
Add client-side check for protocol mismatch

Summary:
Fixes T10402.
I tried about 50 variations on the wording and notification layout, this seemed by far the most reasonable.
Didn't implement a way to ignore the warning, which might be required - but figured this is serious and broken enough while being completely invisible 99% of the time that it's worth shouting about.

Test Plan: Messed around with $_SERVER['HTTPS'] on the server side and client_uri on the client side - saw reasonable results in all combinations.

Reviewers: #blessed_reviewers, epriestley

Reviewed By: #blessed_reviewers, epriestley

Subscribers: epriestley

Maniphest Tasks: T10402

Differential Revision: https://secure.phabricator.com/D16064

+71 -1
+9 -1
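--- a/resources/celerity/map.php
+++ b/resources/celerity/map.php
@@ -8,7 +8,7 @@
 return array(
 'names' => array(
 'core.pkg.css' => 'b9927580',
-'core.pkg.js' => '3f15fa62',
+'core.pkg.js' => '3f2c120d',
 'darkconsole.pkg.js' => 'e7393ebb',
 'differential.pkg.css' => 'f3fb8324',
 'differential.pkg.js' => '4b7d8f19',
@@ -507,6 +507,7 @@
 'rsrc/js/core/behavior-search-typeahead.js' => '06c32383',
 'rsrc/js/core/behavior-select-content.js' => 'bf5374ef',
 'rsrc/js/core/behavior-select-on-click.js' => '4e3e79a6',
+'rsrc/js/core/behavior-setup-check-https.js' => '491416b3',
 'rsrc/js/core/behavior-time-typeahead.js' => '522431f7',
 'rsrc/js/core/behavior-toggle-class.js' => '92b9ec77',
 'rsrc/js/core/behavior-tokenizer.js' => 'b3a4b884',
@@ -692,6 +693,7 @@
 'javelin-behavior-search-reorder-queries' => 'e9581f08',
 'javelin-behavior-select-content' => 'bf5374ef',
 'javelin-behavior-select-on-click' => '4e3e79a6',
+'javelin-behavior-setup-check-https' => '491416b3',
 'javelin-behavior-slowvote-embed' => '887ad43f',
 'javelin-behavior-stripe-payment-form' => '3f5d6dbf',
 'javelin-behavior-test-payment-form' => 'fc91ab6c',
@@ -1214,6 +1216,11 @@
 'phabricator-drag-and-drop-file-upload',
 'phabricator-textareautils',
 ),
+'491416b3' => array(
+'javelin-behavior',
+'javelin-uri',
+'phabricator-notification',
+),
 '49b73b36' => array(
 'javelin-behavior',
 'javelin-dom',
@@ -2340,6 +2347,7 @@
 'javelin-behavior-durable-column',
 'conpherence-thread-manager',
 'javelin-behavior-detect-timezone',
+'javelin-behavior-setup-check-https',
 ),
 'darkconsole.pkg.js' => array(
 'javelin-behavior-dark-console',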
+1
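--- a/resources/celerity/packages.php
+++ b/resources/celerity/packages.php
@@ -82,6 +82,7 @@
 'javelin-behavior-durable-column',
 'conpherence-thread-manager',
 'javelin-behavior-detect-timezone',
+'javelin-behavior-setup-check-https',
 ),
 'core.pkg.css' => array(
 'phabricator-core-css',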
+22
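--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@@ -239,6 +239,28 @@
 'ignoreKey' => $ignore_key,
 'ignore' => $ignore,
 ));
+
+if ($user->getIsAdmin()) {
+$server_https = $request->isHTTPS();
+$server_protocol = $server_https ? 'HTTPS' : 'HTTP';
+$client_protocol = $server_https ? 'HTTP' : 'HTTPS';
+
+$doc_name = 'Configuring a Preamble Script';
+$doc_href = PhabricatorEnv::getDoclink($doc_name);
+
+Javelin::initBehavior(
+'setup-check-https',
+array(
+'server_https' => $server_https,
+'doc_name' => pht('See Documentation'),
+'doc_href' => $doc_href,
+'message' => pht(
+'Phabricator thinks you are using %s, but your '.
+'client is conviced that it is using %s. This is a serious '.
+'misconfiguration with subtle, but significant, consequences.',
+$server_protocol, $client_protocol),
+));
+}
 }
 
 $default_img_uri =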
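Review bot: The user-visible string on new line 259 misspells "convinced" as "conviced", and because it passes through pht() the typo also ends up in the translation catalog; change the line to `'client is convinced that it is using %s. This is a serious '.`. A short why-comment above the `if ($user->getIsAdmin())` block on line 243 would help the next maintainer, e.g. `// Warn admins when the protocol PHP detected differs from the one the browser used; the preamble-script docs cover the fix.` — that this is the case the linked doc addresses is inferred from the doc title and should be confirmed. The block that the `}` on new line 264 closes starts outside the hunk, so whether `$user` is guaranteed non-null at line 243 cannot be verified from the visible lines.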
+39
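--- a/webroot/rsrc/js/core/behavior-setup-check-https.js
+++ b/webroot/rsrc/js/core/behavior-setup-check-https.js
@@ -0,0 +1,39 @@
+/**
+* @provides javelin-behavior-setup-check-https
+* @requires javelin-behavior
+* javelin-uri
+* phabricator-notification
+*/
+
+JX.behavior('setup-check-https', function(config) {
+
+var server_https = config.server_https;
+
+var client_uri = new JX.URI(window.location.href);
+var client_protocol = client_uri.getProtocol();
+var client_https = (client_protocol === 'https');
+
+if (server_https === client_https) {
+return;
+}
+
+var doc_link = JX.$N(
+'a',
+{
+href: config.doc_href,
+target: '_blank'
+},
+config.doc_name);
+
+var content = [
+config.message,
+' ',
+doc_link,
+];
+
+new JX.Notification()
+.alterClassName('jx-notification-alert', true)
+.setContent(content)
+.setDuration(0)
+.show();
+});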
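Review bot: The documentation link built on new lines 20–26 opens with `target: '_blank'` and sets no `rel` attribute, so the opened page receives a `window.opener` reference back to this admin's tab; add `rel: 'noopener'` beside `target: '_blank'`, assuming JX.$N passes unrecognised keys through as plain attributes. The trailing comma after `doc_link,` on line 31 is fine in current engines but is a known array-literal hazard in older browsers and can simply be dropped. A one-line header comment stating the contract, e.g. `// Compares the protocol the server believes it served (config.server_https) with the one the browser actually used and shows a persistent alert on mismatch.`, would make the behavior's purpose readable from the file itself rather than from the PHP that initialises it.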