Opened 5 years ago

Last modified 5 years ago

#5127 reopened enhancement

Non HTTPS-Links: Share links and link to wiki, when being on the HTTPS page

Reported by: ToB Owned by: rails-dev@…
Priority: minor Milestone:
Component: website Version:
Keywords: https Cc:

Description

  • When trying to share an URL, the links are always HTTP links instead of HTTPS Links: https://osm.org/ -> right side -> share (link, HTML; affects: long link, short link and html-iframe link.
  • https://osm.org/help -> wiki link (at least in the DE localized version) links to HTTP instead of the HTTPS version

In principle, one can use, e.g., <a href="//osm.org/"> and then the browser should use the same protocol (HTTP vs HTTPS) as for that page, but I don't know how widely it is supported.

Change History (8)

comment:1 Changed 5 years ago by Tom Hughes

Resolution: wontfix
Status: newclosed

We have made no effort to make external links preserve the protocol, nor do I have any particular plan to do so - it would be a huge amount of work for very minimal gain.

comment:2 Changed 5 years ago by aseerel4c26

Tom, Tom... the old issue. Then keep this bug open (it even is only filed as "enhancement"!). Not a "Tom-only" bugtracker, is it? Are you trying to get a good reputation at GCHQ? Then please just ignore those security and privacy related bugs. ;-) It is okay if you are giving a sh.. regarding privacy, but please do not demand the same from all others.

Version 1, edited 5 years ago by aseerel4c26 (previous) (next) (diff)

comment:3 Changed 5 years ago by aseerel4c26

Resolution: wontfix
Status: closedreopened

comment:4 Changed 5 years ago by Tom Hughes

The problem is this bug has no defined scope - no end point when it could ever be closed.

I'm not even sure there is any logic in a theory that an page loaded over https should only link to other pages over https. Surely if you believe in "https everywhere" you should be arguing that all out links to sites which support https should be in https regardless of what protocol the source page was loaded over?

comment:5 Changed 5 years ago by aseerel4c26

Keywords: https added

I do not know of RFCs or something, but it is just good practise to use protocol-relative links if the target page is reachable via http and https. It even saves space. ;-)

What a page should not do is to open a page via http if the clicked link shows https, because the user might prefer to not open the page via http.

Scope? Hmm, its end is a bit blurry, yes. But the it mentions a few specific, prominent high-traffic links which should be changed. After this bug could be closed. On a second thought: if one would e.g. search through all interface code and replace all http links then this bug would be finished completely.

comment:6 Changed 5 years ago by Tom Hughes

Go on then - I know you know where the source is.

Don't forget to make sure it works when pages are loaded locally from file URLs when that is relevant.

Oh and of course you'll have to work out how to deal with all the URLs that are embedded in the locale files.

Still think it's easy?

comment:7 Changed 5 years ago by aseerel4c26

Tom, yes, I know where the source is. And, no, I will not do any changes currently (first: time, second: github).

Did I say it is "easy"? I think I did not.

I do not understand why you are so pissed about this topic. :-( "Not invented here"? Well, maybe just because it is totally irrelevant in your POV. As said, then please just ignore those bugs.

comment:8 Changed 5 years ago by Tom Hughes

Because I view all these bugs as my "to do list" and I endeavour to stop it growing out of control.

A database of thousands of bugs that nobody ever does anything about is of no use to anybody - all it does is hide important issues in a lot of background noise.

Note: See TracTickets for help on using tickets.