non-SSL requests on https://explorer.continuum.io/seeds #761

Open
ahmadia opened this issue Nov 8, 2015 · 12 comments
Comments

@ahmadia
Contributor

ahmadia commented Nov 8, 2015

Mixed Content: The page at 'https://explorer.continuum.io/seeds/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://explorer.continuum.io/api/datawake/'. This request has been blocked; the content must be served over HTTPS.

Hot-fixing for now.

@ahmadia ahmadia added the bug label Nov 8, 2015
@ahmadia ahmadia added this to the v0.4 milestone Nov 8, 2015
@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

Note, I've already pulled out BasicAuthentication from the REST configuration (using SessionAuthentication):

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',
    ),
    'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)
}

Other parts of the REST API work, it's something specific to this page/view.

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

@brittainhard - workaround is to ensure you've got trailing slashes on Django REST endpoints.

See jashkenas/backbone#848 for more details.

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

Please land the following patch when you get a chance:

diff --git a/source/base/static/base/js/backbone/trails_backbone.js b/source/base/static/base/js/backbone/trails_backbone.js
index 0d98dd7..867024a 100644
--- a/source/base/static/base/js/backbone/trails_backbone.js
+++ b/source/base/static/base/js/backbone/trails_backbone.js
@@ -5,7 +5,7 @@


   exports.Trail = Backbone.Model.extend({
-    urlRoot: "/api/datawake",
+    urlRoot: "/api/datawake/",
     defaults: {
       trail_id: 0,
       domain_name: "",
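Review bot: the trailing slash on urlRoot only fixes the collection and create URLs, not fetches of an existing model; Backbone's Model.url() joins urlRoot and the id as `urlRoot + '/' + id` (stripping any doubled slash), so fetching a saved Trail still requests `/api/datawake/<id>` without a trailing slash and Django's APPEND_SLASH 301 still fires, which is exactly the `/api/seeds_list/1` pattern reported further down this thread. Either override `url` on the model to append the slash, or land the X-Forwarded-Proto / SECURE_PROXY_SSL_HEADER change so that the redirect is at least issued over https and is not blocked as mixed content.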
@@ -16,7 +16,7 @@


   exports.TrailsCollection = Backbone.Collection.extend({
-    url: "/api/datawake",
+    url: "/api/datawake/",
     model: exports.Trail,
   });
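Review bot: the collection URL change is consistent with the model change above and is fine as is; before landing, it is worth grepping the other Backbone files for `url:` / `urlRoot:` values that lack a trailing slash (the seeds list view in edit_seeds_backbone.js is named later in this issue), since each one produces the same http:// redirect and the same mixed-content block.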

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

This is fixed in production, but not in our repository.

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

Found another one:

explorer.continuum.io/:1 Mixed Content: The page at 'https://explorer.continuum.io/seeds/datawake_import/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://explorer.continuum.io/api/seeds_list/1/'. This request has been blocked; the content must be served over HTTPS.

I'm guessing it's the same issue.

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

I've backed it out this far:

source/base/templates/base/edit_seeds.html

  <div class="col-sm-10 col-sm-offset-1 col-md-10 col-md-offset-1">
    <input id="seeds_pk" type="hidden" value="1">
    <div id="seeds"></div>
  </div>

source/base/static/base/js/backbone/edit_seeds_backbone.js

    el: "#seeds",
    form: "#editSeedsForm",
    invalidLines: [],
    template: _.template($("#editSeedsTemplate").html()),
    initialize: function(model){
      this.model = model;
      var that = this;
      this.model.set({id: $("#seeds_pk").val()}).fetch({
        success: function(){
          that.render();
          that.setEditor();
        }
      });
    },

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

Rubber-duckied my way out of this one.

If I understand what's going on correctly:

Backbone composes an incorrect request for a given seeds list using a very slightly incorrect URL:

https://explorer.continuum.io/api/seeds_list/1 instead of https://explorer.continuum.io/api/seeds_list/1/

Now there are actually a couple of ways we should be able to fix this.

Django was sending a 301 redirect back, but it's sending it using the 'http' protocol, not https. So I made sure that Django knew that it needed to send HTTPS redirect responses back. This is a two-part operation.

On the nginx configuration:

      proxy_set_header X-Forwarded-Proto $scheme;

In Django settings:

SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')

Note the security warnings on SECURE_PROXY_SSL_HEADER, but this all looks correct to me.
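The two-part fix above, as an added illustration that is not code from the explorer project: it models with plain functions how Django's HttpRequest.is_secure() consults SECURE_PROXY_SSL_HEADER and how the APPEND_SLASH redirect's Location is built from the resulting scheme, so you can see why the 301 carried http:// before the nginx header was forwarded. The WSGI environ dicts are constructed samples; the hostname is the one from the issue.

```python
"""Django is_secure() / APPEND_SLASH redirect behaviour re-created as plain
functions (illustration only, not the project's code or Django's own source)."""
from urllib.parse import urlsplit

# The setting from the comment above; None models a settings file without it.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def request_scheme(environ, proxy_header):
    """'https' or 'http', decided the way Django's is_secure() decides it.

    TLS terminates at nginx, so the WSGI layer only sees wsgi.url_scheme == 'http'.
    Django recovers the original scheme solely from the forwarded header, and
    only when the setting names that header and the value to trust.
    """
    if proxy_header is not None:
        name, expected = proxy_header
        if environ.get(name) == expected:
            return "https"
    return environ.get("wsgi.url_scheme", "http")


def append_slash_location(environ, proxy_header, host="explorer.continuum.io"):
    """Location of the APPEND_SLASH 301 for a slash-less path, or None if no redirect."""
    path = environ["PATH_INFO"]
    if path.endswith("/"):
        return None
    return f"{request_scheme(environ, proxy_header)}://{host}{path}/"


def mixed_content_blocked(page_url, location):
    """True when a browser would refuse to follow the redirect from an https page."""
    return urlsplit(page_url).scheme == "https" and urlsplit(location).scheme != "https"


def demo():
    """Return the redirect Location before and after the nginx + settings fix."""
    # Constructed: what nginx hands to Django after TLS termination. Because
    # `proxy_set_header X-Forwarded-Proto $scheme;` overwrites the header on
    # every proxied request, a value supplied by the client never reaches
    # Django; that is the condition under which trusting it is safe.
    before = {"wsgi.url_scheme": "http", "PATH_INFO": "/api/seeds_list/1"}
    after = dict(before, HTTP_X_FORWARDED_PROTO="https")
    return (append_slash_location(before, None),
            append_slash_location(after, SECURE_PROXY_SSL_HEADER))
```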

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

So the patches are to nginx and settings. I think this frees us from having to worry about trailing slashes so long as Django redirects to the correct resource.

@ahmadia
Contributor Author

ahmadia commented Nov 8, 2015

I'll close this when the commits are landed to the docker branch and pushed.

@ahmadia ahmadia assigned ahmadia and unassigned brittainhard Nov 8, 2015
@ahmadia
Contributor Author

ahmadia commented Nov 11, 2015

punting to 0.5 - this is fixed on explorer.continuum.io

@ahmadia ahmadia modified the milestones: v0.5, v0.4 Nov 11, 2015
@ahmadia ahmadia removed their assignment Dec 15, 2015