Task #2312

Avoid serving web content over http:// when possible

Added by Guilhem Moulin 6 months ago. Updated 3 months ago.

Status: New
Priority: Normal
Category: Webserver
Target version: Team - Q4/2017
% Done: 0%

Description

Ideally all http:// requests would be permanently redirected to their https:// counterpart. It's mostly the case already (using X.509 certs from Let's Encrypt), but the TDF and LO websites are still serving pages over http://. (There is an HTTPS Everywhere rule for both, but we still want 301 redirects on our HTTPd.)

Moreover we should track down pages that are still referencing http:// URIs (for instance the imprint or the logo, respectively with an <a> and <img> tag) and upgrade them to https://.

In some cases it makes sense not to deploy that redirect, though:

Related issues

Related to Infrastructure - Task #2340: LibreOffice download page - please change torrent file to be downloaded using https instead of current http link (New)

Related to Infrastructure - Task #1987: Please use HTTPS for downloads to protect users (In Progress)

History

#1 Updated by Guilhem Moulin 5 months ago

  • Related to Task #2340: LibreOffice download page - please change torrent file to be downloaded using https instead of current http link added

#2 Updated by Olivier Hallot 4 months ago

Hi

I grep'ed the source code of the sfx2 module and FWIW, here is the result WRT hub.libreoffice.org. I think nothing needs to change.

tdf@olivier-ntbk:~/git/core/sfx2/source$ git grep hub
appl/appserv.cxx: OUString sURL("https://hub.libreoffice.org/send-feedback/?LOversion=" + utl::ConfigManager::getAboutBoxProductVersion() +
appl/appserv.cxx: OUString sURL("https://hub.libreoffice.org/forum/?LOlang=" + aLang);
appl/appserv.cxx: OUString sURL("https://hub.libreoffice.org/documentation/?LOlocale=" + utl::ConfigManager::getLocale());
appl/appserv.cxx: OUString sURL("https://hub.libreoffice.org/donation/?BCP47=" + aBcp47 + "&LOlang=" + aLang );

#3 Updated by Krasnaya Ploshchad’ . 4 months ago

To avoid this, I have installed the Smart HTTPS add-on in my browser, then I enabled the “Add Upgrade-Insecure-Requests header to ALL websites with HTTPS protocol” option. All requests would be forced to use HTTPS first.
https://mybrowseraddon.com/smart-https.html

#4 Updated by Florian Effenberger 3 months ago

  • Target version changed from Q3/2017 to Q4/2017

Given the other pending tasks for Q3 (e.g. further SSO deployments), and that this is a longer task, shifting to Q4.
Olivier, if there are pages that are important for you specifically wrt. SEO, please let us know, and Guilhem can look if those can be prioritized

#5 Updated by Krasnaya Ploshchad’ . 3 months ago

Maybe we can also make certain links hardcoded in this way:

<a href="//example.com#contents">see contents</a>

#6 Updated by Guilhem Moulin 27 days ago

  • Related to Task #1987: Please use HTTPS for downloads to protect users added
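
One way to track down the remaining http:// references mentioned in the description, as an added example that is not part of the original ticket or the project's code: a Python scan over HTML that reports http:// URLs in link and subresource attributes, and also flags scheme-relative URLs like the one in comment #5, which inherit the scheme of the page that embeds them. The sample page, the host example.org and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches on its own vs. follows on click.
SUBRESOURCE = {("img", "src"), ("script", "src"), ("iframe", "src"),
               ("link", "href"), ("source", "src")}
NAVIGATION = {("a", "href"), ("area", "href"), ("form", "action")}
URL_ATTRS = SUBRESOURCE | NAVIGATION

class InsecureRefFinder(HTMLParser):
    """Collect URL attributes that do not pin the https:// scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attr, url, kind)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is None or (tag, attr) not in URL_ATTRS:
                continue
            url = value.strip()
            if url.startswith("//"):
                kind = "scheme-relative"  # resolves to http:// on an http:// page
            elif url.lower().startswith("http://"):
                kind = "subresource" if (tag, attr) in SUBRESOURCE else "navigation"
            else:
                continue  # https://, relative paths, mailto:, ...
            self.findings.append((self.getpos()[0], tag, attr, url, kind))

def find_insecure_refs(html):
    """Return findings for one HTML document, in document order."""
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; example.org is a placeholder host.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://example.org/site.css">
</head><body>
<img src="http://example.org/logo.png" alt="logo">
<a href="HTTP://example.org/imprint">Imprint</a>
<a href="//example.com#contents">see contents</a>
<a href="/download">Download</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in find_insecure_refs(SAMPLE):
        print(f"line {line}: <{tag} {attr}> {url} [{kind}]")
```

Findings of kind "subresource" are the ones a browser loads automatically and are the first to upgrade; "scheme-relative" entries are only as secure as the page that contains them.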
