Download & Extend
Secure Pages » Issues

Autocomplete problem

Posted by Liberation on December 11, 2008 at 12:26am
Project:Secure Pages
Version:6.x-1.7-beta2
Component:Code
Category:support request
Priority:normal
Assigned:Unassigned
Status:closed (fixed)

Issue Summary

I've been having problems with securepages that when being logged in and continuing in https secure mode then autocomplete on user fields is not working, i.e. when overriding the "Authored by:" field on node input. The reason is the HTML code generated uses an insecure connection, and this violates "same-domain" Javascript rules. In FF 3.0.4 when I put a "C" in that field I get:

Security Error: Content at https://www.thenvfa.org/node/add/story may not load data from http://www.thenvfa.org/user/autocomplete/C.
Error: uncaught exception: [Exception... "Access to restricted URI denied"  code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)"  location: "https://www.thenvfa.org/misc/jquery.js?p Line: 13"]

and something similar happens in IE6. I can fix this in /includes/form.inc where the absolute reference is generated. A patch for R6.6 to do this is attached, but I'm not really sure that is the right way. Views?
AttachmentSize
file.inc_.r6.6.https_.patch797 bytes
Login or register to post comments

Comments

#1

Posted by Liberation on December 11, 2008 at 12:30am

I should add my securepages settings are:

Make secure only:
node/add*
node/*/edit
user/*
admin*
contact

Ignore:
*/autocomplete/*

"Switch back" is off and the two base URL's are blank.

#2

Posted by gordon on December 11, 2008 at 2:00am

I found that there was a difference between the defaults for the settings page and other pages. So reset you settings and it should fix the problem.

#3

Posted by Liberation on December 11, 2008 at 2:57am

I tried your suggestion, but it made no difference. I have however identified what I think is the root of the problem. Because of various Apache directory and rewrite issues, I have to have the following line in my /sites/default/settings.php:

$base_url = 'http://www.thenvfa.org';  // NO trailing slash!

Now, if I change the http: to https: the autocomplete works successfully. However, this means that many page accesses are forced to be via https: even when not strictly necessary. It is not possible to omit the protocol part of the URL. Is there any way to extend the definition of $base_url to pick up the current operative protocol? I've also tried setting the appropriate full URI's into the Non-secure Base URL: and Secure Base URL: entry fields and it makes no improvement.

#4

Posted by gordon on December 11, 2008 at 5:11am
Category:bug report» support request

Make sure both the "Secure Base URL: " and "Non-secure Base URL: " are correct on the secure pages settings page

#5

Posted by Liberation on January 1, 2009 at 6:26pm

Re #4, yes, I have done that and it makes no difference to this issue. You can test this easily yourself by simply setting your $base_url in /sites/default/settings.php as in #3 to your home URL (making sure it uses http://). Then try the autocomplete function, e.g. by editing a node and blanking out the Author field and typing a letter. It's useful to have the FF Error Console open when doing this.

#6

Posted by Liberation on January 5, 2009 at 1:33pm
Category:support request» bug report

#7

Posted by chadhester on July 2, 2009 at 9:26pm

This is a hack, but i changed the Ignore line that read "*/autocomplete/*" to "*autocomplete*". This got rid of an issue I've had with every other query returning an "HTTP error 302" alert. Yes, strangely, only every other query submission generated this error, while the opposite moments return a successful autocomplete list. The above hack cleared up my issues. I am considering naming my autocomplete path something else more unique and reverting the Ignore settings. Right now I have a "autocomplete/userlist" and "autocomplete/courselist".

Anyway, I hope this helps someone else, since it took me a good hour to figure out that this had something to do with the Secure Pages module.

#8

Posted by gordon on July 18, 2009 at 1:14pm
Category:bug report» support request
Status:active» fixed

This is not a hack. This is by design. Since autocomplete can be called from both secure and insecure pages. So what the ignore does is not switch between secure and insecure, so an autocomplete from a secure page will remain secure, where as it will stay insecure if it is called from an insecure page.

#9

Posted by System Message on August 1, 2009 at 1:20pm
Status:fixed» closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

#10

Posted by ElusiveMind on May 28, 2010 at 1:15pm

Just to follow up on this issue for anyone still having this problem. The solution I had was to comment out the $base_url variable in my settings.php file.

This fixed it.

#11

Posted by BrockBoland on June 1, 2011 at 1:46pm

I am, ElusiveMind. I tried the trick from chadhester in #7 (aside: hey Chad!). I tried the $base_url trick on this other issue: http://drupal.org/node/801646#comment-3657036

I've tried tweaking everything in the Secure Pages config and haven't found a working solution yet.

nobody click here