Re: [Dynapi-Help] secure http

[Leif W <war...@us...>]

To get the protocol name you'll need to look at the full URI
(http://site/path/file.html) and not just the URL (/path/file.html).  At
that point in the script, it is making decisions without enough
information, based only on the URL.  So, it's got to be pulled from
elsewhere.  As I said before, I never really modified the ioelement.js
(except some other minor thing), so I haven't got a good sense of what
goes on in there, yet.

Leif

----- Original Message ----- 
From: "Jeremy Wanamaker" <je...@ma...>
To: <dyn...@li...>
Sent: Wednesday, May 05, 2004 10:52 AM
Subject: Re: [Dynapi-Help] secure http


> Ok, I tried changing that http to https in ioelement.js and it worked.
> Sorry, I should have tried it before I wrote that last email.
>
> What I'm wondering now is if there is a way to differentiate between
> secure/non-secure connections so that the appropriate prefix
(http/https)
> could be attached at
>
> if (url.substr(0,1)=='/') url =
'http://'+dynapi.frame.document.domain+url;
>
> and you wouldn't have to run separate copies of dynapi for secure and
> non-secure servers.
>
>
> ----- Original Message ----- 
> From: "Jeremy Wanamaker" <je...@ma...>
> To: <dyn...@li...>
> Sent: Wednesday, May 05, 2004 10:26 AM
> Subject: Re: [Dynapi-Help] secure http
>
>
> > Leif,
> >
> > What you have described is exactly what I am trying to do.
> >
> > > script over HTTPS to get data from a MySQL server.  I've used
ioelement
> > > to talk to both Perl and PHP scripts, over HTTPS.  But in my case,
all
> > > these servers are running on the same mahine and I have total
control
> >
> > Because Mozilla crashes, I'm having a difficult time debugging the
error.
> > IE's script debugger says it's crashing in _monitorTransactions in
> > ioelement.js. at the following if statement:
> >
> >        elm=this.getScope(r[4]);
> >        if(elm && elm.document && !elm.document._tranState){
> >
> > So I'm assuming the getScope function on the previous line is
returning a
> > null value. I'm not sure why this would be, and maybe I'm way off
base.
> The
> > only other thing I'm wondering about is if the following lines are
causing
> a
> > problem in _doRequest
> >
> >             if (url.indexOf('http')!=0) {
> >                 if (url.substr(0,1)=='/') url =
> > 'http://'+dynapi.frame.document.domain+url;
> >                 else url = dynapi.documentPath+url;
> >             }
> >
> > Did you have to change these lines to set the url variable to start
with
> > https rather than http?
> >
> > Thanks for your help.
> >
> > Jeremy
> >
> >
> >
> > ----- Original Message ----- 
> > From: "Leif W" <war...@us...>
> > To: <dyn...@li...>
> > Sent: Monday, May 03, 2004 11:22 AM
> > Subject: Re: [Dynapi-Help] secure http
> >
> >
> > > Hmm, not sure about that one.  But the first part makes sense: you
don't
> > > want to start loading insecure data over a secure connection,
because
> > > then the data that is loaded is not going to be transmitted
securely,
> > > giving the false impression to the user that the entire session is
> > > secure.  The second part, about the browser going into a loop and
giving
> > > an application error, seems like a bug a Doug suggested, but I
have no
> > > idea.
> > >
> > > How are you calling this PHP script?  Is there any reason you
can't use
> > > a secure URL to the PHP script in the JS code?
> > > https://domain.dom/sql.php  Then, you are just talking HTTP over a
> > > secure connection, and the browser won't know or care what the PHP
> > > script does insecurely while talking to the database (which could
be
> > > another point of concern from the security view).  I use a plain
PHP
> > > script over HTTPS to get data from a MySQL server.  I've used
ioelement
> > > to talk to both Perl and PHP scripts, over HTTPS.  But in my case,
all
> > > these servers are running on the same mahine and I have total
control
> > > over it, so I know it's configured to work the way I expect.  I
haven't
> > > tried having the initial web page on one HTTPS server, and calling
the
> > > PHP from a separate HTTP/HTTPS server, which may be what you're
doing.
> > >
> > > If you have control over the database machine, and it's a UNIX
box, you
> > > can install a program that enables SSL connections to arbitrary
server
> > > programs, with no modification to the server.  Two such programs I
am
> > > aware of (both use OpenSSL) are stunnel and sslwrap.  I'm using
stunnel
> > > for SWAT (Samba Web Administration Tool), which doesn't use
Apache, it
> > > has it's own web server functionality, but specifically for the
task at
> > > hand.
> > >
> > > Leif
> > >
> > > ----- Original Message ----- 
> > > From: "Jeremy Wanamaker" <je...@ma...>
> > > To: <dyn...@li...>
> > > Sent: Monday, May 03, 2004 9:47 AM
> > > Subject: Re: [Dynapi-Help] secure http
> > >
> > >
> > > > Sorry, I should have been more specific in my original email. I
am
> > > using
> > > > Dynapi 3 with ioelement.js to get data from a database via php
> > > scripts. It
> > > > works fine when it's running over http (port 80). When I switch
to
> > > https
> > > > (port 443), Mozilla gives me the following warning:
> > > >
> > > > Although this page is encrypted, the information you have
entered is
> > > to be
> > > > sent over an unencrypted connection and could easily be read by
a
> > > third
> > > > party.
> > > >
> > > > It asks me if wish to continue.... I click yes and then mozilla
goes
> > > into a
> > > > loop and gets an application error. Any idea on how I can fix
this. I
> > > really
> > > > need to be able to use secure http for my application.
> > > >
> > > > Jeremy
> > > >
> > > > ----- Original Message ----- 
> > > > From: "Leif W" <war...@us...>
> > > > To: <dyn...@li...>
> > > > Sent: Friday, April 30, 2004 10:08 PM
> > > > Subject: Re: [Dynapi-Help] secure http
> > > >
> > > >
> > > > > Work in what way?  It should work fine in a general sense.
The
> > > browser
> > > > > handles the connection to the server.  The server does not
care what
> > > the
> > > > > file contents are, they are just static javascript files.  The
> > > browser
> > > > > handles running the JavaScript, the server has no part in this
> > > process.
> > > > > I have a local copy of CVS with some of my tinkerings in it,
so it's
> > > a
> > > > > "dirty" copy of the CVS, but it's 99.99% untouched.  You can
see it
> > > at
> > > > > http://dynapi.kicks-ass.net/ , and you'll see, it
automatically
> > > > > redirects to the secure site.  I did most of my work with
IOElement
> > > and
> > > > > SODA here.
> > > > >
> > > > > :D  Ohh yeah, the site is down right now, as I'm modifying
some
> > > Apache
> > > > > config settings, to get more details in my log files, and I
kind of
> > > shut
> > > > > the site off and started modifying some live files so I can't
turn
> > > it
> > > > > back up until the configs are finished.  Should be tonight or
> > > tomorrow,
> > > > > once I am able to finish.
> > > > >
> > > > > In any case, what are you trying now and what isn't working?
> > > > >
> > > > > Leif
> > > > >
> > > > > ----- Original Message ----- 
> > > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > > To: <dyn...@li...>
> > > > > Sent: Friday, April 30, 2004 3:35 PM
> > > > > Subject: [Dynapi-Help] secure http
> > > > >
> > > > >
> > > > > > Is anyone aware of a way to get DynAPI 3 working with a
secure
> > > http
> > > > > server?
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Jeremy
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -------------------------------------------------------
> > > > > This SF.Net email is sponsored by: Oracle 10g
> > > > > Get certified on the hottest thing ever to hit the market...
Oracle
> > > 10g.
> > > > > Take an Oracle 10g class now, and we'll give you the exam
FREE.
> > > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > > _______________________________________________
> > > > > Dynapi-Help mailing list
> > > > > Dyn...@li...
> > > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > > >
> > > >
> > > >
> > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email is sponsored by: Oracle 10g
> > > > Get certified on the hottest thing ever to hit the market...
Oracle
> > > 10g.
> > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > _______________________________________________
> > > > Dynapi-Help mailing list
> > > > Dyn...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > > >
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by: Oracle 10g
> > > Get certified on the hottest thing ever to hit the market...
Oracle 10g.
>
> > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > _______________________________________________
> > > Dynapi-Help mailing list
> > > Dyn...@li...
> > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> > >
> >
> >
> >
> > -------------------------------------------------------
> > This SF.Net email is sponsored by: Oracle 10g
> > Get certified on the hottest thing ever to hit the market... Oracle
10g.
> > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > _______________________________________________
> > Dynapi-Help mailing list
> > Dyn...@li...
> > https://lists.sourceforge.net/lists/listinfo/dynapi-help
> >
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: Oracle 10g
> Get certified on the hottest thing ever to hit the market... Oracle
10g.
> Take an Oracle 10g class now, and we'll give you the exam FREE.
> http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> _______________________________________________
> Dynapi-Help mailing list
> Dyn...@li...
> https://lists.sourceforge.net/lists/listinfo/dynapi-help
>
>