From da9df53b242b2ed20662aa668f74290b3a0d86eb Mon Sep 17 00:00:00 2001
From: Jason Etheridge
Date: Thu, 10 Nov 2011 12:55:32 -0500
Subject: [PATCH] LP88653 force SSL for requests from local XUL
Modifies RemoteRequest.js to convert any http:// request URL to https:// if the requesting location has a chrome:// protocol. Modifies util/network.js such that any use of util.network.request (as opposed to util.network.simple_request) will assume "secure" for the resulting request. Adds an example to the bottom of eg_vhost.conf for forcing SSL for an entire site (OPAC and everything), courtesy of Dan Wells.
Signed-off-by: Jason Etheridge
Signed-off-by: Dan Wells
---
 Open-ILS/examples/apache/eg_vhost.conf | 5 +++++
 Open-ILS/web/opac/common/js/RemoteRequest.js | 2 +-
 Open-ILS/xul/staff_client/chrome/content/util/network.js | 7 ++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/Open-ILS/examples/apache/eg_vhost.conf b/Open-ILS/examples/apache/eg_vhost.conf
index fdcc0ff615..cf593edfe1 100644
--- a/Open-ILS/examples/apache/eg_vhost.conf
+++ b/Open-ILS/examples/apache/eg_vhost.conf
@@ -625,3 +625,8 @@ RewriteRule ^/openurl$ ${openurl:%1} [NE,PT]
+
+# Uncomment the following to force SSL for everything. Note that this defeats caching
+# and you will suffer a performance hit.
+#RewriteCond %{HTTPS} off
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [NE,R,L]
diff --git a/Open-ILS/web/opac/common/js/RemoteRequest.js b/Open-ILS/web/opac/common/js/RemoteRequest.js
index 125f57ab02..ae43f11402 100644
--- a/Open-ILS/web/opac/common/js/RemoteRequest.js
+++ b/Open-ILS/web/opac/common/js/RemoteRequest.js
@@ -213,7 +213,7 @@ RemoteRequest.prototype.send = function(blocking) {
 url = 'http://'+XML_HTTP_SERVER+'/'+XML_HTTP_GATEWAY;
 if( url.match(/^http:/) &&
- (this.secure || location.href.match(/^https:/)) ) {
+ (this.secure || location.href.match(/^https:/) || location.href.match(/^chrome:/) ) ) {
 netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
 url = url.replace(/^http:/, 'https:');
 }
diff --git a/Open-ILS/xul/staff_client/chrome/content/util/network.js b/Open-ILS/xul/staff_client/chrome/content/util/network.js
index 931d1745a1..fc2b5a6277 100644
--- a/Open-ILS/xul/staff_client/chrome/content/util/network.js
+++ b/Open-ILS/xul/staff_client/chrome/content/util/network.js
@@ -81,7 +81,12 @@ util.network.prototype = {
 //obj.error.sdump('D_SES','request '+ app + ' ' + name +' '+obj.error.pretty_print(sparams.slice(1,sparams.length-1))+
 // '\noverride_params = ' + override_params + '\n_params = ' + _params + '\n');
- try {
+ try {
+
+ if (typeof _params == 'undefined') {
+ // If we're not using simple_request to get here, let's assume secure by default
+ _params = { 'secure' : true };
+ }
 var request = this._request(app,name,params,f,override_params,_params);
 if (request) {
-- 
2.43.2
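Review bot: The upgrade condition in `RemoteRequest.prototype.send` is still an allow-list of page schemes, so a page loaded from any scheme other than `https:` or `chrome:` keeps the plaintext `http://` gateway URL that the context line above builds. If nothing relies on plain http from such origins (this cannot be confirmed from the hunk), failing closed is the safer shape: `(this.secure || !location.href.match(/^http:/)) ) {`. Whichever form is kept, a short comment such as `// local XUL (chrome://) has no page scheme to inherit, so always use https` would record why `chrome:` counts as secure. The body of `send` starts and ends outside the hunk.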
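Review bot: The new default in util/network.js only fires when `_params` is omitted entirely, so a caller that passes an options object without a `secure` key, or passes `null`, is not covered by "secure by default". Defaulting the property instead of the whole argument closes that gap: `if (!_params) { _params = {}; }` followed by `if (typeof _params.secure == 'undefined') { _params.secure = true; }`. If `simple_request` reaches this code with an object that lacks `secure` (not visible here), that change would upgrade it too, so any caller that must stay on http would have to say so explicitly. The enclosing method, apparently `request`, begins and ends outside the hunk.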