Posted to user@couchdb.apache.org by Kevin Cernekee <ce...@gmail.com> on 2014/08/12 22:57:19 UTC

Detecting whether SSL is being used

Hi,

The ACRA package includes a JavaScript list function[1] which
generates an RSS feed.  The resultant XML document needs to contain
absolute URLs to other documents in the CouchDB instance.

One concern I had with this code is that the generated URLs always use
http:.  Viewing the linked pages requires logging in with admin
rights, so it is better to generate a https: URL when possible.
Ideally this would be determined based on whether the RSS feed's URL
used http or https.  Unfortunately I was not able to find any
indication of SSL status in the CouchDB JavaScript docs[2] or in the
"req" JSON object.

Another concern is that it is using "req.headers.Host" to derive the
hostname; this appears to come from the raw HTTP headers.  It is not
clear to me whether this string is validated/sanitized in 100% of all
cases.  It might be safer to take this from the server configuration
than from the user request.

Is there a way to access the URL protocol (http/https) and hostname
from JavaScript, similar to the HTTPS and HTTP_HOST environment
variables on Apache httpd?


[1] https://github.com/ACRA/acra-storage/blob/master/lists/rss.js
[2] http://docs.couchdb.org/en/latest/query-server/javascript.html

Re: Detecting whether SSL is being used

Posted by Jens Alfke <je...@couchbase.com>.
> On Aug 12, 2014, at 1:57 PM, Kevin Cernekee <ce...@gmail.com> wrote:
> 
> The ACRA package includes a JavaScript list function[1] which
> generates an RSS feed.  The resultant XML document needs to contain
> absolute URLs to other documents in the CouchDB instance.

It's valid for a feed to contain relative URLs with absolute paths; this can help avoid needing knowledge of the server's hostname or SSL status.

For example, the URL of an article is allowed to be "/db/article1/body.html" instead of "https://example.com/db/article1/body.html". The feed processor will interpret this relative to the base URL of the website.

—Jens
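
The approach discussed in this thread, as an added example that is not part of either message and is not ACRA or CouchDB code: link values are built from a configured origin, or left as absolute paths as the reply suggests, rather than from req.headers.Host. TRUSTED_ORIGIN, the function names and the sample request are assumptions constructed for illustration.

```javascript
// Added example: not code from ACRA or CouchDB.
// TRUSTED_ORIGIN is a hypothetical per-deployment setting; the value is constructed.
var TRUSTED_ORIGIN = "https://couch.example.com";

// Escape text before placing it in RSS element content or attributes.
function xmlEscape(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Absolute path to a document; each segment is percent-encoded so a
// database name or document id cannot add path segments or a query string.
function docPath(dbName, docId) {
  return "/" + encodeURIComponent(dbName) + "/" + encodeURIComponent(docId);
}

// Build the value for an RSS <link>. With an origin, scheme and host come
// from configuration; without one, only the absolute path is emitted and the
// feed reader resolves it against the feed's own URL.
function itemLink(dbName, docId, origin) {
  var path = docPath(dbName, docId);
  if (!origin) return xmlEscape(path);
  if (!/^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i.test(origin)) {
    throw new Error("origin must be https://host[:port]");
  }
  return xmlEscape(origin + path);
}

// Report whether the client-supplied Host header matches the configured
// origin. The header is only compared, never copied into the output.
function hostMatchesOrigin(req, origin) {
  var host = (req && req.headers && req.headers.Host) || "";
  return host.toLowerCase() === origin.replace(/^https:\/\//i, "").toLowerCase();
}

// Constructed request whose Host header carries markup characters.
var sampleReq = { headers: { Host: 'evil.example"><x' } };
```
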