mozilla · jpetto · Jul 31, 2013 · Jul 27, 2013
diff --git a/bedrock/base/templates/macros.html b/bedrock/base/templates/macros.html
@@ -30,9 +30,9 @@
 
     <form class="billboard newsletter-form{% if request.newsletter_form.errors %} has-errors{% endif %}"
           {% if footer %}
-             id="footer-email-form" action="#footer-email-form"
+             id="footer-email-form" action="{{ secure_url() }}#footer-email-form"
           {% else %}
-              id="newsletter-form" action=""
+              id="newsletter-form" action="{{ secure_url() }}"
           {% endif %}
           method="post">
       {% if footer %}

diff --git a/bedrock/firefox/templates/firefox/mobile/sms-send.html b/bedrock/firefox/templates/firefox/mobile/sms-send.html
@@ -14,7 +14,7 @@ <h2>{{_('Fast. Smart. Safe.')}}</h2>
 </div>
 
 <div id="main-content">
-  <form id="sms-send" method="post">
+  <form id="sms-send" method="post" action="{{ secure_url() }}">
     <h2>
     {# L10n: The line break in this headline is for visual formatting only #}
     {% trans %}

diff --git a/bedrock/firefox/templates/firefox/partners/index.html b/bedrock/firefox/templates/firefox/partners/index.html
@@ -481,7 +481,7 @@ <h3>{{ _('Thanks for your interest in partnering with us') }}</h3>
         <p>{{ _('We will review your request and get back to you about possibilities and opportunities soon.') }}</p>
       </div>
 
-      <form action="{{ url('about.partnerships.contact-bizdev') }}" role="dialog" aria-labelledby="get-involved-title" aria-describedby="get-involved-description" method="POST" id="sf-form" class="sf-form">
+      <form action="{{ secure_url('about.partnerships.contact-bizdev') }}" role="dialog" aria-labelledby="get-involved-title" aria-describedby="get-involved-description" method="POST" id="sf-form" class="sf-form">
 
       <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
 

diff --git a/bedrock/mozorg/helpers/misc.py b/bedrock/mozorg/helpers/misc.py
@@ -37,6 +37,17 @@ def url(viewname, *args, **kwargs):
     return url
 
 
+@jingo.register.function
+@jinja2.contextfunction
+def secure_url(ctx, viewname=None):
+    """Retrieve a full secure URL especially for form submissions"""
+    _path = url(viewname) if viewname else None
+    _url = ctx['request'].build_absolute_uri(_path)
+    if settings.DEBUG:
+        return _url
+    return _url.replace('http://', 'https://')
+
+
 @jingo.register.function
 def media(url):
     return path.join(settings.MEDIA_URL, url.lstrip('/'))

diff --git a/bedrock/mozorg/templates/mozorg/contribute-form.html b/bedrock/mozorg/templates/mozorg/contribute-form.html
@@ -4,7 +4,7 @@
 
 {% if not contribute_success or return_to_form %}
 <form class="billboard{% if form.errors %} has-errors{% endif %}"
-      action="#help-form" id="help-form" method="post">
+      action="{{ secure_url() }}#help-form" id="help-form" method="post">
   <input type="hidden" name="contribute-form" value="Y" />
 
   {% if contribute_success and return_to_form %}

diff --git a/bedrock/mozorg/templates/mozorg/contribute.html b/bedrock/mozorg/templates/mozorg/contribute.html
@@ -527,7 +527,7 @@ <h3>{{_('Antarctica')}}</h3>
             // ]]></script>
             <section>
               {% if not newsletter_success %}
-                <form action="#newsletter" method="post" id="newsletter-form">
+                <form action="{{ secure_url() }}#newsletter" method="post" id="newsletter-form">
                   <input type="hidden" name="newsletter-form" value="Y" />
                   <p>{{_('Sign up for a weekly newsletter that is full of community news and contribution opportunities.')}}</p>
                   {% if newsletter_form.errors %}

diff --git a/bedrock/mozorg/templates/mozorg/contribute_university_ambassadors.html b/bedrock/mozorg/templates/mozorg/contribute_university_ambassadors.html
@@ -18,7 +18,7 @@ <h2>{{ _('Show your university why Firefox rocks and encourage others to get inv
 
 {% block billboardcontent %}
   <form method="POST" class="billboard {% if form.non_field_errors() or form.errors %}has-errors{% endif %}"
-        id="ambassadors-form" action="#ambassadors-form">
+        id="ambassadors-form" action="{{ secure_url() }}#ambassadors-form">
     {{ csrf() }}
     <input type="hidden" name="source_url" value="{{ request.build_absolute_uri() }}">
       <div class="form-column">

diff --git a/bedrock/mozorg/templates/mozorg/partnerships.html b/bedrock/mozorg/templates/mozorg/partnerships.html
@@ -109,7 +109,7 @@ <h3>{{ _('Thank you') }}</h3>
     <h3>{{ _('Get started') }}</h3>
     <p>{{ _('Please complete the form below. Our partnership team will review your request and get back to you as soon as possible.') }}</p>
 
-    <form action="{{ url('about.partnerships.contact-bizdev') }}" method="POST" id="sf-form">
+    <form action="{{ secure_url('about.partnerships.contact-bizdev') }}" method="POST" id="sf-form">
 
     <input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}">
 

diff --git a/bedrock/mozorg/tests/test_helper_misc.py b/bedrock/mozorg/tests/test_helper_misc.py
@@ -10,6 +10,7 @@
 from nose.tools import assert_false, eq_, ok_
 from pyquery import PyQuery as pq
 from bedrock.newsletter.tests.test_views import newsletters
+from funfactory.urlresolvers import reverse
 
 from bedrock.mozorg.tests import TestCase
 
@@ -25,6 +26,39 @@ def render(s, context={}):
     return t.render(context)
 
 
+@patch('django.conf.settings.LANGUAGE_CODE', 'en-US')
+class TestSecureURL(TestCase):
+    host = 'www.mozilla.org'
+    test_path = '/firefox/partners/'
+    test_view_name = 'about.partnerships.contact-bizdev'
+    req = RequestFactory(HTTP_HOST=host).get(test_path)
+
+    def _test(self, view_name, expected_url):
+        eq_(render("{{ secure_url('%s') }}" % view_name, {'request': self.req}),
+            expected_url)
+
+    @patch('django.conf.settings.DEBUG', True)
+    def test_on_dev_with_view_name(self):
+        # Should output a reversed path
+        self._test(self.test_view_name,
+                   'http://' + self.host + reverse(self.test_view_name))
+
+    @patch('django.conf.settings.DEBUG', True)
+    def test_on_dev_without_view_name(self):
+        # Should output the current, full URL
+        self._test('', 'http://' + self.host + self.test_path)
+
+    @patch('django.conf.settings.DEBUG', False)
+    def test_on_prod_with_view_name(self):
+        # Should output a reversed, full secure URL
+        self._test(self.test_view_name,
+                   'https://' + self.host + reverse(self.test_view_name))
+
+    @patch('django.conf.settings.DEBUG', False)
+    def test_on_prod_without_view_name(self):
+        # Should output the current, full secure URL
+        self._test('', 'https://' + self.host + self.test_path)
+
 @patch('bedrock.mozorg.helpers.misc.L10N_IMG_PATH', TEST_L10N_IMG_PATH)
 @patch('django.conf.settings.LANGUAGE_CODE', 'en-US')
 class TestImgL10n(TestCase):

diff --git a/bedrock/newsletter/templates/newsletter/existing.html b/bedrock/newsletter/templates/newsletter/existing.html
@@ -22,7 +22,7 @@ <h1>{{ _('Manage your <span>Newsletter Subscriptions</span>') }}</h1>
   {% endif %}
 
   {% if formset %}
-    <form method="post" action="" id="existing-newsletter-form" class="container billboard"
+    <form method="post" action="{{ secure_url() }}" id="existing-newsletter-form" class="container billboard"
         data-initial-newsletters='{{ newsletters_subscribed }}'>
       {{ formset.management_form }}
 

diff --git a/bedrock/newsletter/templates/newsletter/updated.html b/bedrock/newsletter/templates/newsletter/updated.html
@@ -21,7 +21,7 @@ <h3>{{ _('We’re sorry to see you go.')}}</h3>
     <div id="content" class="unsub billboard">
       <h4>{{_('Would you mind telling us why you’re leaving?') }}</h4>
 
-      <form action="{{ url('newsletter.updated') }}" method="post">
+      <form action="{{ secure_url('newsletter.updated') }}" method="post">
         <input type="hidden" name="unsub" value="2" />
         <input type="hidden" name="token" value="{{ token }}" />
         <table class="table">

diff --git a/bedrock/privacy/templates/privacy/privacy_contact.html b/bedrock/privacy/templates/privacy/privacy_contact.html
@@ -3,7 +3,7 @@
  # file, You can obtain one at http://mozilla.org/MPL/2.0/. #}
 
 {% if not form_submitted or (form_submitted and form_error) %}
-  <form name="contact_privacy" id="contact_privacy" action="#contactus" method="post">
+  <form name="contact_privacy" id="contact_privacy" action="{{ secure_url() }}#contactus" method="post">
     {{ csrf() }}
 
     <fieldset>

diff --git a/bedrock/tabzilla/templates/tabzilla/tabzilla.js b/bedrock/tabzilla/templates/tabzilla/tabzilla.js
@@ -451,7 +451,7 @@ var Tabzilla = (function (Tabzilla) {
     + '        </li>'
     + '        <li id="tabzilla-search">'
     + '          <a href="https://www.mozilla.org/community/directory.html?icn=tabz">{{ _('Website Directory')|js_escape }}</a>'
-    + '          <form title="{{ _('Search Mozilla sites')|js_escape }}" role="search" action="//www.google.com/cse">'
+    + '          <form title="{{ _('Search Mozilla sites')|js_escape }}" role="search" action="https://www.google.com/cse">'
     + '            <input type="hidden" value="002443141534113389537:ysdmevkkknw" name="cx">'
     + '            <input type="hidden" value="FORID:0" name="cof">'
     + '            <label for="q">{{ _('Search')|js_escape }}</label>'

diff --git a/media/js/firefox/os/desktop.js b/media/js/firefox/os/desktop.js
@@ -210,8 +210,7 @@
         var $form = $(this);
 
         $.ajax({
-          // Form action is just an anchor - must prepend current URL for IE.
-          url: document.location.href + $form.attr('action'),
+          url: $form.attr('action'),
           data: $form.serialize(),
           type: 'POST',
           success: function(data) {