Bug 849076 - openshift drupal cartridge sends links to insecure css and js include files when in https mode
Summary: openshift drupal cartridge sends links to insecure css and js include files w...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OKD
Classification: Red Hat
Component: Templates
Version: 2.x
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Clayton Coleman
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-08-17 08:57 UTC by clive darra
Modified: 2015-05-15 02:03 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-13 03:00:12 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description clive darra 2012-08-17 08:57:35 UTC 
Description of problem:
openshift drupal cartridge sends links to insecure include files in https mode

Version-Release number of selected component (if applicable):


How reproducible:
everytime

Steps to Reproduce:
1. build a openshift drupal vm
2. run google chrome browser
3. goto https version of site (ie https://drupal-osde8info.rhcloud.com/)
  
Actual results:
layout is badly broken because chrome is blocking insecure css and js files

<style type="text/css" media="all">@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.base.css?lp434t");
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.menus.css?lp434t");
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.messages.css?lp434t");
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.theme.css?lp434t");</style>

<script type="text/javascript" src="http://drupal-osde8info.rhcloud.com/misc/jquery.js?v=1.4.4"></script>
<script type="text/javascript" src="http://drupal-osde8info.rhcloud.com/misc/jquery.once.js?v=1.2"></script>
<script type="text/javascript" src="http://drupal-osde8info.rhcloud.com/misc/drupal.js?lp434t"></script>
<script type="text/javascript">

Expected results:

https layout should be same as http layout

includes should all be prefixed with https instead of http

Additional info:

might be upstream drupal issue ?

workaround use seamonkey instead of chrome
Comment 1 Clayton Coleman 2012-08-20 01:55:47 UTC 
This could be specific to the apache config in the quickstart.  Vojtek might be a good candidate to look at this.
Comment 2 clive darra 2012-08-20 21:30:40 UTC 
comparing
http://www.alfresco.com/news/press-releases 
to 
https://www.alfresco.com/news/press-releases 

shows you what should happen when a drupal site is switched from http to https

view-source:https://www.alfresco.com/news/press-releases

<style>@import url("https://www.alfresco.com/modules/system/system.base.css?m924uy");
@import url("https://www.alfresco.com/modules/system/system.menus.css?m924uy");
@import url("https://www.alfresco.com/modules/system/system.messages.css?m924uy");
@import url("https://www.alfresco.com/modules/system/system.theme.css?m924uy");</style>
<style media="screen">@import url("https://www.alfresco.com/sites/www/modules/contrib/qtip/library/jquery.qtip.css?m924uy");
@import url("https://www.alfresco.com/sites/www/modules/contrib/qtip/css/qtip.css?m924uy");</style>
<style>@import url("https://www.alfresco.com/modules/aggregator/aggregator.css?m924uy");
@import url("https://www.alfresco.com/modules/comment/comment.css?m924uy");
@import url("https://www.alfresco.com/sites/www/modules/contrib/date/date_api/date.css?m924uy");
@import url("https://www.alfresco.com/sites/www/modules/contrib/date/date_popup/themes/datepicker.1.7.css?m924uy");
@import url("https://www.alfresco.com/modules/field/theme/field.css?m924uy");
@import url("https://www.alfresco.com/modules/node/node.css?m924uy");
Comment 3 Vojtech Vitek 2012-08-22 18:34:29 UTC 
Seems like the website uses insecure content from external sites (javascript fonts etc.) - so it's not about Apache settings.

The external links should be switched to https:// as well, if possible, or the files should be downloaded and served internally using secure connection.

From Chrome console:
> The page at https://www.alfresco.com/news/press-releases ran insecure content from http://use.typekit.com/lwe1pzs.js.
> The page at https://www.alfresco.com/news/press-releases ran insecure content from http://s7.addthis.com/js/250/addthis_widget.js.
> The page at https://www.alfresco.com/news/press-releases ran insecure content from http://use.typekit.com/lwe1pzs.js.
> The page at https://www.alfresco.com/news/press-releases ran insecure content from http://s7.addthis.com/js/250/addthis_widget.js.
> The page at https://www.alfresco.com/news/press-releases displayed insecure content from http://tags.w55c.net/rs?id=e1f1336c2994484b8581404a67ce0a0b&t=marketing.
> The page at https://www.alfresco.com/news/press-releases displayed insecure content from http://www.googleadservices.com/pagead/conversion/1033198129/?value=0&label=5QX4CN2IggMQsbTV7AM&guid=ON&script=0.
> The page at https://www.alfresco.com/news/press-releases displayed insecure content from http://ad.yieldmanager.com/pixel?adv=724740&code=0AfHwCAxgc&t=2.
> The page at https://www.alfresco.com/news/press-releases displayed insecure content from http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1033198129/?value=0&label=5QX4CN2IggMQsbTV7AM&guid=ON&script=0&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false.
Comment 4 Vojtech Vitek 2012-08-23 22:25:16 UTC 
Re-assigning to Clayton, as I can't help here.

Imho, this issue is not related to the Drupal Cartridge but to the front-end of the Drupal site (js files and/or alfrescodotcom theme).
Comment 5 clive darra 2012-08-24 08:48:38 UTC 
sorry it looks like i've added some confusion here by mentioning a third party drupal site that does work

i am not worried at all about external links only openshift drupal internal links that are not secure

perhaps this makes it clearer

openshift drupal apps in https mode generate

<style type="text/css" media="all">
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.base.css?lp434t");
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.menus.css?lp434t");
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.messages.css?lp434t");
@import url("http://drupal-osde8info.rhcloud.com/modules/system/system.theme.css?lp434t");</style>

<script type="text/javascript" src="http://drupal-osde8info.rhcloud.com/misc/jquery.js?v=1.4.4"></script>
<script type="text/javascript" src="http://drupal-osde8info.rhcloud.com/misc/jquery.once.js?v=1.2"></script>
<script type="text/javascript" src="http://drupal-osde8info.rhcloud.com/misc/drupal.js?lp434t"></script>
<script type="text/javascript">

where they should generate 

<style type="text/css" media="all">
@import url("https://drupal-osde8info.rhcloud.com/modules/system/system.base.css?lp434t");
@import url("https://drupal-osde8info.rhcloud.com/modules/system/system.menus.css?lp434t");
@import url("https://drupal-osde8info.rhcloud.com/modules/system/system.messages.css?lp434t");
@import url("https://drupal-osde8info.rhcloud.com/modules/system/system.theme.css?lp434t");</style>

<script type="text/javascript" src="https://drupal-osde8info.rhcloud.com/misc/jquery.js?v=1.4.4"></script>
<script type="text/javascript" src="https://drupal-osde8info.rhcloud.com/misc/jquery.once.js?v=1.2"></script>
<script type="text/javascript" src="https://drupal-osde8info.rhcloud.com/misc/drupal.js?lp434t"></script>
<script type="text/javascript">

ps openshift wordpress apps work correctly
Comment 6 Clayton Coleman 2013-02-13 03:00:12 UTC 
This is an upstream problem and is out of our hands.  Should be opened against Drupal core.
Note You need to log in before you can comment on or make changes to this bug.