Force HTTPS in the tracking code whenever HTTPS is currently being used #12857
Conversation
mattab
added
the
c: Security
| @@ -137,7 +137,7 @@ public function generate( | |||
| 'trackNoScript' => $trackNoScript | |||
| ); | |||
|
|
|||
| if (SettingsPiwik::isHttpsForced()) { | |||
| if (ProxyHttp::isHttps()) { | |||
There was a problem hiding this comment.
Shouldn't it be if (ProxyHttp::isHttps() || SettingsPiwik::isHttpsForced()) {?
There was a problem hiding this comment.
If https is forced, Matomo is running under https. As ProxyHttp::isHttps returns true if the current protocol is https it isn't really needed to also check if https is forced
There was a problem hiding this comment.
So you cannot reach this function via non-SSL if SSL is forced? Than go ahead.
There was a problem hiding this comment.
This won't really work for example when Matomo is behind a proxy. The frontend may be running on http, but the backend on https. We've had this couple of times in the past. It may be also the other way around which happens quite often too that the frontend is https but the backend runs on http and in both cases it would be wrongly detected.
There was a problem hiding this comment.
If https is forced, Matomo is running under https. As ProxyHttp::isHttps returns true if the current protocol is https it isn't really needed to also check if https is forced
see for above reasons why it doesn't have to be the case.
|
Cheers @tsteur so this won't work as well as expected.
|
it is better to force SSL as soon as the HTTPS is working and is being used for the Tracking code page. follows up #7366 #12799