Fix disappearing newsletter subscription form under https #117
Comments
On Dec 17, 2013, at 11:50 PM, @phumphrey wrote:
It remains in the backlog without any particular priority. Is this continuing to come up as a problem for you as described above? Perhaps @rwinch would be interested in putting together a pull request. Rob?
On Dec 20, 2013, at 8:26 PM, @phumphrey wrote:
Roger that, @phumphrey. Hopefully @rwinch can weigh in here, though it might understandably be post-holidays.
The HSTS specification does not allow you to configure based upon the URL, only by domain. So we would need to create a unique domain for the admin users to be using and ensure we are using that domain any time users were administering the application. For example, we might create a URL like secure.spring.io that we could then force users to HTTPS.
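As an added example (not code from the spring.io project or from anyone in this thread), a small Python model of the browser-side rule @rwinch is describing: an HSTS policy is keyed by host, so a header sent from the proposed admin host covers every path on that host and nothing on the main site. The hostnames, header values and the `demo` scenario are constructed for illustration; the `includeSubDomains` and expiry handling go a little beyond the comment to show the other knobs the header offers.

```python
import re
from urllib.parse import urlsplit

class HstsStore:
    """Minimal model of a browser's HSTS known-hosts list (RFC 6797 semantics)."""

    def __init__(self):
        self.hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def process_response(self, url, headers, now):
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        # RFC 6797 s8.1: the header is ignored unless received over HTTPS
        if parts.scheme != "https" or value is None:
            return False
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.I)
        if not m:
            return False
        host = parts.hostname.lower()
        if int(m.group(1)) == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the UA to forget the host
            return True
        include_sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", value, re.I) is not None
        # The policy is stored for the whole host; the request path plays no part
        self.hosts[host] = (now + int(m.group(1)), include_sub)
        return True

    def should_upgrade(self, url, now):
        parts = urlsplit(url)
        if parts.scheme != "http":
            return False
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True  # exact host, or a superdomain with includeSubDomains
        return False

def demo(now=0):
    """Constructed scenario: only the admin host sends HSTS (the split proposed above)."""
    store = HstsStore()
    store.process_response("https://secure.spring.io/admin/login",
                           {"Strict-Transport-Security": "max-age=31536000"}, now)
    return {
        "admin_host_any_path": store.should_upgrade("http://secure.spring.io/blog", now + 1),
        "main_site_untouched": store.should_upgrade("http://spring.io/admin/login", now + 1),
        "subdomain_not_covered": store.should_upgrade("http://www.secure.spring.io/", now + 1),
    }
```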
Sounds a bit complex to manage two domains. Imagine possible places where we have relative links going between admin and non-admin. Is this what we really want? Also smells like an update to the Spring Security docs is in order to raise awareness of this in case devs are trying to do similar things on their own site.
Thanks @gregturn, agreed re: complexity, etc. @rwinch and I just chatted via voice and landed on this as a plan:
For now, we could put the 'Subscribe to our Newsletter' text inside the iframe so at least it doesn't look broken. The Pivotal Network team has started using the Marketo API. I'm assuming we could do the same. I'll ask them if they have any tips.
Just heard back. They said they'd send their code over later this week. Meanwhile, I can work on the iframe change (to include the 'subscribe' text in the frame).
This adds the 'subscribe to our newsletter' text to the newsletter subscription iframe so that when the iframe disappears under https, the section won't look like it's broken (as discussed in #117).
Our current HSTS configuration forces https everywhere on the site, resulting in internal users copying and pasting https URLs instead of http. This is problematic because there are https-related bugs in a couple of areas on the site, and external users shouldn't be exposed to these.