applegrew / django-select2

This is a Django integration for Select2

Use https://<cdn>/ rather than //<cdn>/ for security?

hartwork opened this issue

Hi!

I noticed that there are a few places in here where CDNs are referenced using //<cdn>/ rather than https://<cdn>/. To my understanding that makes requests go through HTTP rather than HTTPS without any gains. Am I missing something? Would you welcome a patch?

# git grep -h "['\"]//" | sort -u
        assert f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/css/select2.min.css' in result
        assert f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/select2.min.js' in result
    CSS = '//cdnjs.cloudflare.com/ajax/libs/select2/{version}/css/select2.min.css'.format(version=LIB_VERSION)
            error = driver.find_element_by_xpath('//body[@JSError]')
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/de.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/en.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/sr-Cyrl.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/zh-CN.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/i18n/zh-TW.js',
            f'//cdnjs.cloudflare.com/ajax/libs/select2/{settings.SELECT2_LIB_VERSION}/js/select2.min.js',
    I18N_PATH = '//cdnjs.cloudflare.com/ajax/libs/select2/{version}/js/i18n'.format(version=LIB_VERSION)
    JS = '//cdnjs.cloudflare.com/ajax/libs/select2/{version}/js/select2.min.js'.format(version=LIB_VERSION)
<script src="//code.jquery.com/jquery-2.1.4.min.js"></script>

Hi @hartwork,

// will cause the browser to use the same scheme used by the parent page. If that is served via HTTPS, so will the asset. You can alter that behavior if you override base in your HTML head.

Anyhow, I don't see a big problem since one should serve their Django site only via HTTPS, and in development you always serve over HTTP, never file://, with runserver.

With all that being said, I will not reject a patch adding an explicit protocol. I'd welcome it :)

Best,
Joe
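
The scheme-inheritance behaviour described in the reply above, worked through as an added example (not code from django-select2 or from either participant): a protocol-relative asset URL is joined against the page URL, so an https page pulls the asset over https, an http page over http, and a file:// page ends up with a file:// reference; the helpers then pin such URLs to an explicit https:// the way the proposed patch would. The page URLs, the LIB_VERSION placeholder and the sample source lines are constructed for the example; the regex and function names are assumptions of this example, not project API.

```python
"""Resolve protocol-relative ("//host/path") asset URLs as a browser would,
and rewrite them to an explicit https:// scheme.

Added example for this issue thread; not code from django-select2.
"""
import re
from typing import List
from urllib.parse import urljoin, urlsplit, urlunsplit

LIB_VERSION = "0.0.0"  # placeholder version string, not a real select2 release

# Constructed sample inputs modelled on the grep output quoted in the issue.
SELECT2_CSS = f"//cdnjs.cloudflare.com/ajax/libs/select2/{LIB_VERSION}/css/select2.min.css"
JQUERY_TAG = '<script src="//code.jquery.com/jquery-2.1.4.min.js"></script>'

# Matches "//dotted.host/optional/path" that is not the tail of "scheme://".
# Requiring a dotted host keeps XPath expressions such as //body[@JSError] out.
PROTOCOL_RELATIVE = re.compile(
    r"""(?<![\w:/])                              # not preceded by ':' or another '/'
        //                                       # scheme-relative prefix
        (?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)+)    # dotted host name
        (?P<path>/[^\s'"<>]*)?                   # optional path
    """,
    re.IGNORECASE | re.VERBOSE,
)


def is_protocol_relative(url: str) -> bool:
    """True for '//host/path': a network location but no scheme of its own."""
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc != ""


def resolve_asset_url(page_url: str, asset_url: str) -> str:
    """Resolve the way a browser does: the asset inherits the scheme of the
    document (or of a <base href>, which is what would change page_url here)."""
    return urljoin(page_url, asset_url)


def force_https(url: str) -> str:
    """Pin a protocol-relative URL to https://; leave any other URL untouched."""
    if not is_protocol_relative(url):
        return url
    parts = urlsplit(url)
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def find_protocol_relative(text: str) -> List[str]:
    """Return the protocol-relative URLs embedded in a line of source or HTML."""
    return [m.group(0) for m in PROTOCOL_RELATIVE.finditer(text)]


def pin_protocol_relative(text: str) -> str:
    """Rewrite every protocol-relative URL in a source line to explicit https://."""
    return PROTOCOL_RELATIVE.sub(lambda m: "https:" + m.group(0), text)


if __name__ == "__main__":
    # Same asset reference, three different parent pages (constructed URLs).
    for page in ("https://example.com/admin/",
                 "http://localhost:8000/admin/",
                 "file:///tmp/page.html"):
        print(f"{page:30} -> {resolve_asset_url(page, SELECT2_CSS)}")
    print(pin_protocol_relative(JQUERY_TAG))
```

Running the block shows the inheritance directly: only the https page yields an https asset URL, which is the point of replacing the `//` prefix with an explicit scheme in shipped templates.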

I'm happy to create a pull request once my other pull requests #607 #608 #610 have been reviewed 🍻

So, no pressure you say? 😉

Here you go: #611