
Support HTTPS only (**breaking change**)


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.0611, 4.1.3
    • Fix Version/s: Not yet scheduled version
    • Component/s: Framework
    • Sprint: nxDrive 11.2.7
    • Story Points: 5

      Description

      Current Situation

      Drive has always worked with both HTTP and HTTPS, but HTTP is a serious security flaw as everything transits in the clear (especially tokens ...).

      A workaround was added with NXDRIVE-1647, but it is effectively a bad decision as:

      • it changes the server URL without asking the user
      • it introduces errors of its own

      So the proposal is to make Drive work with HTTPS only, as is already the case with the mobile application.

      This is a breaking change as it will force users to have an HTTPS server, but in production this must already be the case.

      Pros:

      • It will reinforce the idea that Drive is secure to use.
      • It will help catch bad server deployments, forcing sysadmins to do the right thing: only allow HTTPS and stop using bad HTTP -> HTTPS redirections, for instance.

      Scope

      Work to implement:

      1. When one enters a server URL, print a red error if it is not HTTPS.
      2. Rename Engine._check_https() to _check_http() and log a warning if the server is actually available on HTTP. It will hopefully annoy enough people to ask their sysadmin to fix that.
      3. For developers and users who still want to use an insecure URL, a new option will be added: allowlist_http. This list will contain by default: 127.0.0.1, localhost and 192.168.*.
        In the code, the QML element checking the server URL will be expanded to use the list: either the server URL starts with HTTP and its host is one of the allowed entries, or it starts with HTTPS. The original regexp should be expanded to understand that.
        The list consists of IPs and domain names. Originally it was only a list of IPs, but that would be unusable because Drive cannot know the server IP in advance and some servers will have changing IPs. So, to ease the implementation, we go with IPs and domain names as they would be entered by the user.
      4. The new option must be documented here and then here (after the next release).
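      The following is an added example (not Nuxeo Drive's own code) of the validation rule sketched in steps 1 and 3: HTTPS is always accepted, HTTP is accepted only when the host matches an allowlist_http entry, and anything else is rejected. The function names, the "ok"/"warning"/"error" levels and the extra guard that a numeric pattern such as 192.168.* only ever matches a real IPv4 address are assumptions of this example.

```python
# Added example, not Nuxeo Drive code: HTTPS-only server URL check with an
# allowlist_http exception, as proposed in NXDRIVE-1917.
import ipaddress
from fnmatch import fnmatchcase
from typing import List, Tuple
from urllib.parse import urlsplit

# Default list proposed in the ticket: loopback, localhost and the 192.168.* range.
DEFAULT_ALLOWLIST_HTTP: List[str] = ["127.0.0.1", "localhost", "192.168.*"]


def _is_ipv4(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def host_allowed_for_http(host: str, allowlist: List[str] = DEFAULT_ALLOWLIST_HTTP) -> bool:
    """Match a hostname or IP against allowlist entries; '*' is a glob wildcard."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower().strip()
        # Assumption of this example: a purely numeric pattern (e.g. 192.168.*)
        # must only match a real IPv4 address, so that a hostname such as
        # 192.168.example.com cannot slip through the allowlist.
        numeric = all(c in "0123456789.*" for c in entry)
        if numeric and not _is_ipv4(host):
            continue
        if fnmatchcase(host, entry):
            return True
    return False


def check_server_url(url: str, allowlist: List[str] = DEFAULT_ALLOWLIST_HTTP) -> Tuple[str, str]:
    """Return (level, message): 'ok', 'warning' (HTTP but allowlisted) or 'error'.

    'error' is what the UI would surface as the red error of step 1."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if not host:
        return "error", "Invalid server URL: no host found"
    if scheme == "https":
        return "ok", ""
    if scheme == "http":
        if host_allowed_for_http(host, allowlist):
            return "warning", f"Insecure HTTP allowed for {host} by allowlist_http"
        return "error", "The server URL must use HTTPS"
    return "error", f"Unsupported URL scheme: {scheme or '(none)'}"
```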
