
Parsoid gives VisualEditor insecure content when using HTTPS (should use protocol-relative URLs)
Closed, Resolved, Public

Description

When I go to https://en.wikipedia.org/wiki/User:Trevor_Parscal and click the "visualeditor" tab, my browser console says:


The page at https://en.wikipedia.org/wiki/User:Trevor_Parscal displayed insecure content from http://en.wikipedia.org/w?title=Special:FilePath/California_Bay_Area_county_map.svg&width=.

Consequently, the pretty green lock icon in Google Chrome turns yellow.


Version: unspecified
Severity: major

Details

Reference
bz43015

Event Timeline

bzimport raised the priority of this task from to High. (Nov 22 2014, 1:08 AM)
bzimport added a project: Parsoid.
bzimport set Reference to bz43015.

Upstream Parsoid bug: bug 42976

I am getting this issue, on the test page referenced in the bug and others, again. The URLs do not contain Special:FilePath anymore, so perhaps something was changed about how images are handled that introduced a regression? Reopening this bug since the issue appears to be essentially the same.

*** Bug 49283 has been marked as a duplicate of this bug. ***

This seems to have been unfixed in production.

Strangely, parsoid.wmflabs.org is now giving me https URLs for images.

(In reply to comment #7)
> This seems to have been unfixed in production.

Specifically, Parsoid is now once again returning http:// URLs for images (except in labs, where it returns https:// URLs). MZ submitted a fix in December to make these URLs protocol-relative, but this seems to have been unfixed somehow.

Perhaps the repository URL is being grabbed from the API? That would explain why it's now a fully qualified URL, and it might explain the difference between labs and production.

Per Roan's comments, moving to Parsoid so they can fix.

We used to use a special page redirect hack, but now use the API to properly retrieve image information including the path. So the new code needs to implement some similar protocol-relative massaging for image URLs, at least for the domains we know to support both http and https.
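
A sketch of the protocol-relative rewriting described in the comment above, added here as an illustration and not Parsoid's actual fix. The host suffix list, the function names and all sample URLs except the one from the task description are assumptions.

```javascript
// Added illustration, not Parsoid's code.
// Assumption: domains known to serve the same content over http and https.
const DUAL_SCHEME_SUFFIXES = ['wikipedia.org', 'wikimedia.org'];

function hostSupportsBothSchemes(hostname, suffixes) {
  const host = hostname.toLowerCase();
  // Match the domain itself or a real subdomain, never a lookalike
  // such as "evilwikipedia.org".
  return suffixes.some((s) => host === s || host.endsWith('.' + s));
}

function toProtocolRelative(url, suffixes = DUAL_SCHEME_SUFFIXES) {
  if (typeof url !== 'string') return url;
  // Only absolute http(s) URLs are candidates; "//host/..." and
  // relative paths pass through untouched.
  const m = /^(https?):\/\//i.exec(url);
  if (!m) return url;
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return url; // malformed: leave it for the caller to deal with
  }
  if (!hostSupportsBothSchemes(parsed.hostname, suffixes)) return url;
  // An explicit port ties the URL to one scheme, so keep it absolute.
  const authority = url.slice(m[0].length).split(/[\/?#]/)[0];
  if (/:\d*$/.test(authority)) return url;
  // Drop "http:" or "https:" and keep the leading "//".
  return url.slice(m[1].length + 1);
}

// Constructed sample input: the first URL is the one from the task
// description, the rest are made up for the example.
const SAMPLE_URLS = [
  'http://en.wikipedia.org/w?title=Special:FilePath/California_Bay_Area_county_map.svg&width=',
  'https://upload.wikimedia.org/example/a.png',
  '//upload.wikimedia.org/example/b.png',
  'http://evilwikipedia.org/c.png',
  'http://upload.wikimedia.org:8080/d.png',
];

function rewriteAll(urls) {
  return urls.map((u) => toProtocolRelative(u));
}
```

Hosts outside the list keep their original scheme, so an http-only third-party image still shows up as mixed content on an HTTPS page instead of silently breaking.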

*** Bug 49984 has been marked as a duplicate of this bug. ***

Related URL: https://gerrit.wikimedia.org/r/70344 (Gerrit Change I253b9b7a9b463439e86d7cf7975cd92f9c851e70)

Related URL: https://gerrit.wikimedia.org/r/70348 (Gerrit Change Ied95c87fda13dbea2b8c46ad1e96fde1c50c1517)

https://gerrit.wikimedia.org/r/70348 (Gerrit Change Ied95c87fda13dbea2b8c46ad1e96fde1c50c1517) | change APPROVED and MERGED [by jenkins-bot]

The fix will go out with tomorrow's Parsoid deployment.

https://gerrit.wikimedia.org/r/70344 (Gerrit Change I253b9b7a9b463439e86d7cf7975cd92f9c851e70) | change APPROVED and MERGED [by jenkins-bot]

[Parsoid component reorg by merging JS/General and General. See bug 50685 for more information. Filter bugmail on this comment. parsoidreorg20130704]