Using HTTPS for GitHub Pages in Google Chrome - html

I added a operation to use the microphone for my GitHub Pages hosted blog. But Chrome keeps on asking for media permissions again and again. I found out it Access Camera & Microphone in Chrome supports. The error message is:
"If you select Allow on a "http" URL your preference will not be remembered in future visits."
How do I set up or use HTTPS on GitHub Pages? Or at least how can I make Chrome remember to Allow in the preference.

Since June 2016 (three years later), GitHub pages do support https!
See "HTTPS for GitHub Pages"
GitHub Pages now officially1 supports HTTPS for all <username>.github.io sites. HTTPS provides a layer of encryption that prevents others from snooping on or tampering with traffic to your Pages site.
You can now visit *.github.io sites using HTTPS and configure HTTPS enforcement for your site.
With HTTPS enforcement enabled, any HTTP requests to your github.io site will be transparently redirected to HTTPS.
No need to adjust anything in your Chrome.

Github pages does not support https see https://help.github.com/articles/what-are-github-pages

Related

Web app 302 redirecting HTTP requests in Chrome 90 from embedded iframe

We recently started having issues with a web app used internally at our organization. Most users have been using Chrome to access the web app. The issue seems to correspond with the release of Chrome 90. The web app has been in place for a couple of years working with previous versions of Chrome without issue in this regard.
The web app uses an embedded iframe from a 3rd-party vendor. The vendor app does an HTTP GET to a URL within our web app to indicate success or failure. We then close the iframe and update our app accordingly. This has worked fine until recently. Now it seems that the HTTP GET from the vendor iframe is being 302 redirected to our login.
Example of 302 redirect
Prior to this and using MS Edge as the browser, the same HTTP GET gets a 200 response and our web app works as expected.
Example of HTTP 200 response
Since other browsers are continuing to work and there have been no significant changes to the web server, web app, or network access, we suspect something has changed with the latest version of Chrome and perhaps stricter security requirements. Why the 302 redirect? Does this have something with our SameSite cookie config? (Up to this point, we have done nothing specific with regards to SameSite).
We found that with the latest updates to Chrome, we had to set the ASP.Net Session cookie headers to include "SameSite=None; Secure".
This article provided the answer: https://web.dev/samesite-cookie-recipes/

How i can know if my web site generated cookies at the users Pc or not

We have a simple web site for our company, deployed under IIS. it contains 5 html pages with CSS, and some HTML web pages have links to other HTML pages, such as go to home page. now i want to check if my web site generated cookies at users machines or not? so can i do so? and usually does HTML web sites that do not have any login generated cookies?
Edit:
Using chrome development tools (F12) i have found the following:-
Load the development tools in your favourite web browser, then load your website.
In Chrome, the cookies will appear in the 'Application Tab' of the development tools, and under 'Storage' you will see 'Cookies.' Microsoft Edge has them in 'Debugger> Cookies'
Expand that and it will show all the cookies that have been delivered by your website.
It's possible for a 'HTML only' site to be delivering cookies, especially if you have 3rd party content.
Most of the cookies are generated on your Server Side and sent to the client.
You will have to go through your code and see whether it generates cookies.
Usually, if it's a regular HTML page, your server won't create a session for that and most likely that no cookie be sent to the client.
Otherwise, If you use .aspx pages or MVC (for example..) most likely that your server will generate Session Cookie and send it with the response to the client.
Another thing you'll have to check is whether your pages contain references to 3rd-party websites i.e includes of .css / .js files from CDNs like
Cloudflare - these CDNs usually put their own cookie in your client's browser.
And lastly, your pages might contain scripts like Google Analytics which put some cookies in your client's browser.
A HTML Page is not creating any cookies. Maybe you are mixing up Cache with Cookies? For example in PHP you have to define what shall be saved into a cookie. If you don't define any Cookie Variables, there won't be any cookies.

ERR_TOO_MANY_REDIRECTS error after using Cloudflare

After I started using Cloudflare I started facing this error in my website(frequently in chrome and opera).
Some of the points I have found out after testing multiple times are:
So far I have faced this problem in Google Chrome, Chromium, and Opera. Chrome being the major one for my visitors.
The inner pages are working fine. For example example.com/about-us is working fine but the error occurs when we visit example.com .
I once thought this is because of too many links in my home page. So tried removing all the links on home page but the error continued.
If I type example.com/node instead of example.com it works fine(example.com/node being the default home page of drupal website). But users generally type example.com so it can't be the solution.
In cloudflare settings I have changed the SSL mode to "Full Strict" from "Flexible" as suggested in this answer. It's been more than 10 hours but it hasn't helped so far.
I am using Godaddy's linux hosting. It's a Drupal Website.
Any clue is appreciated. Thanks in advance.
Since you are using SSL the issue most likely is due to the fact that you have some redirects on your website ( .htaccess ) to the httpS version of the site . On top of that Cloudflare have features in their Crypto section that allow you to make redirects directly from there. Thus if you have set such rules both places, you will most likely get a redirect looop.
My advice would be for you to check the Crypto section of your CloudFlare account and make sure that
Automatic HTTPS Rewrites
and
HTTP Strict Transport Security
are disabled.
Then clear the Cloudflare cache and try accessing your website from a fresh browser.
This should do the trick, if not , you should provide us with your .htaccess content so that the case can be resolved.

Are push notifications possible in html5 without fully https site?

Looks like Push notifications are finally usable for web-apps! Unfortunately, this requires https for ServiceWorker, which not all sites may have.
One thing I noticed in the spec it mentions:
if r's url's scheme is not one of "http" and "https", then:
Throw a TypeError."
So I'm confused - can the site be http, as long as it includes a serviceworker that is from https? For example, mydomain.com could include an https serviceworker from https://anotherdomain.com?
Another standard, web-api simple-push, doesn't mention requiring https (likely an omission in the documentation?), and "The user experience on Firefox Desktop has not been drawn out yet". Is the documentation on this outdated, or is push really only supported in FirefoxOS??
Simple-push, that is the current push solution in Firefox OS doesn't have anything to do with ServiceWorkers.
The next generation of push, implemented by both Google and Mozilla will be done through ServiceWorkers:
Push API spec
In that case yes, your content will need to be served over HTTPS.
Probably you will be interested in the LetsEncrypt initiative:
letsencrypt.org
A new certification authority that will help developers to transition their content over HTTPS.
Also just for development purposes, both Google and Mozilla implementations of ServiceWorkers allow you to bypass the check of the secure content, if you develop against localhost.
In the case of Mozilla you will need to enable the flag:
devtools.serviceWorkers.testing.enabled: true
But again this will be just for development, and AFAIK, Mozilla push landed or is about to land, and will be available in the nightly builds, you can follow the work here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1038811
No, the new generation of push notifications (i.e. Push API) requires HTTPS.
If you need to add push notifications to a website without HTTPS you can use a third-party service like Pushpad (I am the founder) that delivers notifications on your behalf.
The text you cited from the spec is from the Cache.addAll() section (5.4).
Here's the summary of addAll() on MDN:
The addAll() method of the Cache interface takes an array of URLS, retrieves them, and adds the resulting response objects to the given cache. The request objects created during retrieval become keys to the stored response operations.
Service workers can request & cache URLs that are either HTTP or HTTPS, but a Service Worker itself can only work in its registered Scope (which must be HTTPS).
simple-push is not related to Service Workers; it seems comparable to the approaches other platforms have taken:
Apple Push Notifications
Google Cloud Messaging
I found a nice bypass workaround to allow notifications from websites and domains without SSL, hence http:// and not https:// for Firefox.
Firefox holds a file inside the Mozilla directory called permissions.sqlite which is a sqlite database file that holds the permissions for domains. You can add your domain there http://yourdomainname with permissions for notifications and it will work.
I have created a demonstration for Windows here https://gist.github.com/caviv/8df5fa11a98e0e33557f75215f691d54 in golang

Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?

The users of our website run our Chrome plugin which, amongst other things, performs cross-origin requests via XMLHttpRequest as described on the Chrome extension development pages. This has been running just fine for a few years now. However, ever since our users upgraded to the latest version of Chrome (v38), these requests have failed. Our site runs on HTTPS and some of the URLs loaded via our content script are on HTTP. The message is:
[blocked] The page at 'https://www.ourpage.com/' was loaded over
HTTPS, but ran insecure content from 'http://www.externalpage.com':
this content should also be loaded over HTTPS.
The reported line where the error occurred is in the content script where I'm issuing the HTTP call:
xhr.send(null);
I have no control over the external page and I would rather not remove SSL from our own page. Question: Is this a bug or is there a workaround that I am not aware of?
(Note: The permissions in the manifest were always set to <all_urls> which had worked for a long time. Setting it to http://*/ and https://*/ did not help.)
If possible, use the https version of that external page.
If that is not possible, use the background page to handle the AJAX request (example).