
Comments (7)

rymai avatar rymai commented on June 15, 2024

Hi,

So, for instance, if I add a rule to the :only array that matches my ajax request url, it will work if the current page is served via https and will fail via http.

Let's take a concrete example:

config.middleware.use Rack::SslEnforcer, :only => ['/ajax']

You say that GET https://yourdomain.com/ajax would succeed and GET http://yourdomain.com/ajax would fail, is that correct? If yes, I don't understand why, it should just redirect the second GET to HTTPS, no?

Regarding your proposal for a :skip option, could you give concrete examples because I have big trouble understanding the use cases for which it could be useful!

Thanks!

from rack-ssl-enforcer.

blelump avatar blelump commented on June 15, 2024

> Let's take a concrete example:
>
> config.middleware.use Rack::SslEnforcer, :only => ['/ajax']
>
> You say that GET https://yourdomain.com/ajax would succeed and GET http://yourdomain.com/ajax would fail, is that correct? If yes, I don't understand why, it should just redirect the second GET to HTTPS, no?

Yep, it will redirect, but since it's an ajax req, it violates the same origin policy, as suggested here: #31 (comment). A real example might be useful: assume that you have a button called "feedback" stuck to the right border of the browser. When a user clicks on such a button, a new dialog will appear. Besides that, the content of that dialog is loaded dynamically (the response of the previously called feedback request). Now, if you want to send feedback from within the login page (https) and your config looks like :only => ['/login'], :strict => true, it will fail because of the redirection (same origin policy violation).
So my idea was to add an additional :skip option, where I could provide a list of regexps to match. If any matches, then such a url is not even considered within the SSL enforcer lib. It is just skipped, so if the current context is https, it calls the ajax req as https, and the same for http. I know a workaround might be to disable :strict => true, but then I don't even need SSL Enforcer since it can be done with an additional filter within the base controller. What do you think about it? Is it slightly clearer now?

from rack-ssl-enforcer.

rymai avatar rymai commented on June 15, 2024

Thanks for the clarification.

Imagine you POST your feedback on /feedback, can't you just use the following configuration:

config.middleware.use Rack::SslEnforcer, :only => ['/login', '/feedback'], :strict => true

so there won't be a redirect when you POST your feedback in AJAX?

from rack-ssl-enforcer.

blelump avatar blelump commented on June 15, 2024

That would work, but what about http? Assume that I log in successfully and then get redirected to a dashboard panel which is served via http. Now I want to send feedback, but the request will redirect to https, and again the same policy violation. The feedback button is accessible on every page.

from rack-ssl-enforcer.

mixellent avatar mixellent commented on June 15, 2024

+1 (@blelump)

from rack-ssl-enforcer.

rymai avatar rymai commented on June 15, 2024

Hi guys,

There's actually already a solution for that: the :ignore option. Also, you can take a look at #39 for additional info.

@blelump do you confirm it solves your use case?

from rack-ssl-enforcer.
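The following is an added illustration of the three behaviours this thread turns on (:only forcing a path to https, :strict pushing everything else back to http, and :ignore leaving a path on whatever scheme the page already uses). It is a deliberately simplified, hypothetical middleware written for this example, not the rack-ssl-enforcer gem's code; it only assumes the Rack calling convention (an env hash in, a status/headers/body triple out) and constructed sample requests against the made-up host example.test. It shows why blelump's AJAX call to /feedback from an https login page hits a cross-scheme redirect under :only => ['/login'], :strict => true, and how adding /feedback to :ignore removes the redirect on both schemes.

```ruby
# Hypothetical, simplified stand-in for an SSL-enforcing Rack middleware.
# NOT the rack-ssl-enforcer implementation; written only to make the
# :only / :strict / :ignore semantics from the discussion observable.
class ToySslEnforcer
  def initialize(app, options = {})
    @app    = app
    @only   = Array(options[:only])          # paths that must be served over https
    @ignore = Array(options[:ignore])        # paths the middleware never touches
    @strict = options.fetch(:strict, false)  # when true, non-:only paths are forced back to http
  end

  def call(env)
    path = env['PATH_INFO']
    # :ignore wins over everything: the request passes through on its current scheme.
    return @app.call(env) if matches?(@ignore, path)

    secure = env['rack.url_scheme'] == 'https'
    if matches?(@only, path)
      secure ? @app.call(env) : redirect(env, 'https')
    elsif @strict
      secure ? redirect(env, 'http') : @app.call(env)
    else
      @app.call(env)
    end
  end

  private

  # A rule is either a Regexp or a path prefix string.
  def matches?(rules, path)
    rules.any? { |rule| rule.is_a?(Regexp) ? rule.match?(path) : path.start_with?(rule) }
  end

  def redirect(env, scheme)
    location = "#{scheme}://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
  end
end

# Minimal downstream app: everything that reaches it answers 200.
APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, ["ok #{env['PATH_INFO']}"]] }

# Constructed request: a POST to `path` on host example.test over `scheme`.
# Returns the status and the Location header (nil when there was no redirect).
def request(stack, scheme, path)
  env = {
    'rack.url_scheme' => scheme,
    'HTTP_HOST'       => 'example.test',
    'PATH_INFO'       => path,
    'REQUEST_METHOD'  => 'POST'
  }
  status, headers, _body = stack.call(env)
  [status, headers['Location']]
end

# blelump's configuration: only /login is pinned to https, :strict sends the rest to http.
STRICT_STACK = ToySslEnforcer.new(APP, only: ['/login'], strict: true)
# rymai's answer: same configuration plus :ignore for the AJAX endpoint.
IGNORE_STACK = ToySslEnforcer.new(APP, only: ['/login'], strict: true, ignore: ['/feedback'])

def scenarios
  {
    # Login over http is redirected to https, as intended.
    strict_login_over_http:     request(STRICT_STACK, 'http',  '/login'),
    # The AJAX call from the https login page: redirected to http, which is
    # the cross-scheme redirect the browser's same-origin policy rejects.
    strict_feedback_over_https: request(STRICT_STACK, 'https', '/feedback'),
    # Same call from an http page passes straight through.
    strict_feedback_over_http:  request(STRICT_STACK, 'http',  '/feedback'),
    # With :ignore, /feedback is served on whichever scheme the page used.
    ignore_feedback_over_https: request(IGNORE_STACK, 'https', '/feedback'),
    ignore_feedback_over_http:  request(IGNORE_STACK, 'http',  '/feedback'),
    # :ignore does not weaken the :only rule for /login.
    ignore_login_over_http:     request(IGNORE_STACK, 'http',  '/login')
  }
end

if __FILE__ == $PROGRAM_NAME
  scenarios.each { |name, (status, location)| puts format('%-28s %d %s', name, status, location) }
end
```

The point to take away for the defender's side: :ignore is the right tool for an endpoint that is called by script from pages on both schemes, but it also means that endpoint is never forced to https, so anything that carries session cookies or sensitive data should instead be listed in :only and called only from https pages.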

tobmatth avatar tobmatth commented on June 15, 2024

I'm closing here. Feel free to reopen...

from rack-ssl-enforcer.
