Support HTTPS redirect #4641
Comments
agjohnson
added
Improvement
|
I think we could turn on HSTS on readthedocs.org and readthedocs.io without issues. I'm not sure we should do this for custom domains at all. I'm not strictly opposed to it, but I'm not sure we should do it, either. Turning on HSTS with a long max-age (a short max-age isn't useful) is a one-way street. You can't really go back. Once somebody's browser has received a response with HSTS for docs.example.com, that browser will never request that site over plain HTTP again. Clearing the HSTS settings for a browser is non-trivial. |
|
Yup, we've certainly hit this before. Let's focus on https first, we can come back to HSTS. |
|
@agjohnson Would like to take this up. Any pointers as to where to start? |
|
@invinciblycool I think this can be solved only for the core team, as they have access to the servers |
|
What's the status of this issue? It seems the only missing thing is enabling HSTS. In another PR, @davidfischer implemented |
I think we may never do HSTS for custom domains. HSTS for readthedocs.io can roll out anytime. For .org, it is nearly ready (see the private ops issue https://github.com/rtfd/readthedocs-ops/issues/294) The harder one is redirecting custom domain traffic HTTP -> HTTPS. To do this, we need to know that the domain is active and the certificate is deployed. Many custom domains are not setup correctly and don't have a certificate. Redirecting those would be bad. I see two ways to do HTTP -> HTTPS for custom domains:
Do you see any other way? |
|
This should be considered a security vulnerability in RTFD. Developers utilizing RTFD sometimes link to their releases which could be maliciously MITM to link to compromised artifacts. Additionally, there are vulnerabilities that can be executed by abusing the Copy-Paste functionality in browsers to hide unexpected payloads, for example when copying shell commands. Here's an example: |
|
@JLLeitschuh There's a couple things going on here:
I'm all for running the entire site over HTTPS and I do believe that would increase security and privacy. However, I would not call running a static website over HTTP a security vulnerability.
Can you go into a little more details here?
What does this have to do with an HTTPS redirect? |
That private issue is closed and it seems that it's already active.
I think the solution at nginx level is better because of performance, but I'd probably like to have the data on the db also as a "trustable source". |
HSTS is not active. We just had a few remnants of the dashboard that were served over plain HTTP and if we enable HSTS none of the dashboard can be served over HTTP. |
|
Hi folks, Just looking to see if this issue made it onto the roadmap for an upcoming release. Thank you! |
|
@AustinShalit, this issue sort of has a few things going on with it. Specifically are you asking about HTTP -> HTTPS redirects for custom domains? |
|
Sorry about not being clear. Yes, I am talking about HTTP -> HTTPS redirects for custom domains. |
|
@davidfischer It has been a week. I just wanted to make sure I didn't get lost in the notification noise. |
|
Sorry I missed this. For custom domains, this is a somewhat complicated feature and will require an architectural change on our side. Currently serving docs on a custom domain only serves static files. However, this change necessitates making sure that the cert for the domain is successfully deployed before doing the redirect. We have hundreds of custom domains that "work" but are not configured such that we can issue a certificate for them so we can't just do a redirect for all of them without breaking lots of docs. This is on the roadmap and should be completed this year, but it is not likely to be in a release in the next week or two. |
|
For others, we ended up working around this by adding a JavaScript redirect from http -> https in our sphinx theme. It's not 100% perfect, but pragmatically it has been working out great. |
|
@mrocklin This still leaves you vulnerable to a downgrade attack where a potential attacker can strip our your custom JS logic and leave them in a downgraded state. Unfortunately, I'd argue that your solution gives a false sense of security when really, none is offered there. |
|
Any new updates on this? |
|
Just an issue bump, since it was talked about being done (now last year). |
|
To update here, #6905 is scheduled for release next week and will solve this issue. In order to redirect, you need to make sure that the HTTPS flag is set on your custom domain.
|
|
Just out of curiosity, what kind of redirect was implemented? |
|
Woo! Thanks Readthedocs maintainers!
…On Thu, Apr 23, 2020 at 5:41 PM Eric Holscher ***@***.***> wrote:
Closed #4641 <#4641>
via #6905 <#6905>.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4641 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACKZTGX72425R3J2DNWQPDRODNZ3ANCNFSM4FVTOSQA>
.
|
@AustinShalit We currently have it as a 302 to be safe. Once we're confident in the code, we'll likely switch it to a 301. |
|
Yesssss thank you for this! |
This is a placeholder issue, we've had a few requests to enable HTTPS always on, and hey why not HSTS as well, when HTTPS is checked on the project domain admin dashboard page.
Edit: for HSTS, see #4135 instead of this issue.
The text was updated successfully, but these errors were encountered: