Re: CSS and HTTPS problem ...
Many thanks Rob, i'll consider that .. will give it a try and feedback whenever possible You'd have to change the CSS to also reference the images, etc. over https. The warning you describe will be triggered whenever you have an HTML page, delivered over https, that calls images, CSS, or javascript from another source, delivered over http. This isn't a Restlet thing ... it applies to any SSL Web server. However, one neat Restlet thing that does help, is the Redirector feature. This is a bit advanced, but you can use the Redirector on your local web service to proxy these requests to the other server; this can be used to avoid such warnings and single-source issues, at the expense of some overhead in your web service and a responsibility to manage the security appropriately. - Rob -- View this message in context: http://n2.nabble.com/CSS-and-HTTPS-problem-...-tp2544622p2604784.html Sent from the Restlet Discuss mailing list archive at Nabble.com. -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1595403
Re: CSS and HTTPS problem ...
Hi, Rob Heittman wrote: > You'd have to change the CSS to also reference the images, etc. over > https. The warning you describe will be triggered whenever you have an > HTML page, delivered over https, that calls images, CSS, or javascript > from another source, delivered over http. This isn't a Restlet thing > ... it applies to any SSL Web server. Yes, I agree. Although it's possible to turn off this warning in Firefox I'd suggest to keep it on. In terms of site design, it's bad practice to mix HTTPS and plain HTTP content. I've recently found a security issue with a service we use (I believe the vendor is investigating the matter). Access to the whole site was supposed to be secure because it was served over HTTPS. However, one of the web pages was loading a JavaScript document, which was linking another JavaScript document, this time in plain HTTP. (Surprisingly enough, this second link was a plain HTTP URL only if "Mac" was in the user-agent header!) Even if this last request failed with a 404 status code (the document being actually only served over HTTPS), the request was made over plain HTTP and contained the authenticated session cookie. Therefore, someone intercepting that request would be able to hijack the session. I haven't looked at how IE behaves with mixed content, but the downside of Firefox warnings is that they are just warnings (you can't cancel the request: you can only realise it's too late). > However, one neat Restlet thing that does help, is the Redirector > feature. This is a bit advanced, but you can use the Redirector on your > local web service to proxy these requests to the other server; this can > be used to avoid such warnings and single-source issues, at the expense > of some overhead in your web service and a responsibility to manage the > security appropriately. +1 Best wishes, Bruno. -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1499674
Re: CSS and HTTPS problem ...
You'd have to change the CSS to also reference the images, etc. over https. The warning you describe will be triggered whenever you have an HTML page, delivered over https, that calls images, CSS, or javascript from another source, delivered over http. This isn't a Restlet thing ... it applies to any SSL Web server. However, one neat Restlet thing that does help, is the Redirector feature. This is a bit advanced, but you can use the Redirector on your local web service to proxy these requests to the other server; this can be used to avoid such warnings and single-source issues, at the expense of some overhead in your web service and a responsibility to manage the security appropriately. - Rob On Tue, Mar 31, 2009 at 5:34 AM, Mohamed Abdel-Aziz Bayoumi < mohamed@gmail.com> wrote: > Hi Rob, > > Thanx for the fast reply ... As it told you Rob i'm using absolute links to > images or css (since these are not hosted on my server) like the following > CSS snippet (the background property) >thead th,tbody th >{ > background : #FFF url( > http://muffinresearch.co.uk/code/xhtmlandcss/tableshow/th_bck.gif) > repeat-x; > color: white; > padding : 5px 10px; > border-left : 1px solid #CCC; > } > another important note: i've switched to HTTP instead of HTTPS just to test > and the style was displayed perfectly (no broken images or missing css > files) both locally and remotely (i didn't change anything in code) which > makes me 100% that the problem is mainly considered with HTTPS connection as > i told you before ... > > Thank you > > > Hard to diagnose without seeing the HTML source ... but is it possible your > HTML is constructed with an absolute URL (starting with http://) in the > CSS > tag? Any snippets of the HTML you can share, or a link to a > page if it's public? > > On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi < > mohamed@gmail.com> wrote: > > > It's been a long time since i posted here ... hope u r all fine n well .. > > Now my problem. I've planned to add some style to one of my restlet > (which > > is actually a TEXT_HTML MediaType repreaentation) so i made an external > > stylesheet n saved my .css file and linked it to my html restlet and > began > > to test n here u r what i found (note: i'm running the whole application > via > > secured HTTPS): > > > > ------ > > http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1445199 > > > -- > View this message in context: > http://n2.nabble.com/CSS-and-HTTPS-problem-...-tp2544622p2562022.html > Sent from the Restlet Discuss mailing list archive at Nabble.com. > > -- > > http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1493998 > -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1498463
Re: CSS and HTTPS problem ...
Hi Rob, Thanx for the fast reply ... As it told you Rob i'm using absolute links to images or css (since these are not hosted on my server) like the following CSS snippet (the background property) thead th,tbody th { background : #FFF url(http://muffinresearch.co.uk/code/xhtmlandcss/tableshow/th_bck.gif) repeat-x; color: white; padding : 5px 10px; border-left : 1px solid #CCC; } another important note: i've switched to HTTP instead of HTTPS just to test and the style was displayed perfectly (no broken images or missing css files) both locally and remotely (i didn't change anything in code) which makes me 100% that the problem is mainly considered with HTTPS connection as i told you before ... Thank you Hard to diagnose without seeing the HTML source ... but is it possible your HTML is constructed with an absolute URL (starting with http://) in the CSS tag? Any snippets of the HTML you can share, or a link to a page if it's public? On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi < mohamed@gmail.com> wrote: > It's been a long time since i posted here ... hope u r all fine n well .. > Now my problem. I've planned to add some style to one of my restlet (which > is actually a TEXT_HTML MediaType repreaentation) so i made an external > stylesheet n saved my .css file and linked it to my html restlet and began > to test n here u r what i found (note: i'm running the whole application via > secured HTTPS): > -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1445199 -- View this message in context: http://n2.nabble.com/CSS-and-HTTPS-problem-...-tp2544622p2562022.html Sent from the Restlet Discuss mailing list archive at Nabble.com. -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1493998
Re: CSS and HTTPS problem ...
To add to Rob's hunch -- My guess is that you are using a relative URL to access the CSS, and that you don't have a trailing slash after your base URL. For example, your base URL might be: http://localhost:8080/myapplication/main While your CSS link would be: So the browser would be looking for: http://localhost:8080/myapplication/mainmy.css You need to use a trailing slash on the base URL! This is something that can happen in Restlet but not in most Apache configurations, because Restlet is forgiving about the trailing slash. -Tal On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumiwrote: It's been a long time since i posted here ... hope u r all fine n well .. Now my problem. I've planned to add some style to one of my restlet (which is actually a TEXT_HTML MediaType repreaentation) so i made an external stylesheet n saved my .css file and linked it to my html restlet and began to test n here u r what i found (note: i'm running the whole application via secured HTTPS):
Re: CSS and HTTPS problem ...
Hard to diagnose without seeing the HTML source ... but is it possible your HTML is constructed with an absolute URL (starting with http://) in the CSS tag? Any snippets of the HTML you can share, or a link to a page if it's public? On Fri, Mar 27, 2009 at 10:46 AM, Mohamed Abdel-Aziz Bayoumi < mohamed@gmail.com> wrote: > It's been a long time since i posted here ... hope u r all fine n well .. > Now my problem. I've planned to add some style to one of my restlet (which > is actually a TEXT_HTML MediaType repreaentation) so i made an external > stylesheet n saved my .css file and linked it to my html restlet and began > to test n here u r what i found (note: i'm running the whole application via > secured HTTPS): > -- http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1445199
CSS and HTTPS problem ...
Hi All, It's been a long time since i posted here ... hope u r all fine n well .. Now my problem. I've planned to add some style to one of my restlet (which is actually a TEXT_HTML MediaType repreaentation) so i made an external stylesheet n saved my .css file and linked it to my html restlet and began to test n here u r what i found (note: i'm running the whole application via secured HTTPS): 1- Running on microsoft windows: Everything went okay, style file was loaded okay and applied to my html successfully, images were loaded and everything went fine for me (accessed the restlet via all available browsers IE, FF, and Chrome). 2- Hosting the restlet on a server running windows Worked also like charm but on the server .. and when trying to access the remotely from my local machine style doesn't show with IE telling me "this webpage contains content that will not be delivered using a secure HTTPS connection. which could compromise the security of the entire webpage" .. tried also from FF and Chrome without hope of seen my style applied. 3- Running on openSUSE 10.3: External styles are never applied and the page displays without any style (as if the .css wasn't seen eventhough i'm giving the absolute path to the file on my local machine) so i copied the styles inside my html restlet in