IGBF-2485: Investigate IGB localhost endpoint HTTPS

Details

• Type: Task
• Status: Closed
• Priority: Blocker
• Resolution: Done
• Affects Version/s: None
• Fix Version/s: None

Description

Situation: IGB listens on localhost port 7085 and provides various endpoints that can be hit from the user's browser, such as checking if IGB is running (http://127.0.0.1:7085/igbStatusCheck).

Problem: The current IGB endpoint is accessed through http. However, all of our sites that use the IGB endpoints (genome dashboard, BioViz Connect (connect.bioviz.org), app store) are now configured to use https. When testing on the Safari browser, Safari blocked the site from accessing the localhost IGB endpoints with the following message:

The page at https://connect.bioviz.org/base/#/iplant/home/nowlanf/SmokeTesting/H_sapiens_Dec_2013 was not allowed to display insecure content from http://127.0.0.1:7085/igbStatusCheck.

The problem seems to be that Safari has strict security settings that prevent an https site from accessing http. This issue is not present on Chrome/Firefox, but if they were to enforce stricter security it would break a lot of IGB functionality.

To replicate the issue:
1. Start IGB
2. Open Safari
3. Go to https://apps.bioviz.org/apps/org.lorainelab.igb.protannot
4. Check the console for errors/warnings

Task: Investigate how to fix this issue. A possible solution may be to change the IGB localhost to use https.

Activity
ann.loraine Ann Loraine added a comment -

Nowlan Freese - Should this be attached to Epic "Improve IGB for Users" since it would fix a bad bug affecting users?
prutha Prutha Kulkarni (Inactive) added a comment - edited

Findings:

• When I tried to replicate the issue using the link "https://apps.bioviz.org/apps/org.lorainelab.igb.protannot", the console was showing errors and warnings, which were because of mixed content, i.e. we are trying to access the endpoint from an "https"-enabled web page while it is served over "http".
• The issue is not seen on Chrome and Firefox, as mixed content is allowed on these browsers.
  To know more about what mixed content is, you can read the following article:
  https://developers.google.com/web/fundamentals/security/prevent-mixed-content/what-is-mixed-content
• Since the Safari 9.1 release, as per its stricter policies, mixed content access is disabled in the browser. There isn't any setting to allow such content on Safari now, but we can do the same on Chrome and Firefox.
  Related links:
  https://discussions.apple.com/thread/7235380
  https://stackoverflow.com/questions/32883306/safari-9-disallowed-running-of-insecure-content
• As suspected by Dr. Loraine (aloraine), we might need to shift the REST endpoint to https in order to resolve the issue.
• We can't resolve it on the browser side, and when it comes to the code, it already has CORS settings, which could be the potential reason for the same.
  I even found a link which says Safari's updated version doesn't understand the "*" wildcard in the CORS "Access-Control-Allow-Origin" setting, and that is why the issue is occurring.
  I tried to change the setting on my local IGB version to a known origin URL, "https://apps.bioviz.org/". This worked in Chrome and Firefox again but not in Safari. Then I realized that the browser is blocking the request even before it could reach the API. So I concluded that this won't change anything.

Dr. Loraine, could you please let me know your views on this?
ann.loraine Ann Loraine added a comment -

Philip Badzuh took a deeper look at the genome dashboard code and noticed that requests made to the https IGB API endpoints don't fail. They change the browser's window location using JavaScript. See https://jira.transvar.org/browse/IGBF-2420 for an example of a successful request. Philip Badzuh is working on making changes in our code to resolve the problem as part of https://jira.transvar.org/browse/IGBF-2490.

Closing this as it looks like we will likely not need to support https in IGB.
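The description and the closing comment together raise three questions a practitioner would want answered side by side: why Safari refused the http://127.0.0.1:7085 request from an https page, why Chrome and Firefox did not, and why a top-level window.location change to the same endpoint goes through. The JavaScript below is an added example, not code from IGB or from anyone on this issue; it models the browser's mixed-content decision as described by the W3C Mixed Content and Secure Contexts specifications. The loopback carve-out (127.0.0.0/8, ::1 and localhost count as "potentially trustworthy" origins) is the spec rule under which a browser does not flag http://127.0.0.1 as mixed content, and is the most likely reason Chrome and Firefox let the request through; the `trustLoopback` switch, the `kind` parameter and the scenario names are assumptions introduced here, while the page and endpoint URLs are taken from the issue.

```javascript
// Added example, not IGB project code: a model of the browser-side check that
// decides whether an HTTPS page may talk to the IGB localhost endpoint.
// Endpoint URL taken from the issue; the scenarios at the bottom are constructed.
const IGB_STATUS_URL = 'http://127.0.0.1:7085/igbStatusCheck';

// Loopback names the W3C Secure Contexts spec calls "potentially trustworthy"
// (127.0.0.0/8, ::1 and localhost). A browser that honours this does not treat
// http://127.0.0.1 as mixed content; the Safari behaviour in this issue did not.
function isLoopbackHost(hostname) {
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  if (hostname === '[::1]') return true; // WHATWG URL keeps the brackets on IPv6 hosts
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

function isPotentiallyTrustworthy(url, trustLoopback) {
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  return trustLoopback && isLoopbackHost(url.hostname);
}

/**
 * Mixed-content decision for a request issued from `pageUrl` to `requestUrl`.
 *   kind          'fetch'      fetch/XHR/script/img: a blockable subresource request
 *                 'navigation' top-level window.location change, which the
 *                              Mixed Content rules do not block
 *   trustLoopback whether the browser applies the loopback carve-out (assumed switch)
 * Returns { decision: 'allowed' | 'blocked', reason, message }; `message` mirrors
 * the wording Safari printed in the console for the blocked case.
 */
function mixedContentDecision(pageUrl, requestUrl, { kind = 'fetch', trustLoopback = true } = {}) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const allow = (reason) => ({ decision: 'allowed', reason, message: null });

  if (page.protocol !== 'https:') return allow('page is not a secure context');
  if (isPotentiallyTrustworthy(req, trustLoopback)) return allow('target is potentially trustworthy');
  if (kind === 'navigation') return allow('top-level navigations are not mixed content');
  return {
    decision: 'blocked',
    reason: 'blockable mixed content',
    message: `The page at ${page.href} was not allowed to display insecure content from ${req.href}.`,
  };
}

// The mixed-content check runs before anything is sent, so the server's CORS
// Access-Control-Allow-Origin header never influences a request dropped here.
function requestReachesServer(pageUrl, requestUrl, opts) {
  return mixedContentDecision(pageUrl, requestUrl, opts).decision === 'allowed';
}

// Constructed scenarios covering the cases discussed in the issue.
function scenarios() {
  const page = 'https://apps.bioviz.org/apps/org.lorainelab.igb.protannot';
  return {
    safariFetch: mixedContentDecision(page, IGB_STATUS_URL, { kind: 'fetch', trustLoopback: false }),
    chromeFetch: mixedContentDecision(page, IGB_STATUS_URL, { kind: 'fetch', trustLoopback: true }),
    safariNavigation: mixedContentDecision(page, IGB_STATUS_URL, { kind: 'navigation', trustLoopback: false }),
    safariHttpsEndpoint: mixedContentDecision(page, 'https://127.0.0.1:7085/igbStatusCheck', { kind: 'fetch', trustLoopback: false }),
    plainHttpPage: mixedContentDecision('http://example.test/page', IGB_STATUS_URL, { trustLoopback: false }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, r] of Object.entries(scenarios())) {
    console.log(`${name.padEnd(20)} ${r.decision.padEnd(8)} ${r.message ?? r.reason}`);
  }
}
```

Run it with node to print the scenario table. The ordering is the point: the mixed-content check happens before the request leaves the browser, so the CORS header experiment in the second comment could never have changed the outcome, and the two levers the model exposes are exactly the ones the issue settled between, serving the endpoint over https (which would also require a certificate the browser trusts for 127.0.0.1) or reaching it through a top-level navigation instead of a fetch.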

People

• Assignee: Prutha Kulkarni (prutha) (Inactive)
• Reporter: Nowlan Freese (nfreese)
• Votes: 0
• Watchers: 3