[OPEN-ILS-DEV] Fixing the mixed-content warnings in My Account
Mike Rylander
mrylander at gmail.com
Fri May 29 07:32:02 EDT 2009
On Fri, May 29, 2009 at 12:38 AM, Dan Scott <denials at gmail.com> wrote:
> If I understand correctly, some browsers (hello IE!) throw up warnings
> when patrons enter "My Account" in the OPAC because there are some
> hard-coded HTTP requests mixed in with the HTTPS session. When patrons
> opt to not allow the browser to load mixed content, hilarity (or some
> miserable facsimile thereof) ensues. This is bad. Apaprently things
> are even worse in IE8.
>
> It looks like the mixed content is due to
> Open-ILS/var/web/opac/skin/default/xml/setenv.xml:
>
> setenv.xml:<!--#set var="OILS_BASE"
> value="http://${SERVER_NAME}/${OILS_OPAC_BASE}"-->
> setenv.xml: <!--#set var="OILS_OPAC_JS_HOST"
> value="http://${OILS_OPAC_JS_HOST}"-->
> setenv.xml: <!--#set var="OILS_OPAC_CSS_HOST"
> value="http://${OILS_OPAC_CSS_HOST}"-->
>
> Setting these to the following alleviates the problem:
>
> setenv.xml:<!--#set var="OILS_BASE" value="${OILS_OPAC_BASE}"-->
> setenv.xml: <!--#set var="OILS_OPAC_JS_HOST" value=""-->
> setenv.xml: <!--#set var="OILS_OPAC_CSS_HOST" value=""-->
>
> The win from having a non-scary default configuration seems to, in my
> mind, outweigh the possible balancing of JS and CSS across different
> hosts. Would there be any objection to my merging a commit that resets
> each offending var to a non-scary default value, along with a comment
> that explains what in the wide world of sports is going on?
How about we do that /AND/ supply https: versions of those three,
having the code that deals with (and makes up) the My OPAC stuff use
those. Perhaps even make that explicit in the name by putting MYOPAC
in there:
setenv.xml:<!--#set var="OILS_MYOPAC_BASE"
value="https://${SERVER_NAME}/${OILS_OPAC_BASE}"-->
setenv.xml:<!--#set var="OILS_MYOPAC_JS_HOST"
value="https://${OILS_OPAC_JS_HOST}"-->
setenv.xml:<!--#set var="OILS_MYOPAC_CSS_HOST"
value="https://${OILS_OPAC_CSS_HOST}"-->
Then My OPAC is happy in tin-foil browsers, and those sites that need
a separate content server (at least the 2 largest production sites,
that I recall OTTOMH) don't have to jump through any more hoops than
anyone else at upgrade time -- it stays as config settings. Do you
see any issues with that modification to your plan?
--
Mike Rylander
| VP, Research and Design
| Equinox Software, Inc. / The Evergreen Experts
| phone: 1-877-OPEN-ILS (673-6457)
| email: miker at esilibrary.com
| web: http://www.esilibrary.com
More information about the Open-ils-dev
mailing list