Insecure content loaded from 'assets.ubuntu.com'

Bug #1454520 reported by Sindarina
Affects: Ubuntu Developer Portal
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

https://developer.ubuntu.com/en/snappy/

This loads several images (PNG, SVG) from 'assets.ubuntu.com' via HTTP. They are redirected to HTTPS, but they really shouldn't be loading via HTTP in the first place. Should be fixed to load via 'https://' URLs, or via the '//' scheme so the request matches whatever the parent page is using.

Daniel Holbach (dholbach) wrote :

Mh, could this be an issue with the files on assets?

daniel@daydream:/tmp/developer-ubuntu-com$ grep -ri http . | grep -v https | grep assets
daniel@daydream:/tmp/developer-ubuntu-com$

Daniel Holbach (dholbach) wrote :

<davidcalle> dholbach, open the js console and reload the page. It looks like it comes from http://yui.yahooapis.com/, loading a bunch of js modules, so that's part of the web guidelines framework we are using. The web team should be able to fix this.

Daniel Holbach (dholbach) wrote :

<dholbach> Mixed Content: The page at 'https://developer.ubuntu.com/en/snappy/' was loaded over HTTPS, but requested an insecure script 'http://yui.yahooapis.com/combo?gallery-2014.02.20-23-55/build/gallery-carou…o-queue-min.js&3.15.0/dump/dump-min.js&3.15.0/json-parse/json-parse-min.js'. This request has been blocked; the content must be served over HTTPS.
<ant> so YUI does not support https loading from their api site
 the developer team will need to pull the code local to the site and load it via https
 otherwise use the one loaded from assets
 you can find that one from the source of www.ubuntu.com
 dholbach, https://assets.ubuntu.com/sites/ubuntu/latest/u/js/plugins/yui-combined.min.js
<dholbach> ok, thanks

Daniel Holbach (dholbach) wrote :

It appears the issue comes from https://developer.ubuntu.com/assets/sites/ubuntu/latest/u/js/scratch.js - not sure where that's from.
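
Added example (not part of the bug thread or of the portal's code): a line filter such as `grep -v https` discards every line that also contains an `https://` URL, which is the normal case in one-line minified JS, so this script extracts each `http://` URL token instead. The function names, the sample tree and the file contents are constructed for illustration; only the host names and the `scratch.js` file name come from the thread.

```shell
#!/bin/sh
# Added example: list plain-HTTP URL references in a source tree,
# one "file:URL" per hit, instead of filtering whole lines.

# find_insecure_refs DIR
#   -o  print only the matched URL, so a line that mixes http:// and
#       https:// references is still reported
#   -I  skip binary files; -H always prefix the file name
#   XML namespace URIs on www.w3.org are identifiers, not fetches,
#   so they are dropped from the report.
find_insecure_refs() {
    grep -rIHoE 'http://[A-Za-z0-9._~%/?#&=+:@,;-]+' "$1" 2>/dev/null \
        | grep -vE ':http://www\.w3\.org/' \
        | sort -u
}

# make_sample: build a small constructed tree and print its path.
make_sample() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/js" "$dir/img"
    # Constructed: one minified line with a secure and an insecure URL.
    printf '%s\n' 'var a="https://assets.ubuntu.com/sites/ubuntu/latest/u/js/plugins/yui-combined.min.js",b="http://yui.yahooapis.com/combo?x.js";' \
        > "$dir/js/scratch.js"
    # Constructed: an SVG whose only http:// string is a namespace URI.
    printf '%s\n' '<svg xmlns="http://www.w3.org/2000/svg"></svg>' \
        > "$dir/img/logo.svg"
    # Constructed: an image referenced over plain HTTP.
    printf '%s\n' '<img src="http://assets.ubuntu.com/sites/ubuntu/latest/u/img/logo.png">' \
        > "$dir/index.html"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree.
sample=$(make_sample) && find_insecure_refs "$sample"
rm -rf "$sample"
```

A static scan only sees URLs that appear literally in the source; references assembled at runtime show up only as Mixed Content messages in the browser console.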
