Rails - Jul 2008 - ssl_requirement ajax call from non https to https

I have a page that has nothing on it that needs to be secured by SSL,
except when someone wants to hit an ajax request to login.

I don''t want to secure every page, just so that when I render a
partial that needs to be https, it''ll be protected.

I''m using the ssl_requirement plugin.

Any ideas on what to do?  Is this even possible?  Or will I have to
encrypt every single page?  I''d rather not do popup windows,
everything''s nice and slickly inserted with cool DOM manipulation.

Thanks!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

I have a page that has nothing on it that needs to be secured by SSL,
except when someone wants to hit an ajax request to login.

I don''t want to secure every page, just so that when I render a
partial that needs to be https, it''ll be protected.

I''m using the ssl_requirement plugin.

Any ideas on what to do?  Is this even possible?  Or will I have to
encrypt every single page?  I''d rather not do popup windows,
everything''s nice and slickly inserted with cool DOM manipulation.

Thanks!
-- 
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 31 Jul 2008, at 01:46, -kinetic wrote:
>
> I have a page that has nothing on it that needs to be secured by SSL,
> except when someone wants to hit an ajax request to login.
>
> I don''t want to secure every page, just so that when I render a
> partial that needs to be https, it''ll be protected.
>
I think that single origin policy says you can''t do that. If your  
login form is a regular form then you''ll be ok.

Fred

> I''m using the ssl_requirement plugin.
>
> Any ideas on what to do?  Is this even possible?  Or will I have to
> encrypt every single page?  I''d rather not do popup windows,
> everything''s nice and slickly inserted with cool DOM manipulation.
>
> Thanks!
> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Yes, but a regular form will submit non ssl encrypted information, so
that would defeat the purpose.

So I need to render the partial as https... but only when I need.

Currently there''s a link_to_remote that hits an action that''s
ssl_required, but that doesn''t work unless the page that''s
going to
render that partial through ajax is also ssl_required.

Since this link_to_remote lives everywhere, that''d mean my entire site
needs to be secured by ssl.  That''s ridiculous.  I''m sure this
is a
common problem, what are people doing to solve this issue?



On Jul 31, 3:49 am, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> On 31 Jul 2008, at 01:46, -kinetic wrote:
>
>
>
> > I have a page that has nothing on it that needs to be secured by SSL,
> > except when someone wants to hit an ajax request to login.
>
> > I don''t want to secure every page, just so that when I render
a
> > partial that needs to be https, it''ll be protected.
>
> I think that single origin policy says you can''t do that. If your
> login form is a regular form then you''ll be ok.
>
> Fred
>
> > I''m using the ssl_requirement plugin.
>
> > Any ideas on what to do?  Is this even possible?  Or will I have to
> > encrypt every single page?  I''d rather not do popup windows,
> > everything''s nice and slickly inserted with cool DOM
manipulation.
>
> > Thanks!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 31 Jul 2008, at 20:07, -kinetic wrote:
>
> Yes, but a regular form will submit non ssl encrypted information, so
> that would defeat the purpose.
Not if you set the url for that normal form to be an https one. Still  
doesn''t help you as far as the ajaxyness goes. Is it not acceptable  
for the link_to_remote to insert into the page a form (and for that  
form submit to be a regular non ajax form) ?

Fred
>
>
> So I need to render the partial as https... but only when I need.
>
> Currently there''s a link_to_remote that hits an action
that''s
> ssl_required, but that doesn''t work unless the page
that''s going to
> render that partial through ajax is also ssl_required.
>
> Since this link_to_remote lives everywhere, that''d mean my entire
site
> needs to be secured by ssl.  That''s ridiculous.  I''m sure
this is a
> common problem, what are people doing to solve this issue?
>
>
>
> On Jul 31, 3:49 am, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> wrote:
>> On 31 Jul 2008, at 01:46, -kinetic wrote:
>>
>>
>>
>>> I have a page that has nothing on it that needs to be secured by  
>>> SSL,
>>> except when someone wants to hit an ajax request to login.
>>
>>> I don''t want to secure every page, just so that when I
render a
>>> partial that needs to be https, it''ll be protected.
>>
>> I think that single origin policy says you can''t do that. If
your
>> login form is a regular form then you''ll be ok.
>>
>> Fred
>>
>>> I''m using the ssl_requirement plugin.
>>
>>> Any ideas on what to do?  Is this even possible?  Or will I have to
>>> encrypt every single page?  I''d rather not do popup
windows,
>>> everything''s nice and slickly inserted with cool DOM
manipulation.
>>
>>> Thanks!
> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

So if I modified my form to use a https protocol, I could load up the
form without it being https, and the submission would still be SSL
secured?

On Jul 31, 12:46 pm, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> On 31 Jul 2008, at 20:07, -kinetic wrote:
>
>
>
> > Yes, but a regular form will submit non ssl encrypted information, so
> > that would defeat the purpose.
>
> Not if you set the url for that normal form to be an https one. Still
> doesn''t help you as far as the ajaxyness goes. Is it not
acceptable
> for the link_to_remote to insert into the page a form (and for that
> form submit to be a regular non ajax form) ?
>
> Fred
>
>
>
> > So I need to render the partial as https... but only when I need.
>
> > Currently there''s a link_to_remote that hits an action
that''s
> > ssl_required, but that doesn''t work unless the page
that''s going to
> > render that partial through ajax is also ssl_required.
>
> > Since this link_to_remote lives everywhere, that''d mean my
entire site
> > needs to be secured by ssl.  That''s ridiculous.  I''m
sure this is a
> > common problem, what are people doing to solve this issue?
>
> > On Jul 31, 3:49 am, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> > wrote:
> >> On 31 Jul 2008, at 01:46, -kinetic wrote:
>
> >>> I have a page that has nothing on it that needs to be secured
by
> >>> SSL,
> >>> except when someone wants to hit an ajax request to login.
>
> >>> I don''t want to secure every page, just so that when
I render a
> >>> partial that needs to be https, it''ll be protected.
>
> >> I think that single origin policy says you can''t do that.
If your
> >> login form is a regular form then you''ll be ok.
>
> >> Fred
>
> >>> I''m using thessl_requirementplugin.
>
> >>> Any ideas on what to do?  Is this even possible?  Or will I
have to
> >>> encrypt every single page?  I''d rather not do popup
windows,
> >>> everything''s nice and slickly inserted with cool DOM
manipulation.
>
> >>> Thanks!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Jul 31, 11:56 pm, -kinetic
<kineti...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> So if I modified my form to use a https protocol, I could load up the
> form without it being https, and the submission would still be SSL
> secured?
>
Yup, that should work (with a non ajax form)

Fred
> On Jul 31, 12:46 pm, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> wrote:
>
> > On 31 Jul 2008, at 20:07, -kinetic wrote:
>
> > > Yes, but a regular form will submit non ssl encrypted
information, so
> > > that would defeat the purpose.
>
> > Not if you set the url for that normal form to be an https one. Still
> > doesn''t help you as far as the ajaxyness goes. Is it not
acceptable
> > for the link_to_remote to insert into the page a form (and for that
> > form submit to be a regular non ajax form) ?
>
> > Fred
>
> > > So I need to render the partial as https... but only when I need.
>
> > > Currently there''s a link_to_remote that hits an action
that''s
> > > ssl_required, but that doesn''t work unless the page
that''s going to
> > > render that partial through ajax is also ssl_required.
>
> > > Since this link_to_remote lives everywhere, that''d mean
my entire site
> > > needs to be secured by ssl.  That''s ridiculous.
 I''m sure this is a
> > > common problem, what are people doing to solve this issue?
>
> > > On Jul 31, 3:49 am, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> > > wrote:
> > >> On 31 Jul 2008, at 01:46, -kinetic wrote:
>
> > >>> I have a page that has nothing on it that needs to be
secured by
> > >>> SSL,
> > >>> except when someone wants to hit an ajax request to
login.
>
> > >>> I don''t want to secure every page, just so that
when I render a
> > >>> partial that needs to be https, it''ll be
protected.
>
> > >> I think that single origin policy says you can''t do
that. If your
> > >> login form is a regular form then you''ll be ok.
>
> > >> Fred
>
> > >>> I''m using thessl_requirementplugin.
>
> > >>> Any ideas on what to do?  Is this even possible?  Or will
I have to
> > >>> encrypt every single page?  I''d rather not do
popup windows,
> > >>> everything''s nice and slickly inserted with cool
DOM manipulation.
>
> > >>> Thanks!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On 1 Aug 2008, at 21:18, -kinetic wrote:
>
> In theory it should work, but with this ssl_requirement plugin,
it''s
> still not happy.  When I try to give my form a protocol, it does a few
> different things:
>
> :protocol => ''https''
>
> yields this on my localhost (for testing): httpslocalhost/controller/
> action
>
hmm, protocol => ''https://'' should work if i recall
correctly.
As a test, does it work if you specify the url in full (ie just  
hardcode https://localhost/foo/bar) ?


Fred
> Which is really weird.  And nothing happens if I give it the https://
> protocol.
>
> It might be a problem with my lighty setup proxying the ssl over to
> the mongrel.  I know lighty sits on port 80, so it might not be hit
> correctly, while ssl_requirement will forward you correctly.
>
> Any other ideas?
>
> Thanks again for your help so far.
>
> On Aug 1, 12:31 am, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> wrote:
>> On Jul 31, 11:56 pm, -kinetic
<kineti...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> So if I
>> modified my form to use a https protocol, I could load up the
>>> form without it being https, and the submission would still be SSL
>>> secured?
>>
>> Yup, that should work (with a non ajax form)
>>
>> Fred
>>
>>> On Jul 31, 12:46 pm, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>> wrote:
>>
>>>> On 31 Jul 2008, at 20:07, -kinetic wrote:
>>
>>>>> Yes, but a regular form will submit non ssl encrypted  
>>>>> information, so
>>>>> that would defeat the purpose.
>>
>>>> Not if you set the url for that normal form to be an https one.
>>>> Still
>>>> doesn''t help you as far as the ajaxyness goes. Is it
not acceptable
>>>> for the link_to_remote to insert into the page a form (and for
that
>>>> form submit to be a regular non ajax form) ?
>>
>>>> Fred
>>
>>>>> So I need to render the partial as https... but only when I
need.
>>
>>>>> Currently there''s a link_to_remote that hits an
action that''s
>>>>> ssl_required, but that doesn''t work unless the
page that''s going
>>>>> to
>>>>> render that partial through ajax is also ssl_required.
>>
>>>>> Since this link_to_remote lives everywhere, that''d
mean my
>>>>> entire site
>>>>> needs to be secured by ssl.  That''s ridiculous. 
I''m sure this
>>>>> is a
>>>>> common problem, what are people doing to solve this issue?
>>
>>>>> On Jul 31, 3:49 am, Frederick Cheung
<frederick.che...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
>>>>> wrote:
>>>>>> On 31 Jul 2008, at 01:46, -kinetic wrote:
>>
>>>>>>> I have a page that has nothing on it that needs to
be secured by
>>>>>>> SSL,
>>>>>>> except when someone wants to hit an ajax request to
login.
>>
>>>>>>> I don''t want to secure every page, just so
that when I render a
>>>>>>> partial that needs to be https, it''ll be
protected.
>>
>>>>>> I think that single origin policy says you
can''t do that. If your
>>>>>> login form is a regular form then you''ll be
ok.
>>
>>>>>> Fred
>>
>>>>>>> I''m using thessl_requirementplugin.
>>
>>>>>>> Any ideas on what to do?  Is this even possible? 
Or will I
>>>>>>> have to
>>>>>>> encrypt every single page?  I''d rather not
do popup windows,
>>>>>>> everything''s nice and slickly inserted
with cool DOM
>>>>>>> manipulation.
>>
>>>>>>> Thanks!
> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---