Christopher, No need to worry - thanks for clarifying!
Just to close the loop on this, did you contact the HTrace team? Each podling has their own means for contact. HTrace's can be found on http://htrace.incubator.apache.org/mail-lists.html and I would recommend their "Developer List" to let them know. John On Sat, Jan 14, 2017 at 2:31 PM Christopher <ctubb...@apache.org> wrote: > Sorry if I caused confusion. I'm not requesting assistance... I'm just > trying to make the community aware of the issue, and suggesting fixes. The > HTrace page was just one example that didn't work on https. > > On Sat, Jan 14, 2017 at 7:59 AM John D. Ament <johndam...@apache.org> > wrote: > > > I guess this is my confusion as well (hence my prior response). it > sounded > > like from a technical standpoint he wasn't sure how to make it protocol > > agnostic. > > > > RE HTTPS everywhere. The only place that doesn't support HTTPS are the > > staging URLs via CMS. Other than that, all other resources support > HTTPS. > > > > John > > > > On Sat, Jan 14, 2017 at 4:02 AM Evan Hughes <wisebald...@apache.org> > > wrote: > > > > > I see no technical reason why these external libraries cant be included > > > with https instead of http. I would rather see https:// instead of // > as > > > // > > > can cause conflict when serving from a local file system as it'll > assume > > > file://. > > > > > > Though I'm not sure what your proposing Christopher other than a issue > > that > > > needs to be added to htrace's jira page. > > > > > > ~ Evan > > > > > > On Sat, 14 Jan 2017 at 16:14 Christopher <ctubb...@apache.org> wrote: > > > > > > > While I personally would prefer ASF switch everything over to HTTPS > > only, > > > > the main concern here is that projects may only be testing their > sites > > > with > > > > HTTP, and they may not realize that their site breaks for visitors > > using > > > > HTTPS. Using "https://", or simply "//", instead of "http://" for > > > > javascript/css/other resources is a quick fix for most project sites. > > > That > > > > should get things working, regardless of whether their visitors are > > > > visiting the project site with HTTP or HTTPS. > > > > > > > > On Sat, Jan 14, 2017 at 12:42 AM Henri Yandell <bay...@apache.org> > > > wrote: > > > > > > > > > We're not doing SSL-everywhere afaict; so seems that we would want > to > > > > keep > > > > > the HTTP option when in HTTP. > > > > > > > > > > Would love to see Infra providing a 'how many hardcoded http/https' > > > > report > > > > > for each subdomain :) > > > > > > > > > > Hen > > > > > > > > > > On Fri, Jan 13, 2017 at 5:18 PM, Christopher <ctubb...@apache.org> > > > > wrote: > > > > > > > > > > > In most cases, the project developers should just make sure their > > > > > > JavaScript and CSS resources in their page point to an HTTPS > > version. > > > > > They > > > > > > don't actually need to point to the HTTP location. > > > > > > > > > > > > On Fri, Jan 13, 2017, 20:06 Martin Gainty <mgai...@hotmail.com> > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > > > From: Christopher <ctubb...@apache.org> > > > > > > > Sent: Friday, January 13, 2017 1:17 PM > > > > > > > To: general@incubator.apache.org > > > > > > > Subject: Re: HTTPS project sites > > > > > > > > > > > > > > No, I did not. This issue has nothing to do with same origin > > policy > > > > > > (which > > > > > > > most users should never try to disable). It's about mixed > > content. > > > > > > > Accessing a site via https can give a false sense of security > if > > > the > > > > > site > > > > > > > itself depends on non-https content. > > > > > > > > > > > > > > In the past, many browsers would just show a mixed-content > > warning, > > > > > which > > > > > > > most users would probably ignore. Chrome's latest behavior > (and I > > > > > expect > > > > > > > other browsers will follow eventually) tries to give a better > > > > indicator > > > > > > of > > > > > > > the degree of security a site has by not loading mixed-content > by > > > > > > default, > > > > > > > and when the mixed-content is loaded, the page is explicitly > > marked > > > > > "Not > > > > > > > Secure". > > > > > > > > > > > > > > The end result is that project websites may not be presented to > > > their > > > > > > users > > > > > > > in the way the developers intended. > > > > > > > > > > > > > > MG> > > > > > > > http://stackoverflow.com/questions/18327314/how-to- > > > > > > allow-http-content-within-an-iframe-on-a-https-site > > > > > > > > > > > > > > MG>he mentions various strategies..twiddling http headers to > > https, > > > > > > > screen-scraping mixed-content to aggregate on secure site and > > > proxies > > > > > > > MG> as far as proxies he mentions ngrok< > https://ngrok.com/usage> > > > and > > > > > > > mitmproxy<http://mitmproxy.org/>..my personal preference is > > Squid > > > > > > > [ > > > > > > > https://cdn.sstatic.net/Sites/stackoverflow/img/apple-touch- > > > > > > i...@2.png?v=73d79a89bded > > > > > > > ]< > > > > > > > http://stackoverflow.com/questions/18327314/how-to- > > > > > > allow-http-content-within-an-iframe-on-a-https-site > > > > > > > > > > > > > > > > > > > > > > html - How to allow http content within an iframe on a ...< > > > > > > > http://stackoverflow.com/questions/18327314/how-to- > > > > > > allow-http-content-within-an-iframe-on-a-https-site > > > > > > > > > > > > > > > stackoverflow.com > > > > > > > I load some HTML into an iframe but when a file referenced is > > using > > > > > http, > > > > > > > not https, I get the following error: [blocked] The page at > > > > > > > {current_pagename} ran insecure ... > > > > > > > > > > > > > > > > > > > > > > > > > > > > MG>HTH > > > > > > > MG>Martin- > > > > > > > On Fri, Jan 13, 2017 at 12:54 PM Martin Gainty < > > > mgai...@hotmail.com> > > > > > > > wrote: > > > > > > > > > > > > > > > Hi Christopher > > > > > > > > > > > > > > > > > > > > > > > > did you try disabling default x-domain block for XHR request > > > > > > originating > > > > > > > > from Chrome? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://joshuamcginnis.com/2011/02/28/how-to-disable- > > > > > > same-origin-policy-in-chrome/ > > > > > > > How to: Disable Same-Origin Policy in Chrome | Josh McGinnis< > > > > > > > https://joshuamcginnis.com/2011/02/28/how-to-disable- > > > > > > same-origin-policy-in-chrome/ > > > > > > > > > > > > > > > joshuamcginnis.com > > > > > > > How to enable cross-domain ajax requests in Chrome for > > development > > > by > > > > > > > disabling the same-origin policy. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > How to: Disable Same-Origin Policy in Chrome | Josh McGinnis< > > > > > > > > > > > > > > > https://joshuamcginnis.com/2011/02/28/how-to-disable- > > > > > > same-origin-policy-in-chrome/ > > > > > > > How to: Disable Same-Origin Policy in Chrome | Josh McGinnis< > > > > > > > https://joshuamcginnis.com/2011/02/28/how-to-disable- > > > > > > same-origin-policy-in-chrome/ > > > > > > > > > > > > > > > joshuamcginnis.com > > > > > > > How to enable cross-domain ajax requests in Chrome for > > development > > > by > > > > > > > disabling the same-origin policy. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > joshuamcginnis.com > > > > > > > > How to enable cross-domain ajax requests in Chrome for > > > development > > > > by > > > > > > > > disabling the same-origin policy. > > > > > > > > > > > > > > > > > > > > > > > > ? > > > > > > > > > > > > > > > > Martin > > > > > > > > ______________________________________________ > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > > > > From: Christopher <ctubb...@apache.org> > > > > > > > > Sent: Friday, January 13, 2017 12:34 PM > > > > > > > > To: general@incubator.apache.org > > > > > > > > Subject: HTTPS project sites > > > > > > > > > > > > > > > > Hi incubating projects, > > > > > > > > > > > > > > > > I noticed today that at least one incubating web site won't > > load > > > > > > properly > > > > > > > > in the latest version of Chrome with the default settings > using > > > > > HTTPS ( > > > > > > > > https://htrace.incubator.apache.org/). > > > > > > > Apache HTrace – About<https://htrace.incubator.apache.org/> > > > > > > > htrace.incubator.apache.org > > > > > > > Apache HTrace is an Apache Incubator project providing an open > > > source > > > > > > > framework for distributed tracing. It can be used with both > > > > standalone > > > > > > > applications and libraries. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Apache HTrace - About<https://htrace.incubator.apache.org/> > > > > > > > Apache HTrace – About<https://htrace.incubator.apache.org/> > > > > > > > htrace.incubator.apache.org > > > > > > > Apache HTrace is an Apache Incubator project providing an open > > > source > > > > > > > framework for distributed tracing. It can be used with both > > > > standalone > > > > > > > applications and libraries. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > htrace.incubator.apache.org > > > > > > > > Apache HTrace is an Apache Incubator project providing an > open > > > > source > > > > > > > > framework for distributed tracing. It can be used with both > > > > > standalone > > > > > > > > applications and libraries. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > This appears to be caused by Chrome being a bit aggressive > > about > > > > not > > > > > > > > loading scripts from HTTP sources when the page itself is > > loaded > > > > with > > > > > > > > HTTPS. > > > > > > > > > > > > > > > > Projects may wish to check their sites to ensure that their > > > > > > > javascript/css > > > > > > > > resources are loading correctly when using HTTPS. > > > > > > > > > > > > > > > > -- > > > > > > > > Christopher > > > > > > > > > > > > > > > -- > > > > > > > Christopher > > > > > > > > > > > > > > > > > > > > > > -- > > > > Christopher > > > > > > > > > > -- > Christopher >