[_] https://www

Topia Russ topiaruss at gmail.com
Tue Apr 16 10:15:00 BST 2019

That’s a lot of wisdom from a single email. Thanks to Oliver1 for the thread, and Oliver2 for this response.
—r

> On 16 Apr 2019, at 10:07, Oliver Humpage <oliver at watershed.co.uk> wrote:
> 
> 
> 
>> On 15 Apr 2019, at 22:51, Oliver Kohll <oliver at agilechilli.com> wrote:
>> 
>> My assumption was that this would work pretty much all the time but from reports, it seems to fail quite often resulting in a certificate error like e.g. "NET::ERR_CERT_AUTHORITY_INVALID" from Chrome.
> 
> Easiest thing is to make http the default, and let sites redirect to https if supported. The main insecure thing would be if the user has existing login cookies for the site which then get transmitted via http on that first request: but that’s exactly what the “secure” flag on cookies is for, which the website should be setting anyway. Also most https sites issue a 301 redirect from http -> https which means the browser should cache it, so if they’ve visited before the browser will just automatically use https anyway.
> 
> So it’ll be very rare that using http will be a problem.
> 
> However, if you want to use https as the default, you’ll need to do a basic HEAD (or OPTIONS) request to see if https works, then fall back to http if it doesn’t. You could do this on the client either via XHR directly (OPTIONS should always work with CORS) or XHR to your server which then makes the request. For privacy reasons it would be best to do it client side, although it will be a lot harder to deal with all edge cases that way.
> 
> The downside to this approach is if it’s a single-use link (e.g. one of those weird password sharing sites) then depending on how the server is configured your checking request may well count as the single use.
> 
> Oliver.
> 
> -- 
> underscore_ list info/archive -> http://www.under-score.org.uk/mailman/listinfo/underscore

Russ Ferriday -- Software Product Architect, Developer, Mentor
Founder & CTO Topia Systems Ltd
topiaruss at gmail.com  --  +44 7429 518822
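
The server-side variant of the HEAD check and http fallback described in the quoted reply, as an added example that is not code from anyone in this thread. The names `https_works` and `choose_url` are hypothetical, and probing only the site root (so a single-use link path is never requested) is an assumption of this sketch.

```python
import re
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # never follow: a 3xx surfaces as HTTPError instead


def https_works(host, timeout=5):
    """True if a HEAD to https://host/ completes over certificate-verified TLS."""
    opener = urllib.request.build_opener(
        _NoRedirect,
        urllib.request.HTTPSHandler(context=ssl.create_default_context()),
    )
    # Probe the site root only, so a single-use link path is never requested.
    req = urllib.request.Request("https://%s/" % host, method="HEAD")
    try:
        opener.open(req, timeout=timeout).close()
        return True
    except urllib.error.HTTPError:
        return True   # handshake succeeded; the server just answered 3xx/4xx/5xx
    except (urllib.error.URLError, ssl.SSLError, OSError, ValueError):
        return False  # bad certificate, refused port, timeout, DNS failure


def choose_url(link, probe=https_works):
    """Return the link with https if the probe passes, otherwise http."""
    if not re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", link):
        link = "//" + link            # scheme-less input such as "www.example.org/x"
    parts = urlsplit(link)
    if parts.scheme not in ("", "http", "https") or not parts.netloc:
        raise ValueError("not an http(s) link: %r" % link)
    if parts.scheme == "https":
        return urlunsplit(parts)      # explicit https is never downgraded
    scheme = "https" if probe(parts.netloc) else "http"
    return urlunsplit((scheme,) + tuple(parts[1:]))
```

Passing a stub as `probe` lets the fallback logic be exercised without network access; the default probe treats any certificate validation failure as "https does not work".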