You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@wicket.apache.org by Dmitriy Neretin <dm...@googlemail.com> on 2014/02/27 11:45:31 UTC

Potential HTTPS redirects bug with deactivated js

Hi,

I'm not sure if that a realy bug, but here is the description:

Activated JS: Start the quickstart -> Press the submit button -> See the
secured page with https!

Deactivates JS: (NoScript Firefox Plugin): Start the quickstart -> Press
the submit button -> See the secured page BUT with HTTP!

There was no proper https redirect.

If I change, the rendering strategy to REDIRECT_TO_BUFFER everything works
fine, but if I change the strategy to ONE_PASS_RENDER the https forwarding
does't work anymore. But only if I deactivate all scripts...

The problem is: I should use the ONE_PASS_RENDER strategy and I should
supoort No-JS :(


Thanks,
Dmitriy

Re: Potential HTTPS redirects bug with deactivated js

Posted by Dmitriy Neretin <dm...@googlemail.com>.

There is a workaround for the problem:

Extend RedirectPage -> anotate it with RequireHttps -> insert this page
between source (http) and target (https) pages.

The second redirect leads to the https page!

Dmitriy


2014-02-27 13:04 GMT+01:00 Dmitriy Neretin <dm...@googlemail.com>:

> Thanks for the response Sven!
>
> Issue created: https://issues.apache.org/jira/browse/WICKET-5522
>
> Dmitriy
>
>
> 2014-02-27 12:22 GMT+01:00 Sven Meier <sv...@meiers.net>:
>
> Hi Dmitriy,
>>
>> this is a bug in WebPageRenderer, so please open a Jira issue.
>>
>> A simple non-ajax button exposes the problem too, no need to tinker with
>> deactivated JS:
>>
>>         form.add(new AjaxButton("ajaxGo", form){});
>>         form.add(new Button("go"));
>>
>> Please change your quickstart before attaching it to the issue.
>>
>> Thanks
>> Sven
>>
>>
>> On 02/27/2014 11:45 AM, Dmitriy Neretin wrote:
>>
>>> Hi,
>>>
>>> I'm not sure if that a realy bug, but here is the description:
>>>
>>> Activated JS: Start the quickstart -> Press the submit button -> See the
>>> secured page with https!
>>>
>>> Deactivates JS: (NoScript Firefox Plugin): Start the quickstart -> Press
>>> the submit button -> See the secured page BUT with HTTP!
>>>
>>> There was no proper https redirect.
>>>
>>> If I change, the rendering strategy to REDIRECT_TO_BUFFER everything
>>> works fine, but if I change the strategy to ONE_PASS_RENDER the https
>>> forwarding does't work anymore. But only if I deactivate all scripts...
>>>
>>> The problem is: I should use the ONE_PASS_RENDER strategy and I should
>>> supoort No-JS :(
>>>
>>>
>>> Thanks,
>>> Dmitriy
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>>> For additional commands, e-mail: users-help@wicket.apache.org
>>>
>>
>>
>

Re: Potential HTTPS redirects bug with deactivated js

Posted by Dmitriy Neretin <dm...@googlemail.com>.

Thanks for the response Sven!

Issue created: https://issues.apache.org/jira/browse/WICKET-5522

Dmitriy


2014-02-27 12:22 GMT+01:00 Sven Meier <sv...@meiers.net>:

> Hi Dmitriy,
>
> this is a bug in WebPageRenderer, so please open a Jira issue.
>
> A simple non-ajax button exposes the problem too, no need to tinker with
> deactivated JS:
>
>         form.add(new AjaxButton("ajaxGo", form){});
>         form.add(new Button("go"));
>
> Please change your quickstart before attaching it to the issue.
>
> Thanks
> Sven
>
>
> On 02/27/2014 11:45 AM, Dmitriy Neretin wrote:
>
>> Hi,
>>
>> I'm not sure if that a realy bug, but here is the description:
>>
>> Activated JS: Start the quickstart -> Press the submit button -> See the
>> secured page with https!
>>
>> Deactivates JS: (NoScript Firefox Plugin): Start the quickstart -> Press
>> the submit button -> See the secured page BUT with HTTP!
>>
>> There was no proper https redirect.
>>
>> If I change, the rendering strategy to REDIRECT_TO_BUFFER everything
>> works fine, but if I change the strategy to ONE_PASS_RENDER the https
>> forwarding does't work anymore. But only if I deactivate all scripts...
>>
>> The problem is: I should use the ONE_PASS_RENDER strategy and I should
>> supoort No-JS :(
>>
>>
>> Thanks,
>> Dmitriy
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
>> For additional commands, e-mail: users-help@wicket.apache.org
>>
>
>

Re: Potential HTTPS redirects bug with deactivated js

Posted by Sven Meier <sv...@meiers.net>.

Hi Dmitriy,

this is a bug in WebPageRenderer, so please open a Jira issue.

A simple non-ajax button exposes the problem too, no need to tinker with 
deactivated JS:

         form.add(new AjaxButton("ajaxGo", form){});
         form.add(new Button("go"));

Please change your quickstart before attaching it to the issue.

Thanks
Sven

On 02/27/2014 11:45 AM, Dmitriy Neretin wrote:
> Hi,
>
> I'm not sure if that a realy bug, but here is the description:
>
> Activated JS: Start the quickstart -> Press the submit button -> See 
> the secured page with https!
>
> Deactivates JS: (NoScript Firefox Plugin): Start the quickstart -> 
> Press the submit button -> See the secured page BUT with HTTP!
>
> There was no proper https redirect.
>
> If I change, the rendering strategy to REDIRECT_TO_BUFFER everything 
> works fine, but if I change the strategy to ONE_PASS_RENDER the https 
> forwarding does't work anymore. But only if I deactivate all scripts...
>
> The problem is: I should use the ONE_PASS_RENDER strategy and I should 
> supoort No-JS :(
>
>
> Thanks,
> Dmitriy
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> For additional commands, e-mail: users-help@wicket.apache.org