stu at spacehopper.org
Tue Apr 16 13:15:51 BST 2019
On 2019/04/16 10:07, Oliver Humpage wrote:
> > On 15 Apr 2019, at 22:51, Oliver Kohll <oliver at agilechilli.com> wrote:
> >
> > My assumption was that this would work pretty much all the time but from reports, it seems to fail quite often resulting in a certificate error like e.g. "NET::ERR_CERT_AUTHORITY_INVALID" from Chrome.
>
> Easiest thing is to make http the default, and let sites redirect to https if supported. The main insecure thing would be if the user has existing login cookies for the site which then get transmitted via http on that first request: but that’s exactly what the “secure” flag on cookies is for, which the website should be setting anyway. Also most https sites issue a 301 redirect from http -> https which means the browser should cache it, so if they’ve visited before the browser will just automatically use https anyway. It might be worth automatically using https for a few known common sites (facebook, twitter, linkedin, github, etc). Depending on what type of URLs are manually typed, this may account for quite a high %.
> So it’ll be very rare that using http will be a problem.
>
> However, if you want to use https as the default, you’ll need to do a basic HEAD (or OPTIONS) request to see if https works, then fall back to http if it doesn’t. You could do this on the client either via XHR directly (OPTIONS should always work with CORS) or XHR to your server which then makes the request. For privacy reasons it would be best to do it client side, although it will be a lot harder to deal with all edge cases that way.
>
> The downside to this approach is if it’s a single-use link (e.g. one of those weird password sharing sites) then depending on how the server is configured your checking request may well count as the single use.

In terms of deciding whether to use http or https it wouldn't need to actually make a request, just check if the TLS connection works.
Though it might be advantageous to check that the URL really is valid - both to weed out typos, and to weed out autodetection problems with however the "bare URL" is auto detected.
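
The handshake-only check described in the message above, as an added server-side example that is not code from the thread: it completes a certificate-verified TLS handshake without sending any HTTP request, then picks the scheme. The names `tls_handshake_ok` and `choose_url` and the 5 second timeout are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit


def tls_handshake_ok(host, port=443, timeout=5.0):
    """Return True if a certificate-verified TLS handshake completes.

    Only the handshake is performed; no HTTP request is sent, so a
    single-use link is not consumed by the check.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ValueError):
        # DNS failure, refusal, timeout, ssl.SSLError and certificate
        # verification errors all end up here: treat as "https unusable".
        return False


def choose_url(bare, probe=tls_handshake_ok):
    """Add a scheme to a bare URL such as 'example.com/path'."""
    if "://" in bare:
        return bare  # the author already chose a scheme
    parts = urlsplit("//" + bare)
    if not parts.hostname:
        raise ValueError("no host in %r" % bare)
    port = parts.port or 443  # .port raises ValueError if malformed
    scheme = "https" if probe(parts.hostname, port) else "http"
    return scheme + "://" + bare
```

Because the default context verifies the chain and hostname, a site that would produce a browser certificate error falls back to http here; the check does not confirm that the path itself exists.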