The Mollom statistics page makes a call to http://mollom.com/statistics.swf even when the page is served using SSL via Secure Pages. This compromises the security of the session. Is there a secure version of this, or should I just switch back to non-secure mode when viewing this page?

Thanks,
Jason

Files: 
CommentFileSizeAuthor
#1 mollom.statistics-ssl.1.patch588 bytessun

Comments

Version:6.x-1.16» 7.x-2.x-dev
Status:Active» Fixed
StatusFileSize
new588 bytes

Thanks for reporting! Committed attached patch to all 2.x branches.

A new development snapshot will be available within the next 12 hours. This improvement will be available in the next official release.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Status:Closed (fixed)» Active

I was about to open an issue when I noticed the absolute URL starting with // (instead of http or https). Is this a usual practice? Why not https://mollom... instead of http://mollom...?

Update

After reading a bit, I see it _is_ a thing although it comes with a few caveats. Wouldn't it be safer to check if the drupal site is ssl or not, and set the correct scheme?

Status:Active» Closed (fixed)

Protocol-free URIs are a very common practice to deal with this kind of issue. As long as the host delivers the resource both on HTTPS and HTTP (which Mollom does), this is known to work, in all browsers and versions.