Add client-side check for protocol mismatch

Summary: Fixes T10402. I tried about 50 variations on the wording and notification layout, this seemed by far the most reasonable. Didn't implement a way to ignore the warning, which might be required - but figured this is serious and broken enough while being completely invisible 99% of the time that it's worth shouting about. Test Plan: Messed around with $_SERVER['HTTPS'] on the server side and client_uri on the client side - saw reasonable results in all combinations. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: epriestley Maniphest Tasks: T10402 Differential Revision: https://secure.phabricator.com/D16064
2024-11-10 00:42:41 +01:00 · 2016-06-06 22:01:18 +00:00 · 2016-06-06 22:01:18 +00:00 · f0eb6f4fe0
commit f0eb6f4fe0
parent 814fa135b0
4 changed files with 71 additions and 1 deletions
--- a/resources/celerity/map.php
+++ b/resources/celerity/map.php
@ -8,7 +8,7 @@
 return array(
  'names' => array(
    'core.pkg.css' => 'b9927580',
-    'core.pkg.js' => '3f15fa62',
+    'core.pkg.js' => '3f2c120d',
    'darkconsole.pkg.js' => 'e7393ebb',
    'differential.pkg.css' => 'f3fb8324',
    'differential.pkg.js' => '4b7d8f19',
@ -507,6 +507,7 @@ return array(
    'rsrc/js/core/behavior-search-typeahead.js' => '06c32383',
    'rsrc/js/core/behavior-select-content.js' => 'bf5374ef',
    'rsrc/js/core/behavior-select-on-click.js' => '4e3e79a6',
+    'rsrc/js/core/behavior-setup-check-https.js' => '491416b3',
    'rsrc/js/core/behavior-time-typeahead.js' => '522431f7',
    'rsrc/js/core/behavior-toggle-class.js' => '92b9ec77',
    'rsrc/js/core/behavior-tokenizer.js' => 'b3a4b884',
@ -692,6 +693,7 @@ return array(
    'javelin-behavior-search-reorder-queries' => 'e9581f08',
    'javelin-behavior-select-content' => 'bf5374ef',
    'javelin-behavior-select-on-click' => '4e3e79a6',
+    'javelin-behavior-setup-check-https' => '491416b3',
    'javelin-behavior-slowvote-embed' => '887ad43f',
    'javelin-behavior-stripe-payment-form' => '3f5d6dbf',
    'javelin-behavior-test-payment-form' => 'fc91ab6c',
@ -1214,6 +1216,11 @@ return array(
      'phabricator-drag-and-drop-file-upload',
      'phabricator-textareautils',
    ),
+    '491416b3' => array(
+      'javelin-behavior',
+      'javelin-uri',
+      'phabricator-notification',
+    ),
    '49b73b36' => array(
      'javelin-behavior',
      'javelin-dom',
@ -2340,6 +2347,7 @@ return array(
      'javelin-behavior-durable-column',
      'conpherence-thread-manager',
      'javelin-behavior-detect-timezone',
+      'javelin-behavior-setup-check-https',
    ),
    'darkconsole.pkg.js' => array(
      'javelin-behavior-dark-console',
--- a/resources/celerity/packages.php
+++ b/resources/celerity/packages.php
@ -82,6 +82,7 @@ return array(
    'javelin-behavior-durable-column',
    'conpherence-thread-manager',
    'javelin-behavior-detect-timezone',
+    'javelin-behavior-setup-check-https',
  ),
  'core.pkg.css' => array(
    'phabricator-core-css',
--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@ -239,6 +239,28 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView
            'ignoreKey' => $ignore_key,
            'ignore' => $ignore,
          ));
+
+        if ($user->getIsAdmin()) {
+          $server_https = $request->isHTTPS();
+          $server_protocol = $server_https ? 'HTTPS' : 'HTTP';
+          $client_protocol = $server_https ? 'HTTP' : 'HTTPS';
+
+          $doc_name = 'Configuring a Preamble Script';
+          $doc_href = PhabricatorEnv::getDoclink($doc_name);
+
+          Javelin::initBehavior(
+            'setup-check-https',
+            array(
+              'server_https' => $server_https,
+              'doc_name' => pht('See Documentation'),
+              'doc_href' => $doc_href,
+              'message' => pht(
+                'Phabricator thinks you are using %s, but your '.
+                'client is conviced that it is using %s. This is a serious '.
+                'misconfiguration with subtle, but significant, consequences.',
+                $server_protocol, $client_protocol),
+            ));
+        }
      }

      $default_img_uri =
--- a/webroot/rsrc/js/core/behavior-setup-check-https.js
+++ b/webroot/rsrc/js/core/behavior-setup-check-https.js
@ -0,0 +1,39 @@
+/**
+ * @provides javelin-behavior-setup-check-https
+ * @requires javelin-behavior
+ *           javelin-uri
+ *           phabricator-notification
+ */
+
+JX.behavior('setup-check-https', function(config) {
+
+  var server_https = config.server_https;
+
+  var client_uri = new JX.URI(window.location.href);
+  var client_protocol = client_uri.getProtocol();
+  var client_https = (client_protocol === 'https');
+
+  if (server_https === client_https) {
+    return;
+  }
+
+  var doc_link = JX.$N(
+    'a',
+    {
+      href: config.doc_href,
+      target: '_blank'
+    },
+    config.doc_name);
+
+  var content = [
+    config.message,
+    ' ',
+    doc_link,
+  ];
+
+  new JX.Notification()
+    .alterClassName('jx-notification-alert', true)
+    .setContent(content)
+    .setDuration(0)
+    .show();
+});