Add strict option for http url in asset #22510
Conversation
| * | ||
| * @return array | ||
| */ | ||
| protected function splitBaseUrl(array $urls, $isStrictHttp) |
| if ($sslUrls && $baseUrls !== $sslUrls) { | ||
| $this->sslPackage = new self($sslUrls, $versionStrategy); | ||
| $urlList = $this->splitBaseUrl($this->baseUrls, $isStrictHttp); | ||
| if (!empty($urlList['httpsUrl']) && $this->getContext()->isSecure()) { |
There was a problem hiding this comment.
The context is stateful, you must check isSecure in getBaseUrl, not in the constructor.
| array(false, array('http://example.com', 'http://example.net', 'https://example.com', 'https://example.net'), '', 'fooa', 'http://example.net/fooa?v1'), | ||
|
|
||
| array(true, array('http://example.com', 'http://example.net', 'https://example.com', 'https://example.net'), '', 'foo', 'https://example.com/foo?v1'), | ||
| array(true, array('http://example.com', 'http://example.net', 'https://example.com', 'https://example.net'), '', 'fooa', 'https://example.net/fooa?v1'), |
There was a problem hiding this comment.
You should add a test case with a protocol-relative URL.
| */ | ||
| private function splitBaseUrl(array $urls, $isStrictHttp) | ||
| { | ||
| $urlList = array('httpUrl' => array(), 'httpsUrl' => array(), 'fullUrl' => array()); |
There was a problem hiding this comment.
Instead of this array of arrays, having 2 private properties baseSecureUrls and baseUnsecureUrls.
|
@RedBoool thanks for contributing this feature! I'd like to ask you a question: Is really a technical issue to use HTTPS on HTTP pages? Will browsers display any warning message or will it affect your application or your end users in any other way? I know it's an issue the other way (using HTTP on HTTPS pages).
What do others think? |
|
This is not a technical issue, it's a financial issue. The aim of this PR is to help us pay the right price, no more, no less |
@RedBoool would that fit your request? ping @symfony/deciders would that be OK to you? |
|
That perfectly match my needs. |
It makes me a bit nervous... if your protocol is |
|
Moving to 4.1 as it looks like the discussion is not over. |
|
Maybe it's time to rethink this feature proposal. HTTPS is no longer optional for the web. Google and others are pushing hard to make it mandatory. According to Google's data (https://transparencyreport.google.com/https/overview) more than 70% of web traffic is now encrypted. So I guess CDNs charging more for HTTPS traffic will be soon out of the market. |
|
👎 on my side. Mixed content should be avoided, and using HTTPS everywhere is a best practice we must encourage. |
Uh oh!
There was an error while loading. Please reload this page.