Readthedocs.org: Canonicalisation changes protocol from https to http

Created on 2 Feb 2018 · 6 Comments · Source: readthedocs/readthedocs.org

If you link to the page https://linuxmint-installation-guide.readthedocs.io/en/latest (without a trailing slash), the server canonicalises that address by adding a trailing slash. However, at the same time, it also changes the protocol to http, returning http://linuxmint-installation-guide.readthedocs.io/en/latest/ .

This means that, unless noticed, the user spends their subsequent time in readthedocs.io using the unsecured protocol, despite entering the site on the secured one.

The problem is most likely with the relevant Apache directive which, rather than being protocol-agnostic or force-converting to https, specifically forces the protocol to http.

I would assume that this affects all the documentation in a similar manner, not only the specific Mint documentation referred to.

Bug
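The downgrade reported above can be checked mechanically. The following is an added example, not part of the original issue or of the Read the Docs code base. The 301 status code, the hop tuples and the function names are constructed assumptions; only the two URLs come from the report.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def resolve_hop(request_url, status, location):
    """Return the absolute redirect target, or None if the hop is not a redirect."""
    if status not in REDIRECT_CODES or not location:
        return None
    # urljoin copes with absolute, scheme-relative (//host/path) and path-only values.
    return urljoin(request_url, location)

def find_downgrades(hops):
    """Return (request_url, target) pairs where an https request is sent to http."""
    findings = []
    for request_url, status, location in hops:
        target = resolve_hop(request_url, status, location)
        if target is None:
            continue
        if urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append((request_url, target))
    return findings

def add_trailing_slash(url):
    """Protocol-agnostic canonicalisation: append the slash, keep the request's scheme."""
    parts = urlsplit(url)
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    return parts._replace(path=path).geturl()

HOST = "linuxmint-installation-guide.readthedocs.io"
REQUEST = f"https://{HOST}/en/latest"

# Constructed hop matching the behaviour described in the report (status code assumed).
OBSERVED = [(REQUEST, 301, f"http://{HOST}/en/latest/")]

# Constructed hops showing Location values that keep the original scheme.
SAFE = [
    (REQUEST, 301, "/en/latest/"),            # path-only
    (REQUEST, 301, f"//{HOST}/en/latest/"),   # scheme-relative
    (REQUEST, 301, add_trailing_slash(REQUEST)),
]

if __name__ == "__main__":
    for src, dst in find_downgrades(OBSERVED):
        print(f"downgrade: {src} -> {dst}")
    print("safe hops flagged:", len(find_downgrades(SAFE)))
```
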

All 6 comments

Hi, thanks for reporting, I think this is a duplicate of #714

Ah, thanks stsewd. My apologies that I didn't notice that other post.

Goodness, has that bug report really been open for almost 4 years? Good to see it was self-assigned by humitos in late December 2017. Hopefully something will be done about it. Changing the protocol from https to http for no reason (the site appears to support both protocols) is not really on, if you don't mind me saying so.

It _has_ been open for a while. I hear you on that. We have a lot of issues which are old, as this is an open source and volunteer run effort. This means that some bugs will remain until we have time for them. Any help would be and always is appreciated - however, judgement about our response time doesn't help anyone. Constructive criticism is preferred. :)

Thanks, Richard. My comment wasn't a criticism, I just guessed that the issue had somehow fallen through the net and I am concerned because I believe security is an important issue. I would very gladly change the relevant piece of code if you can direct me to it (I had a quick look through the code but couldn't find it). It will be a simple change, especially if it involves an Apache directive - I will just need to modify the relevant directive to make the target url protocol-agnostic.

@ewangi Thanks for clarifying! You're right, of course - sec is very important. @humitos Can @ewangi help at all?

@ewangi thanks for your report!

As @stsewd mentioned, this is a duplicate. So I will close it and we can continue the technical discussion in the other issue. I added a comment.

@RichardLitt you are always so kind explaining the situation. Thanks for that. I appreciate it :)
