Posted to user@couchdb.apache.org by Kevin Cernekee <ce...@gmail.com> on 2014/08/12 22:57:19 UTC
Detecting whether SSL is being used
Hi,
The ACRA package includes a JavaScript list function[1] which
generates an RSS feed. The resultant XML document needs to contain
absolute URLs to other documents in the CouchDB instance.
One concern I had with this code is that the generated URLs always use
http:. Viewing the linked pages requires logging in with admin
rights, so it is better to generate a https: URL when possible.
Ideally this would be determined based on whether the RSS feed's URL
used http or https. Unfortunately I was not able to find any
indication of SSL status in the CouchDB JavaScript docs[2] or in the
"req" JSON object.
Another concern is that it is using "req.headers.Host" to derive the
hostname; this appears to come from the raw HTTP headers. It is not
clear to me whether this string is validated/sanitized in 100% of all
cases. It might be safer to take this from the server configuration
than from the user request.
Is there a way to access the URL protocol (http/https) and hostname
from JavaScript, similar to the HTTPS and HTTP_HOST environment
variables on Apache httpd?
[1] https://github.com/ACRA/acra-storage/blob/master/lists/rss.js
[2] http://docs.couchdb.org/en/latest/query-server/javascript.html
Re: Detecting whether SSL is being used
Posted by Jens Alfke <je...@couchbase.com>.
> On Aug 12, 2014, at 1:57 PM, Kevin Cernekee <ce...@gmail.com> wrote:
>
> The ACRA package includes a JavaScript list function[1] which
> generates an RSS feed. The resultant XML document needs to contain
> absolute URLs to other documents in the CouchDB instance.
It's valid for a feed to contain relative URLs with absolute paths; this can help avoid needing knowledge of the server's hostname or SSL status.
For example, the URL of an article is allowed to be "/db/article1/body.html" instead of "https://example.com/db/article1/body.html". The feed processor will interpret this relative to the base URL of the website.
—Jens
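
The two approaches raised in this thread (taking the scheme and host from server-side configuration rather than from "req.headers.Host", or emitting absolute-path relative URLs) can be sketched as follows. This is an added example, not code from ACRA, CouchDB, or either poster; `CONFIGURED_BASE`, `absolutePath`, `itemLink` and `isAllowedHost` are hypothetical names, and all host names and ids are constructed.

```javascript
// Added example. CONFIGURED_BASE is a hypothetical deployment setting
// (constructed value), not a CouchDB API. Set it to null to emit
// absolute-path relative links instead.
var CONFIGURED_BASE = "https://couch.example.com:6984";

// Percent-encode every segment so a database name or document id cannot
// inject '/', '?', '#', quotes or markup into the generated link.
function absolutePath(segments) {
  return "/" + segments.map(function (s) {
    return encodeURIComponent(String(s));
  }).join("/");
}

// Build the link for one feed item. The scheme and host come only from
// configuration, never from the request; with no base, the link is relative.
function itemLink(dbName, docId, base) {
  var path = absolutePath([dbName, docId]);
  if (base === null || base === undefined) {
    return path;
  }
  // Accept only a bare https origin: no path, query, userinfo or http:.
  if (!/^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i.test(base)) {
    throw new Error("base must be an https origin");
  }
  return base + path;
}

// For code that still has to read the Host header: accept it only if it
// has hostname[:port] shape and matches an explicit allowlist.
function isAllowedHost(hostHeader, allowed) {
  if (typeof hostHeader !== "string") {
    return false;
  }
  if (!/^[a-z0-9.-]+(:\d{1,5})?$/i.test(hostHeader)) {
    return false;
  }
  return allowed.indexOf(hostHeader.toLowerCase()) !== -1;
}

// Constructed inputs: a hostile document id and a hostile Host value.
console.log(itemLink("acra-app", "r1\"><x", CONFIGURED_BASE));
console.log(itemLink("acra-app", "r1", null));
console.log(isAllowedHost("evil.example\"><x", ["couch.example.com:6984"]));
```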