ssl_requirement ajax call from non https to https

I have a page that has nothing on it that needs to be secured by SSL, except when someone wants to hit an ajax request to login.

I don't want to secure every page, just so that when I render a partial that needs to be https, it'll be protected.

I'm using the ssl_requirement plugin.

Any ideas on what to do? Is this even possible? Or will I have to encrypt every single page? I'd rather not do popup windows, everything's nice and slickly inserted with cool DOM manipulation.

Thanks!

> I have a page that has nothing on it that needs to be secured by SSL, except when someone wants to hit an ajax request to login.
>
> I don't want to secure every page, just so that when I render a partial that needs to be https, it'll be protected.

I think that single origin policy says you can't do that. If your
login form is a regular form then you'll be ok.

Fred

Yes, but a regular form will submit non ssl encrypted information, so that would defeat the purpose.

So I need to render the partial as https... but only when I need.

Currently there's a link_to_remote that hits an action that's ssl_required, but that doesn't work unless the page that's going to render that partial through ajax is also ssl_required.

Since this link_to_remote lives everywhere, that'd mean my entire site needs to be secured by ssl. That's ridiculous. I'm sure this is a common problem, what are people doing to solve this issue?

> Yes, but a regular form will submit non ssl encrypted information, so that would defeat the purpose.

Not if you set the url for that normal form to be an https one. Still
doesn't help you as far as the ajaxyness goes. Is it not acceptable
for the link_to_remote to insert into the page a form (and for that
form submit to be a regular non ajax form)?

Fred

So if I modified my form to use a https protocol, I could load up the form without it being https, and the submission would still be SSL secured?

> So if I modified my form to use a https protocol, I could load up the form without it being https, and the submission would still be SSL secured?

Yup, that should work (with a non ajax form)

Fred

In theory it should work, but with this ssl_requirement plugin, it's still not happy. When I try to give my form a protocol, it does a few different things:

:protocol => 'https'

yields this on my localhost (for testing): httpslocalhost/controller/action

Which is really weird. And nothing happens if I give it the https:// protocol.

It might be a problem with my lighty setup proxying the ssl over to the mongrel. I know lighty sits on port 80, so it might not be hit correctly, while ssl_requirement will forward you correctly.

Any other ideas?

Thanks again for your help so far.

> In theory it should work, but with this ssl_requirement plugin, it's still not happy. When I try to give my form a protocol, it does a few different things:
>
> :protocol => 'https'
>
> yields this on my localhost (for testing): httpslocalhost/controller/action

Hmm, protocol => 'https://' should work if I recall correctly. As a test, does it work if you specify the url in full (i.e. just
hardcode https://localhost/foo/bar)?

Fred

protocol => 'https://' does work, but it's weird that we have to include the ://.

Anyway, I ended up using the iframe trick of doing a target in the form tag.

I still can't believe more people don't have this issue?

I'm getting a problem now that it's no longer AJAX'y. I'm using a responds_to_parent plugin which doesn't seem to be working either.

Nobody else has ever come across this issue?
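
Added example, not part of the thread and not code from ssl_requirement: a Ruby check that resolves a form's action against the page URL the way a browser does, showing that the `httpslocalhost/controller/action` value reported above is a relative URL and would be submitted over plain HTTP. The helper names and the page URL `http://localhost/home` are assumptions made for the illustration.

```ruby
require 'uri'

# Build an absolute form action from a protocol given either as 'https' or
# 'https://' (both spellings appear in the thread). Hypothetical helper.
def form_action(protocol, host, path)
  scheme = protocol.to_s.sub(%r{://\z}, '')
  unless %w[http https].include?(scheme)
    raise ArgumentError, "unsupported protocol: #{protocol.inspect}"
  end
  "#{scheme}://#{host}#{path}"
end

# Resolve the action against the page that contains the form, as a browser
# does, and return the URL the form fields would actually be sent to.
def effective_submit_url(page_url, action)
  URI.join(page_url, action).to_s
end

# True only when the resolved submit URL uses the https scheme.
def submits_over_tls?(page_url, action)
  URI.parse(effective_submit_url(page_url, action)).scheme == 'https'
end

# Constructed sample input: the login form is inserted into a plain-HTTP page.
PAGE = 'http://localhost/home'

if __FILE__ == $0
  [
    'httpslocalhost/controller/action',                       # output seen in the thread
    '/controller/action',                                     # relative action
    form_action('https', 'localhost', '/controller/action'),
    form_action('https://', 'localhost', '/controller/action')
  ].each do |action|
    verdict = submits_over_tls?(PAGE, action) ? 'TLS' : 'CLEARTEXT'
    puts "#{verdict.ljust(9)} #{action} -> #{effective_submit_url(PAGE, action)}"
  end
end
```

The check only covers the submission itself: the page that delivers the form is still served over HTTP, so its markup, including the form's action, is not integrity-protected in transit.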