cross-scripting issue (lack of HTTPS endpoint for jquery requests) #200

Closed
ahmadia opened this issue Jan 11, 2016 · 6 comments

ahmadia commented Jan 11, 2016

Mixed Content: The page at 'https://uscensusbureau.github.io/citysdk/examplecode.html' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://tigerweb.geo.census.gov/arcgis/rest/services/TIGERweb/tigerWMS_Curre…returnZ=false&returnM=false&gdbVersion=&returnDistinctValues=false&f=pjson'. This request has been blocked; the content must be served over HTTPS.

It looks like TigerWeb supports HTTPS, so this may be a simple fix on the CitySDK end.

Author

ahmadia commented Jan 11, 2016

Reviewing https://github.com/uscensusbureau/citysdk/blob/master/js/citysdk.census.js it looks like the HTTP protocol is hardcoded in a number of places.

I think best practice would be to favor // style protocol-relative URLs everywhere as suggested here: https://blog.httpwatch.com/2010/02/10/using-protocol-relative-urls-to-switch-between-http-and-https/

I'm reluctant to submit a PR as I'm not too familiar with the code base :)

@johnson-tor-boozallen
Contributor

Hello Aron,

The challenge is far more interesting than it looks. Many of the Census APIs fully support https but some are still awaiting fully signed certificates. Additionally some of the external APIs that are available in CitySDK are http-only. As a result, we haven't yet enabled support for https (if not for this we absolutely would already be using http/https agnostic approaches).

Tor N. Johnson
Associate

Author

ahmadia commented Jan 11, 2016

Sure, but in this specific case, Tiger already supports HTTPS. Since all of these are hard-coded requests to Tiger, why not relax the protocol requirement?

@johnson-tor-boozallen
Contributor

The primary reason is that the geocoder API is a bit of a problem child and it's called in several different request scenarios including tigerweb requests. Switching just tigerweb opens us to a huge mess of testing and debugging for anybody implementing the library.

That was the bad news. There is good news! The next release, as soon as it gets through the review process, moves all endpoint definitions into object-level variables. That way there is nothing that would prevent you from re-defining the tigerweb endpoint in any way desired. This is an imminent release that SHOULD appear in the next week or so.


johnson-tor-boozallen added a commit to johnson-tor-boozallen/citysdk that referenced this issue Jan 29, 2016
…le has been updated.

Moved API endpoint of Farmer's Market to a setting in the module

Created test scripts for Farmer's Market

ghost mentioned this issue May 17, 2016

ghost commented Jun 1, 2016

We are currently working on resolving this issue. As a temporary workaround you could change the endpoint for tiger web to use https instead of http. For example:

CensusModule.prototype.DEFAULT_ENDPOINTS.tigerwebURL = "https://tigerweb.geo.census.gov/arcgis/rest/services/TIGERweb/";
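
An added example (not CitySDK code and not part of the comment above) of the per-endpoint approach this thread converges on: upgrade only the hosts known to serve HTTPS, resolve protocol-relative URLs against the page scheme, and report which endpoints an HTTPS page would still block as mixed content. Apart from `tigerwebURL` and the TigerWeb address, every name here is hypothetical, and the host allowlist is an assumption.

```javascript
// Assumption: hosts an operator has verified to serve valid HTTPS.
const HTTPS_CAPABLE_HOSTS = new Set(["tigerweb.geo.census.gov"]);

// Constructed endpoint table; only tigerwebURL appears in the thread.
const sampleEndpoints = {
  tigerwebURL: "http://tigerweb.geo.census.gov/arcgis/rest/services/TIGERweb/",
  relativeURL: "//tigerweb.geo.census.gov/arcgis/rest/services/TIGERweb/",
  legacyURL: "http://http-only.example/api/", // placeholder for an HTTP-only API
};

// pageProtocol is the scheme of the embedding page: "http:" or "https:".
function planEndpoints(endpoints, pageProtocol, httpsHosts) {
  const resolved = {};
  const blocked = [];
  for (const [name, raw] of Object.entries(endpoints)) {
    // A protocol-relative URL ("//host/path") inherits the page's scheme;
    // an absolute URL ignores the base entirely.
    const url = new URL(raw, pageProtocol + "//placeholder.invalid/");
    if (url.protocol === "http:" && httpsHosts.has(url.hostname)) {
      url.protocol = "https:"; // upgrade only where HTTPS is known to work
    }
    resolved[name] = url.href;
    // Browsers block XMLHttpRequests from an HTTPS page to http: endpoints.
    if (pageProtocol === "https:" && url.protocol === "http:") {
      blocked.push(name);
    }
  }
  return { resolved, blocked };
}

// Stand-alone run: shows what an HTTPS-hosted page would end up with.
const plan = planEndpoints(sampleEndpoints, "https:", HTTPS_CAPABLE_HOSTS);
console.log(plan.resolved);
console.log("still blocked on an HTTPS page:", plan.blocked);
```

The `blocked` list is the set of endpoints that need an HTTPS-capable upstream or a same-origin proxy before the page can be served over HTTPS without errors.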

@loganpowell
Member

v2 released (beta); jQuery is no longer in the stack.
