-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[bug]: Mixed http:// and https:// content when web-UI is loaded over http:// #2414
Comments
Please do some more testing that includes http/https in the URL, and also sure no security exceptions have been made for that certificate. Finally, how does this express itself to the user. What is the actual bug or problem? |
Unfortunately firefox hides the http:// part of any http:// URL. The way you can tell it was requested via http:// is the red slash through the lock icon. I've made no security exceptions for https://monthly-cages.local - I have its cert trusted in Debian's trust store.
Finally, there is seemingly no actual dysfunction. Logins still work. It's just a question of why it's actually happening. I don't think this request to https:// from http:// is intentional. I searched through the js but don't seem to be able to see what is actually inducing the browser to request http://monthly-cages.local/login |
Prerequisites
Server Hardware
Pure
StartOS Version
0344
Client OS
Linux
Client OS Version
Debian
Browser
Firefox
Browser Version
117
Current Behavior
When one loads their StartOS web-UI via http://, all elements on the page are loaded from http:// EXCEPT for one request to **https://startoswebui/login is induced. The referrer policy on the page is "strict-origin-when-cross-origin" so if a browser is actually paying attention to that referrer policy, https://startoswebui/login will be blocked from being requested. This is actually good afaict because if a user is at http://startoswebui/, they may not have trusted their certificate yet and https://startoswebui/login should not be requested or it could result in loud certificate warnings.
This is an issue at both the .local and the .onion
Expected Behavior
I expect all requests induced by StartOS web-UI to use the same http:// or https:// scheme as the rest of the page.
Steps to Reproduce
Anything else?
No response
The text was updated successfully, but these errors were encountered: