What is the point of not using HTTPS all the time when connecting to app.amanote.com?

Issue #4 resolved
David Mudrák created an issue

In amanote_get_clicktoamanote(), the protocol to use when connecting to app.amanote.com is determined based on the current protocol used when talking to Moodle. Why? You should always use HTTPS. Otherwise, things like the user's username would be transmitted in plain text, which is a bad thing from a security point of view.

Comments (10)

  1. Simon Chupin

    In the case where the moodle site is not accessible through https, the user has to connect to app.amanote.com through http to prevent Mixed Content errors when loading a Moodle file in the application (an http request to moodle cannot be executed from a site served with https).

    The plugin now checks whether the moodle site is accessible through https by checking the httpswwwroot property of the global variable $CFG instead of checking the currently used protocol.

  2. David Mudrák reporter

    I don't think so. The Mixed Content error appears when the browser loads a page via HTTPS and some embedded content - such as images - is served via HTTP. But this is different:

    • Firstly, you are not embedding any content right? You would just have a link from HTTP page to a HTTPS page.
    • Secondly, upgrading the protocol from HTTP to HTTPS would not raise the Mixed Content warning as it does not represent any security problem.

    I still believe you should simply always use HTTPS.

  3. Simon Chupin

    The Mixed Content error is triggered when we make a call from the application (Amanote in HTTPS) to the moodle site (HTTP) to retrieve and load the document linked to the annotatable file.

    Here is a screenshot of the error happening with our moodle site:

    (attached screenshot: Capture d’écran 2018-11-21 à 08.49.42.png)

    When the moodle site is accessible via HTTPS, we obviously make the call with HTTPS, but when the site is not served with HTTPS at all, the only way we found to cope with this issue was to redirect to the application (Amanote) in HTTP.

    However, we agree that this is not an optimal solution and we are looking forward to any suggestion to get around the Mixed Content error, if it is possible.

  4. David Mudrák reporter

    Aha. I thought that the Amanote server fetches the file from Moodle and serves it back to the browser. Do I get it right that you let the browser do it? If that is on purpose and the only way to do it, maybe you could degrade from HTTPS to HTTP only after the user credentials are transmitted?

  5. David Mudrák reporter

    (please note, I still think that sharing the username is the primary problem here - as reported in the other issue)

  6. Simon Chupin

    Yes, that's right and that's on purpose.

    If that is on purpose and the only way to do it, maybe you could degrade from HTTPS to HTTP only after the user credentials are transmitted?

    We will consider this solution.

    (please note, I still think that sharing the username is the primary problem here - as reported in the other issue)

    We are currently working on this too.

    Thank you for your comments.

  7. David Mudrák reporter

    Hmm. I can see that in the latest version, you are simply passing Moodle's URL as always using the https protocol. I don't think that's a step in a good direction - unless you simply want to drop support for Moodles on HTTP.

    If you have a Moodle site that does not have HTTPS implemented, then attempting to open the PDF Amanote displays "Error - An error occurred while opening the document from Moodle."

    Was that really the intention?

  8. Simon Chupin

    Yes, we always pass Moodle's URL using https on purpose.

    We are aware of the error currently displayed in our application when the Moodle site does not have HTTPS implemented. This will be fixed in an upcoming release of our application, where we will check for the possibility of connecting to the Moodle site with HTTPS and fall back to HTTP otherwise.
