Page MenuHomePhabricator

Canonical URL in Store points to HTTP address, should be HTTPS
Closed, ResolvedPublic

Description

The [[ view-source:https://store.wikimedia.org/ | source code ]] at the Wikimedia Store includes a canonical URL that points to the non-HTTPS address. There's also a script directly above, that changes to the HTTPS-site.

<script>
	if (window.location.protocol == "http:") {
		var restOfUrl = window.location.href.substr(5);
		window.location.replace("https:" + restOfUrl);
	}
</script>
<link rel="canonical" href="http://store.wikimedia.org/" />

At least the canonical URL should be exchanged with the HTTPS address

Event Timeline

Volker_E created this task.Mar 29 2016, 1:30 AM
Restricted Application added a project: Traffic. · View Herald TranscriptMar 29 2016, 1:30 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
ema triaged this task as Medium priority.Jul 8 2016, 10:18 AM
Restricted Application added a project: SRE. · View Herald TranscriptJul 8 2016, 10:18 AM
BBlack moved this task from Triage to TLS on the Traffic board.Sep 30 2016, 1:48 PM
BBlack closed this task as Resolved.Jun 26 2017, 10:27 PM
BBlack claimed this task.
BBlack added a subscriber: BBlack.

Currently this looks to be fixed. The relevant snippet on the live store site is now:

<script>
        if (window.location.protocol == "http:") {
                var restOfUrl = window.location.href.substr(5);
                window.location.replace("https:" + restOfUrl);
        }
</script>
<link rel="canonical" href="https://store.wikimedia.org/" />

(and yes, they do seem to properly 301-redirect HTTP to HTTPS, so I'm not sure why the hacky JS protocol redirect is still there, but it doesn't hurt anything)