Nuxeo Drive
NXDRIVE-1917

Support HTTPS only (**breaking change**)


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.0611, 4.1.3
    • Fix Version/s: 4.4.7
    • Component/s: Framework

      Description

      Current Situation

      Drive has always worked with both HTTP and HTTPS, but HTTP is a serious security flaw as everything transits in cleartext (especially tokens ...).

      A workaround was added with NXDRIVE-1647, and it is effectively a bad decision as:

      • it changes the server URL without asking the user
      • it introduces errors of its own

      So the proposition is to make Drive work with HTTPS only, as it is already the case with the mobile application.

      This is a breaking change as it will force users to have an HTTPS server, but in production this should already be the case.

      Pros:

      • It will reinforce the idea that Drive is secure to use.
      • It will help catch bad server deployments, forcing sysadmins to do the right thing: allow HTTPS only and, for instance, stop relying on HTTP -> HTTPS redirections.

      Scope

      Work to implement:

      • When one enters a server URL, display a red error if it is not HTTPS.
      • When automatically checking for the server URL, using the guess_server_url() function, drop the HTTP candidates.
      • For developers and users who still want to use an insecure URL, a whitelist option listing the hosts for which the check is skipped can be used. This list will contain, by default: localhost and 127.0.0.1.
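      The following is an added example, not Nuxeo Drive's own code and not its real guess_server_url(). It shows the three scope items above in a standalone form: reject any non-HTTPS URL, let http:// through only for an exact-hostname whitelist defaulting to localhost and 127.0.0.1, and only ever generate https:// candidates when guessing from a bare host. The function names (check_server_url, is_acceptable, guess_https_candidates) and the "/nuxeo" context path probed by the guesser are assumptions for illustration. One caveat a practitioner will want: the whitelist is compared against the parsed hostname, so "localhost.example.com" and "http://localhost@evil.example.com" are not treated as localhost.

```python
"""Hypothetical HTTPS-only server URL check (added example, not Nuxeo Drive code)."""
from urllib.parse import urlsplit, urlunsplit

# Hosts allowed to keep plain HTTP, per the ticket's proposed default.
# Matched on the exact parsed hostname, never on a substring.
DEFAULT_INSECURE_WHITELIST = frozenset({"localhost", "127.0.0.1"})


class InsecureServerUrl(ValueError):
    """Raised for a non-HTTPS server URL whose host is not whitelisted."""


def check_server_url(url: str, whitelist=DEFAULT_INSECURE_WHITELIST) -> str:
    """Return the URL untouched if acceptable, else raise InsecureServerUrl.

    Acceptable: scheme is https, or scheme is http and the exact hostname is
    whitelisted. Anything else (no scheme, ftp, unparsable host) is rejected
    rather than silently rewritten, which is the NXDRIVE-1647 behaviour the
    ticket objects to.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; userinfo and port stripped
    except ValueError:  # e.g. malformed IPv6 brackets
        raise InsecureServerUrl(f"cannot parse {url!r}") from None
    if not host:
        raise InsecureServerUrl(f"cannot determine host in {url!r}")
    scheme = parts.scheme.lower()
    if scheme == "https":
        return url
    if scheme == "http" and host in whitelist:
        return url
    raise InsecureServerUrl(
        f"{url!r}: only HTTPS is supported (http allowed only for {sorted(whitelist)})"
    )


def is_acceptable(url: str, whitelist=DEFAULT_INSECURE_WHITELIST) -> bool:
    """Boolean wrapper, e.g. to decide whether to show the red error in the UI."""
    try:
        check_server_url(url, whitelist)
    except InsecureServerUrl:
        return False
    return True


def guess_https_candidates(user_input: str, whitelist=DEFAULT_INSECURE_WHITELIST) -> list:
    """Candidate server URLs to probe, without any HTTP guessing.

    A bare host gets an https:// prefix only. An explicit URL is kept only if
    check_server_url accepts it; otherwise no candidates are returned and the
    caller shows the error instead of downgrading. The "/nuxeo" context path
    (assumed default deployment path) is added as a second candidate.
    """
    text = user_input.strip()
    if "://" not in text:
        text = "https://" + text  # never guess http:// for a bare host
    if not is_acceptable(text, whitelist):
        return []
    parts = urlsplit(text)
    path = parts.path.rstrip("/")
    paths = [path + "/"] if path.endswith("/nuxeo") else [path + "/", path + "/nuxeo/"]
    return [urlunsplit((parts.scheme.lower(), parts.netloc, p, "", "")) for p in paths]


if __name__ == "__main__":
    # Constructed inputs, not taken from any real deployment.
    for url in ("https://nuxeo.example.com/nuxeo", "http://localhost:8080/nuxeo",
                "http://nuxeo.example.com/nuxeo", "http://localhost.example.com/nuxeo"):
        print(f"{url:45} -> {'ok' if is_acceptable(url) else 'RED ERROR: HTTPS only'}")
    print(guess_https_candidates("nuxeo.example.com"))
```

      Usage: wire check_server_url into the settings dialog so the red error appears as soon as the field is validated, and make guess_https_candidates the only source of URLs the connection test probes; a whitelist override for developers then only needs to pass a different frozenset.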

      People

      • Assignee: Mickaël Schoentgen
      • Reporter: Mickaël Schoentgen