Bug #1573: Rails 3: check HTTPS links always used at application boundaries

Comments

1. Greg Hurrell 2010-06-15T11:13:35Z

   For things like feeds with an explicit call to a _url helper, we can do stuff like:

    entry.content :src => post_url(post, :protocol => 'https')

   But there are places where the URL is implicit such as:

   for post in @posts
     feed.entry post do |entry|
       ...

   There feed.entry builds up info based on the passed-in post instance, and if the user is accessing over HTTP, the generated link will begin with the "http" schema.

   In that case would need to pass in an explicit :url option:

   for post in @posts
     feed.entry(post, :url => post_url(post, :protocol => 'https')
       ...

2. Greg Hurrell 2010-06-15T11:17:59Z

   And in that same example, I can see the top-level of the feed will need to change as well.

3. Greg Hurrell 2010-06-15T11:28:39Z

   Actually, I think I am over-thinking this (again).

   When the server is properly configured (ie. with nginx on the front end accepting all requests, forwarding only HTTPS requests to the Rails app, and the firewall preventing any direct non-localhost connections to the the application server) no non-HTTPS requests will ever hit the app. All requests will have HTTP_X_FORWARDED_PROTO set to https, and Rails will pick that up when generating URLs.

   Test requests will come from localhost, so might produce non-HTTPS links, but test requests should never hit the live app server running in production mode, so no bad links should ever be cached.

4. Greg Hurrell 2010-07-16T16:48:03Z

   Status changed:

   • From: new
   • To: closed

Add a comment

Comments are now closed for this issue.