This repository has been archived by the owner on Oct 6, 2021. It is now read-only.

Insecure links and loading #200

Open
1 task
alfalfascout opened this issue Jan 28, 2018 · 9 comments

@alfalfascout

  • Check this box if this is a security vulnerability.

Summary

Airship keeps trying to load things over http and submit forms over http even when the current page is served over https. As a result, I can't log in and I'm getting console errors.

Expected Outcome

I could log into the bridge and start doing things with my airship.

What Actually Happened

bridge:11 Refused to load the stylesheet 'http://xxx.xxx.com/bridge/motif_extra.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

bridge:35 Mixed Content: The page at 'https://xxx.xxx.com/bridge' was loaded over a secure connection, but contains a form that targets an insecure endpoint 'http://xxx.xxx.com/bridge/login'. This endpoint should be made available over a secure connection.

bridge:1 Refused to load the stylesheet 'http://xxx.xxx.com/bridge/motif_extra.css' because it violates the following Content Security Policy directive: "style-src 'self' 'unsafe-inline'".

Submitting the form does nothing.

@paragonie-scott
Member

That has to do with how the current Cabin is configured. Check src/Cabins/Bridge/config.json.

@alfalfascout
Author

There is no such directory as src/Cabins/Bridge in my airship directory.
In src/Cabin/Bridge, there is no such file as config.json.

@paragonie-scott
Member

Sorry, src/Cabins/Bridge/config/config.json.

@paragonie-scott
Member

Actually, wrong file. Check src/config/cabins.json and look at the canon_url property.

@alfalfascout
Author

That's very strange. The canon_url is http even though I set https to true. It feels like that shouldn't be possible.

@paragonie-scott
Member

It's a configuration thing. I'm working on a patch in my other window. Give me 10 or 15 minutes and it'll be fixed in dev-master.

@alfalfascout
Author

I have updated the canon_url to be https, but I'm still getting these errors. I hope that helps you in planning your fix.

@paragonie-scott
Member

6189af6 should fix it. It's probably caching too, but this fixes it as it's retrieved.

@alfalfascout
Author

I'm not getting those errors anymore, but I am getting Exciting, New Errors. I'll see if I can figure them out.
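
Added example (not part of the original thread or of Airship's code): a small Python check for the two failure classes in the console output above, an `http://` stylesheet and an `http://` form target on a page served over `https`. The host name `airship.example`, the sample markup and the function name `find_insecure_refs` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch from or submit to a URL.
URL_ATTRS = {"form": "action", "link": "href", "script": "src", "img": "src", "iframe": "src"}


class _RefCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # Resolve relative references the way the browser would.
            self.refs.append((tag, attr, urljoin(self.page_url, value)))


def find_insecure_refs(page_url, html):
    """Return (tag, attr, url, same_host) for each http:// reference on an https page."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # mixed content only applies to pages served over https
    collector = _RefCollector(page_url)
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.refs:
        target = urlsplit(url)
        if target.scheme == "http":
            findings.append((tag, attr, url, target.hostname == page.hostname))
    return findings


# Constructed sample page mirroring the two console errors in the report.
SAMPLE_PAGE = """
<link rel="stylesheet" href="http://airship.example/bridge/motif_extra.css">
<link rel="stylesheet" href="/bridge/motif.css">
<form method="post" action="http://airship.example/bridge/login"></form>
<script src="https://airship.example/bridge/app.js"></script>
"""

if __name__ == "__main__":
    for finding in find_insecure_refs("https://airship.example/bridge", SAMPLE_PAGE):
        print(finding)
```

A `same_host` value of `True` on every finding, as in this sample, points at an absolute base URL generated with the wrong scheme rather than at third-party content.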
