Page MenuHomePhabricator

[betacluster] "Cross-Origin Request Blocked" and "the content must be served over HTTPS" console errors
Closed, ResolvedPublic

Description

1.Go to https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page

  1. Console displays

Mixed Content: The page at 'https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page' was loaded over HTTPS, but requested an insecure script 'http://login.wikimedia.beta.wmflabs.org/wiki/Special:CentralAutoLogin/checkLoggedIn?type=script&wikiid=enwiki&proto=https&return=1&returnto=Main+Page'. This request has been blocked; the content must be served over HTTPS.

  1. Logging in can be done successfully, but then you cannot see cross-wiki notifications:

There are errors in Console - e.g.:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://he.wikipedia.beta.wmflabs.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fen%2Ewikipedia%2Ebeta%2Ewmflabs%2Eorg&centralauthtoken=e9a41cbf357879c12bab5138a6e94e132ca4&notsections=message&meta=notifications&notgroupbysection=1&notmessageunreadfirst=1&notformat=model&notlimit=25&notprop=index%7Clist%7Ccount&uselang=en&notnoforn=1&notfilter=!read. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

Request URL: http://commons.wikimedia.beta.wmflabs.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fen%2Ewikipedia%2Ebeta%2Ewmflabs%2Eorg&centralauthtoken=ef49afda484c5dd23cb91af8d4b12e6b2ca4&notsections=message&meta=notifications&notgroupbysection=1&notmessageunreadfirst=1&notformat=model&notlimit=25&notprop=index%7Clist%7Ccount&uselang=en&notnoforn=1&notfilter=!read
Request Method: GET
Status Code: HTTP/1.1 503 Service Unavailable
Request Headers 12:09:15.000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:42.0) Gecko/20100101 Firefox/42.0
Referer: https://en.wikipedia.beta.wmflabs.org
Origin: https://en.wikipedia.beta.wmflabs.org
Host: commons.wikimedia.beta.wmflabs.org

Event Timeline

Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 26 2016, 8:21 PM
greg renamed this task from [betalabs] "Cross-Origin Request Blocked" and "the content must be served over HTTPS" console errors to [betacluster] "Cross-Origin Request Blocked" and "the content must be served over HTTPS" console errors.Feb 26 2016, 8:22 PM

This seems related, but may be a separate bug: when logging in on beta labs, CentralAuth tries to send autologin requests over HTTPS and those fail:

Navigated to http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page
Navigated to http://en.wikipedia.beta.wmflabs.org/wiki/Main_Page
Main_Page:153 GET https://en.wikisource.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://en.wikiversity.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://en.wikinews.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://meta.wikimedia.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://en.wikiquote.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://deployment.wikimedia.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://en.wikibooks.beta.wmflabs.org/wiki/Special:CentralAutoLogin/createSession?token=[redacted]&type=1x1&from=enwiki&proto=http net::ERR_INSECURE_RESPONSE
Main_Page:153 GET https://en.wiktionary.beta.wmflabs.org/wiki/Special:CentralAutoLogin/start?type=1x1&from=enwiki net::ERR_INSECURE_RESPONSE

Probably fail due to the untrusted certificate. See {T97593} and T50501: beta: Get SSL certificates for *.{projects}.beta.wmflabs.org

Catrope removed a subscriber: Catrope.May 4 2016, 9:05 PM
hashar changed the task status from Open to Stalled.Jun 30 2016, 10:42 AM
hashar triaged this task as Low priority.
hashar added a subscriber: hashar.

Beta does not support https T50501.

hashar changed the task status from Stalled to Open.Aug 31 2016, 3:15 PM

Beta has SSL now (T50501)

AlexMonk-WMF closed this task as Resolved.Aug 31 2016, 3:29 PM
AlexMonk-WMF claimed this task.
AlexMonk-WMF added a subscriber: AlexMonk-WMF.

I think this is fixed now