblit Aug 12, 2015

Owner
In that case, we can probably mark this as a dupe of issue 357.

Only handicap was having to recompile the plugin to change gitblit.properties (not
a deal breaker)...main reason for switching was to move repo browsing off of Gerrit
and onto its own box. Being able to configure Gitblit without recompiling was just
an added bonus.

Reported by chorohoe@wikimedia.org on 2013-04-30 11:48:39


gitblit Aug 12, 2015

Owner
> Only handicap was having to recompile the plugin to change gitblit.properties (not a deal breaker)...

Yeah, I don't know why they did it that way.

Reported by James.Moger on 2013-04-30 11:54:22

  • Status changed: Duplicate
  • Merged into: #357

@gitblit gitblit closed this Aug 12, 2015
