Problem/Motivation

When Shiny is installed on a site that uses SSL, some browsers will display an insecure data warning because of the link to Open Sans hosted on Google Fonts. This warning can vary in scale from degrading quietly in Chrome all the way to a full warning dialogue in Firefox and other browsers.

Proposed resolution

Rather than include the protocol in the @import statement of the CSS, as it currently is, I propose making this a non-specific protocol version. This will enable the browser to adapt the link depending on the protocol of the referring URL. A standard non-secure site will use the http protocol while an SSL site will use the https protocol, thus eliminating the error.

Remaining tasks

I've attached a quick patch that is ready for review.

CommentFileSizeAuthor
insecure-content-warning.patch740 bytesIgnigena
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Damien Tournoud’s picture

Status: Needs review » Reviewed & tested by the community

Yep, that's a stupid oversight.

dudenhofer’s picture

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

timaholt’s picture

Status: Closed (fixed) » Needs work

Hey opened what turns out to be a related ticket: http://drupal.org/node/1975138

Making this protocol agnostic now breaks css aggregation, because the aggregation assumes the // is a local file, doesn't find it, and drops the @import line altogether.

Ignigena’s picture

Status: Needs work » Fixed

Marking this as fixed since the CSS aggregation is a separate issue located at #1975138: CSS Aggregation breaks @import rule for Open Sans font

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.