Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Debugging considerations #87

Closed
netbymatt opened this issue Dec 15, 2022 · 2 comments
Closed

Debugging considerations #87

netbymatt opened this issue Dec 15, 2022 · 2 comments
Labels
enhancement

Comments

@netbymatt
Copy link
Contributor

Background: I'm running on Linux, not Windows, and have written a very, very ugly script that mimics your /CORS C# code, minus any domain and referrer checks. It's not for production, it's for debugging locally.

Once it was up and running I ran into a few problems with URLs. Linux is case sensitive when it comes to file names and Windows is not. This became a problem with the following:

  • The web page makes requests to /images for all the images, but the folder name is Images (capital I at the beginning)
  • The same for /fonts vs. folder name /Fonts

It's an extra replace step in my script to work around that. It can be fixed by renaming the folders or modifying the scripts in several places. But I don't want to create a pull request for it because it's a lot of diff noise. I'll let you consider it.

The second problem that I came across relates to calls to geocode.arcgis.com. All three calls to it use location.protocol to make the url to call the api match the web browser's http or https address. Unfortunately when debugging locally (http) a call to http://gecode.arcgis.com returns 400 and does not redirect to https which means the geocoding fails.

This is where it gets very nuanced and messy. Quick way to recreate is open an incognito window and go directly to http://localhost:8000 (or your locally served dev address). You'll see the failure. But in a normal, non-incognito window the geocode api works. It turns out that https://geocode.arcgis.com sets HSTS, which instructs the browser to always upgrade http to https regardless of what was asked for. And this setting is sticky across all web sites until it expires, which in practice is 1+ years.

Now, go back to your incognito window, manually enter a url at https://geocode.arcgis.com, then refresh the ws4kp page and enter a location. The geocode works!

I can't see any downside to just hard coding these as https. It will always be equally or more secure than the page you're calling it from, so the web browser won't ever flag it as a security downgrade and kill the request.

Again, I'll let you consider this as well. Maybe there's a specific situation that you've seen that I haven't come across yet.
@vbguyny
Copy link
Owner

vbguyny commented Dec 15, 2022

I have run across that issue with geocode in Windows as well. I didn't understand why it happened but that makes sense.

As for the filenames I can make them all lowercase. This is a bit cumbersome as you know.

I'll see when I can get to it 🙂

@vbguyny
Copy link
Owner

vbguyny commented May 23, 2024

The script a while back was changed from http: to use instead location.protocol
This has resolved the issue as https is used by default for the live site and http when debugging locally.

@vbguyny vbguyny closed this as completed May 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vbguyny @netbymatt