[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[THREDDS #PCI-632644]: mixed contents in Godiva2



Greetings Fan,

I have a fix in for this issue. Part of the insecure resource access was 
addressed
by https://github.com/Unidata/thredds/pull/825, but there were a few things I 
missed 
and have addressed them in https://github.com/Unidata/thredds/pull/945. To see a
live example of the fixed code, check out:

https://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/HRRR/CONUS_2p5km/HRRR_CONUS_2p5km_20171108_2100.grib2

Note that there are still issues with requesting tiles for two of the 
background map from the
http://www2.demis.nl/wms/wms.ashx server. While the server does allow https 
access,
their ssl certificate is not correct and, from what I can tell, something in 
OpenLayers 
fails to allow it it load. I'm not sure if that is something I can fix or not. 
However,
there are two other map servers (NASA and NSIDC) that do work with https, and 
I've upgraded the code to use them (but the demis servers are still enabled in 
the interface).

Both of the PRs I reference above are not in the current stable version 
(4.6.10), but we should
cut a 4.6.11 stable release soon to get these fixes out.

Cheers,

Sean

> Greetings Fan,
> 
> I plan on taking at look at the issue today and will be able to update you
> tomorrow as to the status.
> 
> As a side note, I noticed the server in the logs below is setup to use the
> EarthData Login system. Did you all write some code for an authorizer in
> the TDS, or are you using Apache? I ask because I was going to write some
> c for the TDS to handle EarthData Login auth, as we know that soon all
> NASA data sources will require it, but if there is a solution in place, then 
> I will
> hold off writing anything.
> 
> Cheers,
> 
> Sean
> 
> > Hi Sean,
> >
> > I want to add a note that NASA data centers, including us here at GES DISC, 
> > are mandated to make this HTTP to HTTPS transition. We would be forced to 
> > disable Godiva if there is any security hole found, including this mixed 
> > content issue. This would upset many of our TDS users. Therefore fixing 
> > this can become quite urgent.
> >
> > If you have put this into the planning, we’d appreciate it if you could 
> > share the schedule with us. Thanks.
> >
> > -Fan
> >
> > On 11/2/17, 12:14 PM, "Unidata THREDDS Support" <address@hidden> wrote:
> >
> > Would you mind if I open a github issue on this?
> >
> > > Greetings Fan,
> > >
> > > Since we do not run over https, I haven't encountered this behavior - 
> > > thank you for your report!
> > >
> > > I'll take a look and see what can be done.
> > >
> > > Cheers,
> > >
> > > Sean
> > >
> > > > Hi. Ever since we migrated our servers from ‘HTTP’ to ‘HTTPS’, the 
> > > > Godiva visualizer stopped working with some of the browsers. The Godiva 
> > > > setting makes a number of ‘HTTP’ requests internally and the browsers 
> > > > do not like it. For a sample list of such requests see below.
> > > >
> > > > Some browsers, such as Firefox and Chrome, detects unsecure requests 
> > > > and allows to temporarily disable ‘protection’ to make Godiva work as 
> > > > usual, while others, such as Safari, are entirely unhappy.
> > > >
> > > > I wonder if you plan to fix this in the next release of THREDDS server. 
> > > > Thanks.
> > > >
> > > > -Fan
> > > >
> > > > godiva2.html:11 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure stylesheet 
> > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:28 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure stylesheet 
> > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure script 
> > > > 'http://yui.yahooapis.com/2.5.2/build/yahoo-dom-event/yahoo-dom-event.js'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure script 
> > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/treeview-min.js'. This 
> > > > request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:33 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure stylesheet 
> > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure script 
> > > > 'http://yui.yahooapis.com/2.5.2/build/container/container-min.js'. This 
> > > > request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:60 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www.resc.reading.ac.uk/images/new_logo_72dpi_web.png'. This 
> > > > content should also be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png'. 
> > > > This content should also be served over HTTPS.
> > > > www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png Failed to 
> > > > load resource: the server responded with a status of 404 (Not Found)
> > > > godiva2.js:264 Uncaught ReferenceError: YAHOO is not defined at 
> > > > window.onload (godiva2.js:264)
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > >  e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. 
> > > > This content should also be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > >  se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'. 
> > > > This content should also be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > >  e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. 
> > > > This content should also be served over HTTPS.
> > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > >  se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'. 
> > > > This content should also be served over HTTPS.
> > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure image 
> > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > >  e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. 
> > > > This content should also be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure stylesheet 
> > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure stylesheet 
> > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > > godiva2.html:1 Mixed Content: The page at 
> > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over 
> > > > HTTPS, but requested an insecure stylesheet 
> > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > >  This request has been blocked; the content must be served over HTTPS.
> > > >
> > > >
> > >
> >
> >
> > Ticket Details
> > ===================
> > Ticket ID: PCI-632644
> > Department: Support THREDDS
> > Priority: Normal
> > Status: Open
> > ===================
> > NOTE: All email exchanges with Unidata User Support are recorded in the 
> > Unidata inquiry tracking system and then made publicly available through 
> > the web.  If you do not want to have your interactions made available in 
> > this way, you must let us know in each email you send to us.
> >
> >
> >
> >
> >
> 

Ticket Details
===================
Ticket ID: PCI-632644
Department: Support THREDDS
Priority: High
Status: Open
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.