Serving ZeroClipboard SWF from CDNJS fails when used from HTTPS page and then from HTTP page #632
Comments
Yeah, something's wrong with the cdnjs version.
This is almost certainly due to HSTS (which CDNJS enabled relatively recently). If your browser supports HSTS and you access cdnjs over https, it will insist on redirecting any http requests to https for that domain for the next 180 days (based on the
Update/clarification: cdnjs.cloudflare.com does not currently send the
Thanks @kangaechigai for clarifying this! I circumvented this issue in my project by using jsDelivr and locally-hosted files.
It looks like it can't be loaded from cdnjs in later Chrome versions. zeroclipboard/zeroclipboard#632 The long term fix is to use something else to get copy to work. SWF doesn't really feel like the future ;) Ref #371
@kangaechigai The linked tweet says that HSTS was only turned on for the website and API, not the CDN assets which are hosted from the cdnjs.cloudflare.com subdomain. I'm not sure this would have had an effect in this case. Does the src attribute in the script tag load via http or https?
@ScottHelme It's true that the tweet I linked to didn't explicitly state that HSTS was enabled for CDN assets, but it was the closest thing I could find then to indicate an approximate timeline. HSTS is definitely enabled for ajax.cdnjs.com, which is where the actual ZeroClipboard.swf asset is hosted. cdnjs.com (including all subdomains) is also now in Chrome's HSTS preload list.
Most assets on CDNJS are loaded from
I hadn't actively tested anything but the ZeroClipboard.swf asset, since that was what I was trying to use and what this thread is really about, but I think you're correct for the majority of CDNJS assets. I'll try to go back and update my comments above later to clarify. It looks like ZeroClipboard.js can load insecurely, but it doesn't actually work on insecure pages, because it depends on ZeroClipboard.swf, which redirects to http://ajax.cdnjs.com/ajax/libs/zeroclipboard/2.2.0/ZeroClipboard.swf and ends up on https, since
That redirect to
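To make the mechanism discussed above concrete, here is an added Python simulation (not code from this thread or from the ZeroClipboard project) of how a browser's HSTS state rewrites a protocol-relative ZeroClipboard.swf reference before any request is sent, which is why the same page works over HTTPS but fails Flash's same-protocol check over HTTP once cdnjs has been visited securely. The page URL and the Strict-Transport-Security header values are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

SWF = "//ajax.cdnjs.com/ajax/libs/zeroclipboard/2.2.0/ZeroClipboard.swf"

@dataclass
class HstsCache:
    """Browser-side HSTS state: host -> includeSubDomains flag (preload entries are constructed here too)."""
    entries: dict = field(default_factory=dict)

    def record(self, host, header):
        """Apply a Strict-Transport-Security header received over HTTPS (RFC 6797 directives)."""
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return                                  # no max-age: the header is ignored
        if max_age == 0:
            self.entries.pop(host, None)            # max-age=0 forgets the host
        else:
            self.entries[host] = include_sub

    def is_hsts_host(self, host):
        """Exact match, or a superdomain entry that carries includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.entries and (i == 0 or self.entries[candidate]):
                return True
        return False

def resolve_asset(page_url, asset_ref, cache):
    """Resolve a (protocol-relative) asset reference against the page, then apply the HSTS upgrade."""
    ref = urlsplit(asset_ref, scheme=urlsplit(page_url).scheme)
    scheme = ref.scheme
    if scheme == "http" and cache.is_hsts_host(ref.hostname):
        scheme = "https"                            # rewritten in the browser before any request goes out
    return urlunsplit((scheme, ref.netloc, ref.path, ref.query, ref.fragment))

def same_protocol(page_url, asset_url):
    """Flash's cross-protocol limitation: the page and the SWF must share a scheme."""
    return urlsplit(page_url).scheme == urlsplit(asset_url).scheme

def demo():
    cache = HstsCache()
    http_page = "http://example.com/copy.html"              # constructed page URL
    before = resolve_asset(http_page, SWF, cache)            # fresh browser: SWF stays on http
    cache.record("ajax.cdnjs.com", "max-age=15552000")       # constructed header (180 days) after an HTTPS visit
    after = resolve_asset(http_page, SWF, cache)             # now forced onto https
    cache.record("cdnjs.com", "max-age=31536000; includeSubDomains")  # constructed preload-style entry
    return before, after, same_protocol(http_page, after), cache.is_hsts_host("ajax.cdnjs.com")
```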
cdnjs broke zeroclipboard by enabling hsts zeroclipboard/zeroclipboard#632
This issue is causing some concern around deploying HSTS to cdnjs.cloudflare.com, which hosts ZeroClipboard. But as @terinjokes noted at cdnjs/cdnjs#4328 (comment) in August 2016:
So adding HTML5 support would make a meaningful difference in security enforcement for modern browsers.
I use the approach described in Cross-Protocol Limitations to serve ZeroClipboard.swf from CDNJS on pages for which the protocol can vary. Things worked fine until yesterday, but today I've noticed that it doesn't work for pages served over HTTP any more, while for ones using HTTPS it works fine. I use the following configuration:
I tried to use HTTP explicitly for content served over HTTP, but this also doesn't work now:
Thank you for any input!