FishEye / FE-3920

Support forcing SSL to improve security and eliminate bugs


Details

    • Suggestion
    • Resolution: Fixed

    Description

      With the completion of FE-212, FishEye now supports SSL, but when it is enabled users can still access the application over non-SSL. This is problematic for two reasons:

      Reduced Security

      Users can subvert SSL and still log in insecurely. Our internal security policies state that our applications must use SSL if they collect credentials.

      Bugs

      We encountered a scenario in v2.7.6 where, if someone accessed the app over http, everything worked fine until they tried to create a Crucible review and clicked the Explore Repositories button, at which point it hung. Debugging showed it was an http/https conflict (XSS) because our "Site URL" configuration setting had "https":

      Unsafe JavaScript attempt to access frame with URL http://code.company.com/cru/CR-37 from frame with URL https://code.company.com/cru/CR-37/edit-browse/~author%3Djsmith/myrepo/. Domains, protocols and ports must match.
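What "forcing SSL" has to do in practice, as an added example that is not FishEye/Crucible code and not part of the original report: a WSGI middleware that answers every plain-http request with a redirect to the https Site URL (so a login can never be submitted insecurely and pages are never served from the http origin that collides with the https frames), adds an HSTS header to https responses, and works out the client's real scheme when a reverse proxy terminates TLS. The SITE_URL value, the demo application and the request dictionaries are constructed for the example; the proxy-header handling is the generic X-Forwarded-Proto convention, not anything FishEye documents.

```python
"""Force-HTTPS WSGI middleware (added example, not FishEye/Crucible code)."""
from urllib.parse import urlsplit, urlunsplit

# Stands in for FishEye's "Site URL" setting; value constructed for the example.
SITE_URL = "https://code.company.com"
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def effective_scheme(environ, trust_proxy=False):
    """Return the scheme the client actually used.

    Behind a reverse proxy that terminates TLS the application only ever sees
    plain http; the proxy's X-Forwarded-Proto header is the only evidence that
    the client connection was https.  It is honoured only when trust_proxy is
    True: a client that can reach the application port directly could
    otherwise spoof the header and skip the redirect.
    """
    if trust_proxy:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def https_location(environ):
    """Rebuild the requested path and query on the Site URL's https origin."""
    site = urlsplit(SITE_URL)
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/"
    return urlunsplit(("https", site.netloc, path, environ.get("QUERY_STRING", ""), ""))


def force_ssl(app, trust_proxy=False):
    """Wrap a WSGI app so that it is reachable over https only."""
    def middleware(environ, start_response):
        if effective_scheme(environ, trust_proxy) != "https":
            # Redirect rather than serve: a login form delivered over http
            # leaks credentials, and a page served from the http origin cannot
            # script an https frame (scheme, host and port must all match).
            start_response("301 Moved Permanently",
                           [("Location", https_location(environ)),
                            ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Tell browsers to use https for this host from now on, so a typed
            # or bookmarked http:// URL is upgraded before it leaves the client.
            headers = [h for h in headers if h[0].lower() != HSTS[0].lower()] + [HSTS]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return middleware


def demo_app(environ, start_response):
    """Stand-in for the real application: echoes the path it was asked for."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("PATH_INFO", "/").encode()]


def handle(environ, trust_proxy=False):
    """Run one request through force_ssl(demo_app); returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(force_ssl(demo_app, trust_proxy)(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    # Constructed requests: the report's scenario (plain http to the review
    # editor) and the same request arriving over https.
    plain = {"wsgi.url_scheme": "http", "PATH_INFO": "/cru/CR-37/edit-browse/",
             "QUERY_STRING": "", "HTTP_HOST": "code.company.com"}
    print(handle(plain))
    print(handle(dict(plain, **{"wsgi.url_scheme": "https"})))
```

The redirect uses the host from the configured Site URL rather than the request's Host header, so a request that reached the server under some other name still lands on the one origin the application expects; that is exactly the origin the "Site URL" setting commits the UI to.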


            People

              npellow Nick
              2f4876f78753 David Hergert [Windstream]
              Votes: 1
              Watchers: 7
