-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cross-scripting issue (lack of HTTPS endpoint for jquery requests) #200
Comments
Reviewing https://github.com/uscensusbureau/citysdk/blob/master/js/citysdk.census.js it looks like the HTTP protocol is hardcoded in a number of places. I think best practice would be to favor I'm reluctant to submit a PR as I'm not too familiar with the code base :) |
Hello Aron, The challenge is far more interesting than it looks. Many of the Census APIs fully support https but some are still awaiting fully signed certificates. Additionally some of the external APIs that are available in CitySDK are http-only. As a result, we haven't yet enabled support for https (if not for this we absolutely would already be using http/https agnostic approaches). [base email logo] Tor N. Johnson From: Aron Ahmadia <notifications@github.commailto:notifications@github.com> Reviewing https://github.com/uscensusbureau/citysdk/blob/master/js/citysdk.census.js it looks like the HTTP protocol is hardcoded in a number of places. I think best practice would be to favor // style protocol-relative URLS everywhere as suggested here: https://blog.httpwatch.com/2010/02/10/using-protocol-relative-urls-to-switch-between-http-and-https/ I'm reluctant to submit a PR as I'm not too familiar with the code base :) — |
Sure, but in this specific case, Tiger already supports HTTPS. Since all of these are hard-coded requests to Tiger, why not relax the protocol requirement? |
The primary reason is that the geocoder API is a bit of a problem child and it's called in several different request scenarios including tigerweb requests. Switching just tigerweb opens us to a huge mess of testing and debugging for anybody implementing the library. That was the bad news. There is good news! The next release as soon as it gets through the review process moves all endpoint definitions into object-level variables. That way there is nothing that would prevent you from re-defining the tigerweb endpoint in any way desired. This is an imminent release that SHOULD appear in the next week or so. [base email logo] Tor N. Johnson From: Aron Ahmadia <notifications@github.commailto:notifications@github.com> Sure, but in this specific case, Tiger already supports HTTPS. Since all of these are hard-coded requests to Tiger, why not relax the protocol requirement? — |
…le has been updated. Moved API endpoint of Farmer's Market to a setting in the module Created test scripts for Farmer's Market
we are currently working on resolving this issue. As a temporary workaround you could change the endpoint for tiger web to use
|
v2 released (beta) jquery is no longer in the stack |
It looks like TigerWeb supports HTTPS, so this may be a simple fix on the CitySDK end.
The text was updated successfully, but these errors were encountered: