
Use https://<cdn>/ rather than //<cdn>/ for security? #609

Closed
hartwork opened this issue May 18, 2020 · 4 comments · Fixed by #611

@hartwork (Contributor)

Hi!

I noticed that there are a few places in here where CDNs are referenced using //<cdn>/ rather than https://<cdn>/. To my understanding that makes requests go through HTTP rather than HTTPS without any gains. Am I missing something? Would you welcome a patch?

```console
# git grep -h "['\"]//" | sort -u
        assert f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/css/select2.min.css' in result
        assert f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/select2.min.js' in result
    CSS = '//cdnjs.cloudflare.com/ajax/libs/select2/{version}/css/select2.min.css'.format(version=LIB_VERSION)
            error = driver.find_element_by_xpath('//body[@JSError]')
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/de.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/en.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/sr-Cyrl.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/zh-CN.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/zh-TW.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/select2.min.js',
    I18N_PATH = '//cdnjs.cloudflare.com/ajax/libs/select2/{version}/js/i18n'.format(version=LIB_VERSION)
    JS = '//cdnjs.cloudflare.com/ajax/libs/select2/{version}/js/select2.min.js'.format(version=LIB_VERSION)
<script src="//code.jquery.com/jquery-2.1.4.min.js"></script>
```
@codingjoe (Collaborator)

Hi @hartwork,

`//` will cause the browser to use the same scheme used by the parent page. If that is served via HTTPS, so will the asset. You can alter that behavior if you override `base` in your HTML head.

Anyhow, I don't see a big problem, since one should serve their Django site only via HTTPS, and in development you always serve over HTTP, never file://, with runserver.

With all that being said, I will not reject a patch adding an explicit protocol. I'd welcome it :)

Best,
Joe

@codingjoe codingjoe added enhancement and removed bug labels May 22, 2020
@codingjoe codingjoe assigned hartwork and unassigned codingjoe May 22, 2020
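The resolution rule Joe describes (a `//host/path` reference takes the scheme of the document's base URL, and a `<base href>` in the head can change that base), plus a rewriter that pins such references to `https://`, as an added example. This is not code from django-select2 or its maintainers; it runs in Node.js on the WHATWG `URL` class. The sample URLs and HTML fragments are constructed for the demo, with `VERSION` standing in for a real select2 version, and the `example.com` / `localhost` page URLs are assumptions.

```javascript
// Added example, not code from django-select2. Demonstrates how a
// protocol-relative reference ("//host/path") resolves in a browser and how
// to rewrite such references to an explicit https:// scheme.
// Runs under Node.js; only the built-in WHATWG URL class is used.

// Constructed sample reference; VERSION is a placeholder, not a real version.
const CDN_JS = '//cdnjs.cloudflare.com/ajax/libs/select2/VERSION/js/select2.min.js';

// Resolve an asset reference the way a browser does: against the document's
// base URL. A "//host/path" reference inherits whatever scheme the base has.
function resolveAsset(assetRef, documentBaseUrl) {
  return new URL(assetRef, documentBaseUrl).href;
}

// Effective base of an HTML document: <base href> if present (itself resolved
// against the page URL), otherwise the page URL. Regex is enough for a
// demo on source text; a real tool would use an HTML parser.
function documentBase(html, pageUrl) {
  const m = /<base\s[^>]*href=(["'])([^"']+)\1/i.exec(html);
  return m ? new URL(m[2], pageUrl).href : pageUrl;
}

// Match only "//host[:port]/..." so that other strings starting with "//"
// (e.g. the XPath "//body[@JSError]" that git grep also picked up) are skipped.
const PROTOCOL_RELATIVE = /^\/\/(?=[a-z0-9.-]+(?::\d+)?\/)/i;

function isProtocolRelative(ref) {
  return PROTOCOL_RELATIVE.test(ref);
}

// "//host/path" -> "https://host/path"; anything else is returned unchanged.
function forceHttps(ref) {
  return isProtocolRelative(ref) ? 'https:' + ref : ref;
}

// Apply forceHttps to every src/href attribute in an HTML or template fragment.
function forceHttpsInHtml(html) {
  return html.replace(/\b(src|href)=(["'])(\/\/[^"']*)\2/gi,
    (match, attr, quote, ref) => `${attr}=${quote}${forceHttps(ref)}${quote}`);
}

// Demo: same reference, three different document bases.
const page = 'https://example.com/admin/';
console.log(resolveAsset(CDN_JS, page));                      // https://cdnjs.cloudflare.com/...
console.log(resolveAsset(CDN_JS, 'http://localhost:8000/'));  // http://cdnjs.cloudflare.com/...
console.log(resolveAsset(CDN_JS, 'file:///home/dev/page.html')); // file://cdnjs.cloudflare.com/...

// An HTTPS page whose head carries <base href="http://..."> downgrades the asset.
const headWithBase = '<head><base href="http://example.com/"></head>';
console.log(resolveAsset(CDN_JS, documentBase(headWithBase, page))); // http://cdnjs.cloudflare.com/...

// Pinning the scheme removes the dependence on the base URL altogether.
console.log(forceHttpsInHtml('<script src="//code.jquery.com/jquery-2.1.4.min.js"></script>'));
console.log(isProtocolRelative('//body[@JSError]')); // false: XPath, not a URL
```

The rewriter deliberately requires a host and a following slash after `//`, which is why the XPath hit from the grep output above is left untouched; anything more exotic (user info, bare `//host` without a path) would need the regex widened.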
@hartwork (Contributor, Author)

I'm happy to create a pull request once my other pull requests #607 #608 #610 have been reviewed 🍻

@codingjoe (Collaborator) commented May 23, 2020

> I'm happy to create a pull request once my other pull requests #607 #608 #610 have been reviewed 🍻

So, no pressure you say? 😉

@hartwork (Contributor, Author)

Here you go: #611

hartwork added a commit to hartwork/django-select2 that referenced this issue May 23, 2020