Details
Suggestion
Resolution: Fixed
Description
With the completion of FE-212, FishEye now supports SSL, but when SSL is enabled users can still access the application over non-SSL. This is problematic for two reasons:
Reduced Security
Users can bypass SSL and still log in insecurely. Our internal security policies state that our applications must use SSL if they collect credentials.
Bugs
We encountered a scenario in v2.7.6 where, if someone accessed the app over http, everything worked fine until they tried to create a Crucible review and clicked the Explore Repositories button, at which point it hung. Debugging showed it was an http/https conflict (XSS) because our "Site URL" configuration setting had "https":
Unsafe JavaScript attempt to access frame with URL http://code.company.com/cru/CR-37 from frame with URL https://code.company.com/cru/CR-37/edit-browse/~author%3Djsmith/myrepo/. Domains, protocols and ports must match.
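The browser error above is a same-origin failure: the two frames share a host but differ in scheme (and therefore default port). The following is an added illustration, not FishEye or Crucible code, using the two URLs from the report; `https_redirect_for` shows the kind of server-side redirect that would close the non-SSL path when the configured Site URL is https (the function names and the `site_url` parameter are assumptions for this example).

```python
from urllib.parse import urlsplit, urlunsplit

# Default ports a browser assumes when the URL has no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple a browser compares for same-origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def same_origin(url_a, url_b):
    """True only if scheme, host and port all match, as the browser requires."""
    return origin(url_a) == origin(url_b)


def https_redirect_for(request_url, site_url):
    """If the configured Site URL is https but the request arrived over plain
    http, return the https URL the server should redirect to; otherwise None.
    The fragment is dropped, since browsers never send it to the server."""
    req = urlsplit(request_url)
    site = urlsplit(site_url)
    if site.scheme.lower() != "https" or req.scheme.lower() == "https":
        return None
    return urlunsplit(("https", site.netloc, req.path, req.query, ""))


# URLs taken from the browser error in the report (constructed check).
FRAME_A = "http://code.company.com/cru/CR-37"
FRAME_B = "https://code.company.com/cru/CR-37/edit-browse/~author%3Djsmith/myrepo/"

if __name__ == "__main__":
    print("same origin:", same_origin(FRAME_A, FRAME_B))
    print("redirect to:", https_redirect_for(FRAME_A, "https://code.company.com"))
```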