Parsoid gives VisualEditor insecure content when using HTTPS (should use protocol-relative URLs)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• MZMcBride
	Dec 12 2012, 3:46 PM

Description

When I go to https://en.wikipedia.org/wiki/User:Trevor_Parscal and click the "visualeditor" tab, my browser console says:

The page at https://en.wikipedia.org/wiki/User:Trevor_Parscal displayed insecure content from http://en.wikipedia.org/w?title=Special:FilePath/California_Bay_Area_county_map.svg&width=.

Consequently, the pretty green lock icon in Google Chrome turns yellow.

Version: unspecified
Severity: major

Details

Reference: bz43015

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Inez	T45015 Parsoid gives VisualEditor insecure content when using HTTPS (should use protocol-relative URLs)
		Resolved		• GWicke	T44976 Image URLs should be protocol-relative

Event Timeline

• bzimport raised the priority of this task from to High.Nov 22 2014, 1:08 AM

• bzimport added a project: Parsoid.

• bzimport set Reference to bz43015.

• MZMcBride created this task.Dec 12 2012, 3:46 PM

Upstream Parsoid bug: bug 42976

Fixed by https://gerrit.wikimedia.org/r/38673.

Tagging with deploy-train cycle.

I am getting this issue, on the test page referenced in the bug and others, again. The URLs do not contain Special:FilePath anymore, so perhaps something was changed about how images are handled that introduced a regression? Reopening this bug since the issue appears to be essentially the same.

The page at https://en.wikipedia.org/wiki/User:Trevor_Parscal?veaction=edit displayed insecure content from http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/California_Bay_Area_county_map.svg/38px-California_Bay_Area_county_map.svg.png.

Bug 49283 has been marked as a duplicate of this bug. ***

This seems to have been unfixed in production.

Strangely, parsoid.wmflabs.org is now giving me https URLs for images.

(In reply to comment #7)

This seems to have been unfixed in production.

Specifically, Parsoid is now once again returning http:// URLs for images (except in labs, where it returns https:// URLs). MZ submitted a fix in December to make these URLs protocol-relative, but this seems to have been unfixed somehow.

Perhaps the repository URL is being grabbed from the API? That would explain why it's now a fully qualified URL, and it might explain the difference between labs and production.

Per Roan's comments, moving to Parsoid so they can fix.

We used to use a special page redirect hack, but now use the API to properly retrieve image information including the path. So the new code needs to implement some similar protocol-relative massaging for image URLs, at least for the domains we know to support both http and https.

Bug 49984 has been marked as a duplicate of this bug. ***

Related URL: https://gerrit.wikimedia.org/r/70344 (Gerrit Change I253b9b7a9b463439e86d7cf7975cd92f9c851e70)

Related URL: https://gerrit.wikimedia.org/r/70348 (Gerrit Change Ied95c87fda13dbea2b8c46ad1e96fde1c50c1517)

https://gerrit.wikimedia.org/r/70348 (Gerrit Change Ied95c87fda13dbea2b8c46ad1e96fde1c50c1517) | change APPROVED and MERGED [by jenkins-bot]

The fix will go out with tomorrow's Parsoid deployment.

https://gerrit.wikimedia.org/r/70344 (Gerrit Change I253b9b7a9b463439e86d7cf7975cd92f9c851e70) | change APPROVED and MERGED [by jenkins-bot]

[Parsoid component reorg by merging JS/General and General. See bug 50685 for more information. Filter bugmail on this comment. parsoidreorg20130704]

Parsoid gives VisualEditor insecure content when using HTTPS (should use protocol-relative URLs)Closed, ResolvedPublicActions