If theme .zips are uploaded via HTTPS, the Theme URLs become HTTPS-only

Started by SeniorSausages, May 18, 2015, 12:06:50 AM

SeniorSausages

Hi

I am a new SMF admin and recently installed SMF on version 2.0.10 for the first time.

I discovered that when I upload a theme .zip file to the site while using https, the Theme URLs automatically become HTTPS as well.

This means that when users access the site via http (no encryption), the theme files are still being sent via https.

This is undesirable for a number of reasons.  In my case in particular, I am using a self-signed cert and have no intention of getting a cert signed by one of the big TLS Cert authorities. When a new user comes to the site using http, the entire site looks broken because none of the theme assets are being loaded because the URLs are all "https", and since the TLS cert is not trusted, none of it loads.

Expected behavior: When a user visits the site via http, all of the content should be served via http. When they visit the site with https, all of the content should be delivered via https. Themes installed over https should not cause the associated asset URLs to become https-only URLs.

JBlaze

Quote from: SeniorSausages on May 18, 2015, 12:06:50 AM
I am using a self-signed cert and have no intention of getting a cert signed by one of the big TLS Cert authorities.

...why?

To answer your question, SMF automatically sets the URL to any uploaded theme to that of the HTTP protocol being used. This is because SMF is not set up to handle being accessible over HTTP and HTTPS, much like there are no multiple-domain options.

The quickest way to fix this would be to use protocol-relative URLs. For example, if your default theme path is http://www.example.com/forum/Themes/default, set it to be //www.example.com/forum/Themes/default

This allows the URLs to be set to whichever protocol is being used.
Jason Clemons
Former Team Member 2009 - 2012

SeniorSausages

That's actually helpful to know that there isn't a claim of support for both protocols at the same time. I may have to reconsider my setup and change it to prevent any future issue.

FYI both http and https work perfectly if I upload the theme via http, just not if I do it via https.

Given your comment about protocol-agnostic URLs, wouldn't it be good to make that the default? That's just a rhetorical question worth thinking about. I'm not the noob here. You might have a good reason not to.

Thanks for your reply.

Oldiesmann

Protocol-independent URLs are probably the way to go, especially so we don't run afoul of security features in Firefox and Chrome (see https://developer.mozilla.org/en-US/docs/Security/MixedContent and https://support.google.com/chrome/answer/1342714?hl=en), both of which block certain content served over HTTP when the rest of the site is using HTTPS.
Michael Eshom
Christian Metal Fans
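
A check for the two failure modes discussed in this thread (HTTPS theme assets on an HTTP page, and HTTP assets on an HTTPS page), as an added example that is not part of any post and is not SMF code. The host `forum.example`, the sample paths and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Subresources(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.urls.append(a["href"])


def audit(page_url, html):
    """Return [(resolved_url, finding)] for subresources whose scheme differs from the page's."""
    parser = _Subresources()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for raw in parser.urls:
        resolved = urljoin(page_url, raw)  # "//host/path" inherits the page scheme
        scheme = urlsplit(resolved).scheme
        if scheme == page_scheme or scheme not in ("http", "https"):
            continue
        if page_scheme == "https":
            findings.append((resolved, "mixed-content"))       # blocked or warned about by browsers
        else:
            findings.append((resolved, "needs-trusted-cert"))  # fails if the cert is not trusted
    return findings


# Constructed sample markup; forum.example and the paths are placeholders.
SAMPLE = """
<link rel="stylesheet" href="https://forum.example/Themes/custom/css/index.css">
<script src="http://forum.example/Themes/default/scripts/script.js"></script>
<img src="//forum.example/Themes/default/images/logo.png">
<a href="https://forum.example/index.php?action=help">Help</a>
"""

if __name__ == "__main__":
    for page in ("http://forum.example/index.php", "https://forum.example/index.php"):
        print(page, audit(page, SAMPLE))
```

The protocol-relative `<img>` URL produces no finding under either page scheme, and ordinary links (`<a href>`) are ignored because the browser does not fetch them while rendering.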
