This module breaks SSL websites by including non-SSL content. Please fix.

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

budda’s picture

Status: Active » Postponed (maintainer needs more info)

I don't have an SSL host to test on right now.
I've scanned over the widget code and there doesn't appear to be any absolute urls to images in the code.

Care to point me in the right direction of some offending non-SSL compatible content ?

Miszel’s picture

I may be wrong but isn't it the geo plug-in (http://www.geoplugin.net/javascript.gp) that causes the problem?

budda’s picture

Assigned: Unassigned » budda
Status: Postponed (maintainer needs more info) » Needs review

if that is the case we could alter the javascript code to load from https://www.geoplugin.net/javascript.gp but that domain has an untrusted SSL certificate.

i've amended the code to use drupal_add_js('https://www.geoplugin.net/javascript.gp', array('type' => 'external'));

Viewing my local non-SSL site I cannot see any adverse affects in Chrome or Firefox browsers regarding the certificate not being trusted.
If you could test this on your SSL enabled site and feedback that would be appreciated.

Code will be available in the -dev snapshot or directly from Git.

greggles’s picture

Status: Needs review » Fixed

If it's committed then this should probably be "fixed" - thanks for the work!

I know you'd like to get more testing, but if this doesn't work for someone they can re-open it.

onejam’s picture

Version: 7.x-1.3 » 7.x-1.4

Hi,

I'm getting this message on IE9:

"Internet explorer blocked this website from displaying content with security certificate errors"

But when cookie control is disabled the message does not show. This also happens in version 7.x-1.4 Not sure if this is a related issue?

thanks,

pjcdawkins’s picture

Version: 7.x-1.4 » 7.x-1.x-dev
Status: Fixed » Active

This is definitely not fixed. The change in #3 means that the script won't load, and in some browsers it'll give the security error in #5. SSL sites won't ever work with geoPlugin until the geoPlugin certificate is fixed.

Can you make it so that geoPlugin won't be loaded at all, if no geographical restrictions have been set by the admin?

budda’s picture

@pjcdawkins good point. CookieControl script by CivicUK imposed the requirement. I've not made the module not include it if no country is specified. I've pushed this change to the dev branch & download snapshot for now. Grab it and test it please.

budda’s picture

Status: Active » Needs work

@duvien the SSL issues are caused by the GeoPlugin domain name SSL certificate expiring back in March 2012! See https://groups.google.com/d/topic/geoplugin/NWteHjKZlSQ/discussion for more details.

Can anybody recommend an alternative to geoplugin.net ?

budda’s picture

Status: Needs work » Fixed

I've updated the CookieControl module to use https://ssl.geoplugin.net/javascript.gp and the certificate is working well on the sub domain.
Committed change to dev branch and dev snapshot will include this in due course.

onejam’s picture

Hi Budda,

I've tested it out with the new url (https://ssl.geoplugin.net/javascript.gp) and can confirm that it seems to be fixed the issue on IE.

Thanks,

DeafOldGorilla’s picture

This error's also happening (but rather more dramatically) on Opera. Users looking forward to a release now everyone gets it.

budda’s picture

Did you try release 1.5 ?

DeafOldGorilla’s picture

Yes, I'm on release 1.5, but it still gets a problem looking for the www.geoplugin.net certificate. Has the fix that was committed to dev been incorporated into 1.5?

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

ursula00’s picture

Version: 7.x-1.x-dev » 7.x-1.6

The latest release still doesn't work with SSL sites.

ursula00’s picture

Status: Closed (fixed) » Needs work
Tharna’s picture

To use geoplugin over SSL you need a key from them (http://www.geoplugin.com/webservices/ssl).
Here is a patch that adds possibility to input your SSL key and automatically switches to SSL for script url and requests if key is defined.

joshuautley’s picture

Key costs 12 pounds per year. A paid solution is not what we're about here.