A simple example: in TWikiPreferences, the PatternSkin CSS URLs are configured, by default, to an absolute value, using PUBURL.
The problem is: when you access such a TWiki site via http*s*, most browsers tell the user that some part of the page is not downloaded in a secure way, and display an unlocked lock in the status bar. This is annoying for everybody, and disturbs the newbies. And from a security point of view, you never know whether the parts downloaded from the servers over a non-encrypted connection are important/sensitive or not.
The simplest solution, used by some TWiki installs I manage, is to use PUBURLPATH for the CSS, logos and icons URLs. Please note that PatternSkin templates also use PUBURL to access JavaScript files... and others. Wrongly, IMHO.
I've not had a look further yet, but the way absolute URLs are used in TWiki might bring internal http links onto a page viewed with http*s*, which can be a real problem in certain cases: since there is no way I know of to restrict a given web to http*s*, you have to be really careful to be sure not to browse unencrypted a web you prefer to browse with SSL enabled.
-- BenVoui
Argh. The problem with using relative URLs is that many templates are dual-purpose - they can be used in displaying a page on the server, but they can also be included in mail. Also, restricting to the absolute form significantly simplifies the job of things like PublishContrib that need to detect wiki URLs and convert them to a different base.
What I thought - but never implemented - was that the context of the rendering should tell %SCRIPTURL whether to use absolute or relative URLs. i.e. if the context is "view" then use relative URLs, but if it's "mail" then use absolute urls. That way the right format can be used in the right places. I never implemented it because I have been waiting for feedback on what I did so far, and it's quite tricky to get right.
At the same time I'd really like to get rid of PUBURLPATH and use https://develop.twiki.org/pub exclusively, converting it to work the same way (absolute when absolutely required, relative otherwise).
Can anyone work on this? I really really haven't got time.....
CC
Read the header comment for TWiki::getScriptUrl in SVN 7715
CC
This fixed the getScriptUrl problems, great.
But the PatternSkin's images, icons, CSS and JavaScript code still use absolute URLs, which means the browsers still warn about "insecure pages" as I described above. I'm reopening this bug, and reassigning it to PatternSkin.
-- BenVoui
Fixed all the PUBURL references as well.
SVN 7769
CC
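
Added example, not part of the original thread and not TWiki code: a small checker for rendered skin output that reports what the browser warning discussed above is triggered by (subresources fetched over plain http from an https page) and also the same-host http links that would take a reader off SSL. It covers a few more tag types than the thread names; the host name and paths in the sample are constructed, with absolute URLs standing in for PUBURL output and path-only URLs for PUBURLPATH output.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches while rendering the page.
SUBRESOURCES = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}
FETCHED_RELS = {"stylesheet", "icon"}  # <link> rel values that cause a fetch

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.host = urlsplit(page_url).hostname
        self.findings = []  # (line, kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_RELS:
                return
        for name in ("src", "href"):
            # Resolve the way a browser does: path-only URLs inherit https.
            target = urlsplit(urljoin(self.page_url, (attrs.get(name) or "").strip()))
            if target.scheme != "http":
                continue
            if (tag, name) in SUBRESOURCES:
                kind = "subresource"
            elif tag == "a" and target.hostname == self.host:
                kind = "downgrade-link"
            else:
                continue
            self.findings.append((self.getpos()[0], kind, tag, target.geturl()))

def find_mixed_content(page_url, html):
    """Return plain-http references in a page that was served over https."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: absolute (PUBURL-style) next to path-only (PUBURLPATH-style).
SAMPLE = """\
<link rel="stylesheet" href="http://wiki.example.test/pub/skin/style.css">
<script src="/pub/skin/behaviour.js"></script>
<img src="http://wiki.example.test/pub/skin/logo.gif">
<a href="http://wiki.example.test/bin/view/Main/WebHome">Home</a>
<a href="/bin/view/Main/WebHome">Home (relative)</a>"""
```

Running `find_mixed_content` over pages saved from an https session, before and after a skin change, shows whether any absolute http references remain.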