insecure includes

[btbonval]

following from #109, chrome is complaining about (and likely blocking) some scripts.

Pulled this out of the console:

warning about an images:
The page at 'https://publiclab.org/notes/mathew/2-1-2013/american-kite-fishing-low-tech-kite-balloon-hybrid' was loaded over HTTPS, but displayed insecure content from 'http://publiclab.org/sites/default/files/imagecache/default/Screen%20shot%202013-01-31%20at%2010.26.29%20PM.png': this content should also be loaded over HTTPS.
The page at 'https://publiclab.org/notes/mathew/2-1-2013/american-kite-fishing-low-tech-kite-balloon-hybrid' was loaded over HTTPS, but displayed insecure content from 'http://publiclab.org/sites/default/files/imagecache/default/Screen%20shot%202013-01-31%20at%2010.26.29%20PM.png': this content should also be loaded over HTTPS.

chat is blocked on HTTPS:
[blocked] The page at 'https://publiclab.org/notes/mathew/2-1-2013/american-kite-fishing-low-tech-kite-balloon-hybrid' was loaded over HTTPS, but ran insecure content from 'http://chat.treehouse.su/?channels=publiclab&nick=btbonval': this content should also be loaded over HTTPS

Looks like Dogi never got a certificate for treehouse.su, so chat won't be available on https publiclab until we can encrypt it.

Although IRC is one of the least secure forms of communication I can think of. It'd kind of be a lie to have an IRC script run on https, because it's open text once it goes from the web backend to IRC.

[btbonval]

we could ditch IRC and run a chat backend as part of our rails app:
http://railscasts.com/episodes/316-private-pub?view=asciicast

[jywarren]

ditch IRC? but lots of people use 3rd party clients. Also you would make
dogi SO SAD

On Wed, Jun 25, 2014 at 6:39 PM, Bryan Bonvallet notifications@github.com
wrote:

we could ditch IRC and run a chat backend as part of our rails app:
http://railscasts.com/episodes/316-private-pub?view=asciicast

—
Reply to this email directly or view it on GitHub
#110 (comment).

[btbonval]

If we cut http, all the people who don't use external clients won't have access to the chat. I'm thinking the few hard cores can deal with leaving IRC if it is better for everyone else.

Alternatively we figure out how to get the IRC client behind SSL.

[btbonval]

"leaving" as in Publiclab using a different venue. Dogi will be on IRC either way ;)

[jywarren]

related to #58

[jywarren]

IRC client now behind SSL; resolved. Addressing this in jywarren/web#15.

[jywarren]

We also need to re-code instances of non-ssl in the codebase itself - wherever we use i.publiclab.org.

[jywarren]

In-code references are resolved now.

[jywarren]

Most content has now been changed in the database -- both DrupalNodeRevisions and DrupalComments:

• http://i.publiclab.org/*
• http://publiclab.org/sites/default/files/*
• http://publiclaboratory.org/sites/default/files/*
• http://www.youtube.com/*
• http://youtube.com/*
• http://flickr.com
• http://www.flickr.com
• http://farm1.staticflickr.com
• http://farm2.staticflickr.com
• http://farm3.staticflickr.com
• http://farm4.staticflickr.com
• http://farm5.staticflickr.com
• http://farm6.staticflickr.com
• http://farm7.staticflickr.com
• http://farm8.staticflickr.com
• http://farm9.staticflickr.com
• http://farm10.staticflickr.com

Except:

• http://mapknitter.org/*
• http://spectralworkbench.org/*

We're probably going to put both of those under SSL so their embeds work.

[jywarren]

This is looking good -- also scrubbed groups.google.com references in code for SSL. It's harder and harder to find a page that doesn't have the green lock icon now -- no warnings on any page I've seen.

[jywarren]

This is almost as done as we can make it within this codebase -- we're working on MapKnitter and SpectralWorkbench SSL certs. Once those are in place, we can finish this out with one last database batch change.

[jywarren]

Complete!