Website serves some resources under HTTP instead of HTTPS
Visiting https://docs.sqlalchemy.org/ (notice the https) in Firefox version 46.0 on Ubuntu 16.04 causes incorrect rendering because some resources are sent over an insecure connection (and Firefox blocks them).
A brief look in the developer tools reveals the following non-HTTPS display resources:
- http://www.sqlalchemy.org/img/sqla_logo.png
- http://www.sqlalchemy.org/img/dbtoolkit6.gif
- http://www.sqlalchemy.org/img/python-logo.gif
- http://www.sqlalchemy.org/favicon.ico
and active resources:
- http://www.sqlalchemy.org/css/print.css
- http://www.sqlalchemy.org/css/site.css
- http://www.sqlalchemy.org/js/doc_versions.js
- http://fonts.googleapis.com/css?family=Lato:400,700|Roboto+Slab:400,700
- http://fonts.googleapis.com/css?family=Source+Sans+Pro:400,600,400italic
These resources should be served over HTTPS.
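As an added example (not code from this issue or from the SQLAlchemy project): a small scanner that does mechanically what the report above did by hand in the developer tools. Given the HTML of a page loaded over https://, it lists every subresource that would be fetched over plain http:// and classifies it the way browsers do: scripts, stylesheets, iframes and objects are "active" mixed content (blocked outright), images, media and icons are "display" mixed content (the weaker class, which browsers load with a warning or block depending on settings). It also reports whether the page carries a Content-Security-Policy `upgrade-insecure-requests` directive, which makes the browser rewrite http:// subresource requests to https:// before sending them; that only helps when the origin behind the URL actually serves HTTPS. The example uses only the Python standard library; the sample HTML is constructed from the URLs listed above and is not fetched from the live site, and the `docs.sqlalchemy.org` page URL is used purely as a base for resolving relative references.

```python
"""Mixed-content scanner: added example, not part of the original issue."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource, and the mixed-content class
# a browser assigns to each. Stylesheets and icons come via <link rel=...>
# and are handled separately below.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
DISPLAY = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []            # list of (kind, absolute_url)
        self.upgrade_insecure = False # CSP upgrade-insecure-requests seen?

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attrs parse as None
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            if "upgrade-insecure-requests" in a.get("content", "").lower():
                self.upgrade_insecure = True
            return
        if tag == "link":
            rel = a.get("rel", "").lower().split()
            if "stylesheet" in rel:
                self._check("active", a.get("href"))   # CSS can run script via @import/url()
            elif "icon" in rel:
                self._check("display", a.get("href"))
            return
        for kind, table in (("active", ACTIVE), ("display", DISPLAY)):
            for t, attr in table:
                if tag == t and attr in a:
                    self._check(kind, a[attr])

    def _check(self, kind, ref):
        if not ref:
            return
        # Resolve relative and protocol-relative ("//host/x") references
        # against the page URL; only an explicit http: scheme is mixed content.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, url))


def scan(page_url, html):
    """Return ([(kind, url), ...], upgrade_insecure_requests_present)."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content only applies to pages loaded over https")
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings, parser.upgrade_insecure


# Constructed sample built from the URLs in the report above (not live HTML).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://www.sqlalchemy.org/css/site.css">
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato:400,700">
<link rel="icon" href="http://www.sqlalchemy.org/favicon.ico">
<script src="http://www.sqlalchemy.org/js/doc_versions.js"></script>
<script src="/_static/jquery.js"></script>
</head><body>
<img src="http://www.sqlalchemy.org/img/sqla_logo.png">
<img src="//www.sqlalchemy.org/img/python-logo.gif">
<img src="_images/local.png">
</body></html>
"""

if __name__ == "__main__":
    findings, upgrade = scan("https://docs.sqlalchemy.org/en/latest/", SAMPLE_HTML)
    for kind, url in findings:
        print(f"{kind:8s} {url}")
    print("upgrade-insecure-requests present:", upgrade)
```

Run against the sample it reports the two stylesheets and the script as active and the logo and favicon as display; the same-origin relative script, the relative image and the protocol-relative image resolve to https:// and are not flagged. To audit a real page, fetch the HTML with any HTTPS client and pass the final URL and body to `scan`; CSS fetched by `@import` from inside a stylesheet is out of scope for this parser.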
Comments (14)
-
repo owner I'd rather not have to deal with that, as this is a read-only website. Isn't there some meta tag I can add to the main templates that convinces Firefox to please allow non-https resources? readthedocs and their constant backwards-incompatible changes and breakages are giving me more work than the site saves.
repo owner I'm confused. readthedocs is still serving plain http and no redirect to https occurs. The https link you give above already serves up a non-trusted certificate in any case (it's for readthedocs.org, not docs.sqlalchemy.org). Why are you even locating that link?
-
reporter Hm I don't know, but I doubt it. That would basically undo the browser-side protection entirely.
If this is more of a RTD bug, I can report it there.
-
reporter I prefer to link to HTTPS sites whenever possible, and I have some links to SQLAlchemy documentation in my own project's documentation.
-
repo owner OK but SQLAlchemy doesn't have real https documentation available, at least without a certificate warning. We'd have to move our docs totally off readthedocs and I'd just host docs.sqlalchemy.org myself with a letsencrypt cert (fortunately I am hosting some of those now so I have infrastructure in place to support their auto-renewal process).
The best RTD can do is serve from your own site and use proxying (http://docs.readthedocs.io/en/latest/alternate_domains.html#cname-ssl), which means I'd rather just host myself entirely.
-
reporter I don't really know how to fix this sort of thing, so it's really up to you, I guess. I was just letting you know :)
-
repo owner Are there specific security concerns for browsing an http website in pure read-only these days? Attackers could view which part of SQLAlchemy you're working with... some kind of cross-scripting issue?
-
reporter From the Mozilla Developer Network article on Mixed content:
In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).
-
repo owner Oh I see... because the JavaScript "secure sandbox" is essentially permanently broken, basically all websites everywhere should be https. Makes sense. But kind of renders readthedocs useless.
-
reporter Not exactly: my project is hosted on readthedocs.io and has working https: https://flask-restless.readthedocs.io/en/latest and here is a project that is using readthedocs but uses a different domain: https://cryptography.io/
I don't know exactly what the difference is between these and SQLAlchemy.
-
repo owner I'm serving CSS and images from my own site and I haven't turned on https for it.
-
reporter Is there a way of including them directly with the SQLAlchemy docs? Or with a separate Sphinx theme?
-
repo owner not really no.
-
repo owner - changed status to wontfix
unfortunately HTTPS documentation is not supported right now. SQLAlchemy would need to move its hosting off of readthedocs, since RTD's only solution here is to host via proxy in any case.