Hey,

I switched my drupal page to HTTPS and want to continue having a flattr button. Browsers such as Chrome whine about insecure content when you execute scripts from an external HTTP (unencrypted) site in that context.

Attached you can find a patch which implements a fix for this. Please include this in your next release.

Thanks,
Best regards,
Michael

CommentFileSizeAuthor
flattr-https.patch674 bytesmichael__

Comments

Letharion’s picture

Category: bug » feature

Thanks for reporting. I had to make some changes to the patch so it would work with various other fixes. Commited and pushed to 7.x-1.x.

Needs backport to 6.x.

Letharion’s picture

Status: Patch (to be ported) » Fixed

Pushed to D6 as well.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

yan’s picture

Version: 7.x-1.x-dev » 6.x-1.0-rc1
Category: feature » bug
Status: Closed (fixed) » Active

In 6.x-1.0-rc1 the js is still included through a non-secure URL:

<script type="text/javascript" src="http://api.flattr.com/js/0.6/load.js?mode=auto"></script>

Has something been forgotten in the patch? I guess this comes from line 181:

if (empty($header)) {
  drupal_set_html_head('<script type="text/javascript" src="http://api.flattr.com/js/0.6/load.js?mode=auto"></script>');
  $header = TRUE;
}
dawehner’s picture

Please create a patch.

yan’s picture

Status: Active » Fixed

My bad, it seems I looked at an older version. In 6.x-1.0-rc1 it is already implemented:

  // Only add the js once.
  static $header = FALSE;
  $scheme = (!empty($_SERVER['HTTPS']) ? 'https' : 'http');
  if (empty($header)) {
    drupal_set_html_head('<script type="text/javascript" src="' . $scheme . '://api.flattr.com/js/0.6/load.js?mode=auto"></script>');
    $header = TRUE;
  }

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.