Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The Mollom statistics page makes a call to http://mollom.com/statistics.swf even when the page is served using SSL via Secure Pages. This compromises the security of the session. Is there a secure version of this, or should I just switch back to non-secure mode when viewing this page?
Thanks,
Jason
Comment | File | Size | Author |
---|---|---|---|
#1 | mollom.statistics-ssl.1.patch | 588 bytes | sun |
Comments
Comment #1
sunThanks for reporting! Committed attached patch to all 2.x branches.
A new development snapshot will be available within the next 12 hours. This improvement will be available in the next official release.
Comment #3
Robin Millette CreditAttribution: Robin Millette commentedI was about to open an issue when I noticed the absolute URL starting with // (instead of http or https). Is this a usual practice? Why not https://mollom... instead of http://mollom...?
Update
After reading a bit, I see it _is_ a thing although it comes with a few caveats. Wouldn't it be safer to check if the drupal site is ssl or not, and set the correct scheme?
Comment #4
sunProtocol-free URIs are a very common practice to deal with this kind of issue. As long as the host delivers the resource both on HTTPS and HTTP (which Mollom does), this is known to work, in all browsers and versions.