EPrints Technical Mailing List Archive
See the EPrints wiki for instructions on how to join this mailing list and related information.
Message: #08821
< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First
Re: [EP-tech] mixed-content warnings
- To: David R Newman <drn@ecs.soton.ac.uk>, "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Date: Fri, 7 Jan 2022 15:30:34 +0000
CAUTION: This e-mail originated outside the University of Southampton.
Hi David,
Thank you, much appreciated.
About the IRStats2, I think maybe I was unclear, one of the references, the one in the config file, is indeed commented out by default, but this one is not:
That is part of an initialization function, so don't know if having {host} undefined in the Referrer object on IRstats2 would break anything further along?
Best wishes,
Tomasz
From: David R Newman <drn@ecs.soton.ac.uk>
Sent: Friday, January 7, 2022 7:19 AM To: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>; eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk> Subject: Re: [EP-tech] mixed-content warnings Attention This email originates from outside the concordia.ca domain. // Ce courriel provient de l'exterieur du domaine de concordia.ca
Hi Tomasz,
I have just been checking RFC 6265 which is about the HTTP State Management System (i.e. Cookies). Point 6 of section 5.3 (see link below) makes clear that if the domain attribute is not set then it is assumed to be the same as the current request:
https://www.rfc-editor.org/rfc/rfc6265#section-5.3
Therefore, I cannot see any scenario where the domain not being set would create a security or functional problem, as there should be no need to share EPrints cookie data between domains, (e.g. multiple web sites at an institution). The only two cookies that
EPrints deploys by default are for maintaing a logged in user's session and another for the language they have chosen if the repository is multi-language. Neither of these should need to be shared with other sites. Even if they did, the effective setting
for domain in the cookie with be the same whether $c->{host} is defined or not. So the repository system administrator would have had to manually change the $c->{cookie_domain} setting to something other than the hostname of the repository, at which point
the value for $c->{host} becomes inconsequential as it will no longer be playing a role in setting $c->{cookie_domain}.
This does not mean that the commit I made last night is inappropriate, just that functionally it will make no difference. However, at some point in the future it may concern someone (like it did us, yesterday) that the value for $c->{cookie_domain} is not being set because $c->{host} is undefined (if a repository has been configured for HTTPS only). So fixing this now will avoid concern further down the line.
David Newmam
On 07/01/2022 00:47, David R Newman wrote:
|
- Follow-Ups:
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- References:
- [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- Re: [EP-tech] mixed-content warnings
- From: Tomasz Neugebauer <Tomasz.Neugebauer@concordia.ca>
- [EP-tech] mixed-content warnings
- Prev by Date: Re: [EP-tech] mixed-content warnings
- Next by Date: Re: [EP-tech] mixed-content warnings
- Previous by thread: [EP-tech] EPrints/CRIS
- Next by thread: [EP-tech] DOI handling in orcid_support_advance
- Index(es):