On Feb 16, 2011, at 12:43 PM, Aryeh Gregor wrote:
On Tue, Feb 15, 2011 at 4:36 PM, Walter McGinnis <walter(a)katipo.co.nz> wrote:
Now, in practice implementing this has challenges. I'm the lead developer on Kete, an open source Ruby on Rails app (http://kete.net.nz), and recently wanted to make the switch to fully HTTPS for a site and the Kete app when used with HTTPS.
I encountered the headache of mixed content warnings.
What problems does this present in practice? I notice Gmail sometimes
serves mixed content without my browser complaining significantly.
The UI changes a bit, but nothing worse than normal http:// UI.
Many versions of Internet Explorer will throw up a dialog box with a warning.
All this boils down to, yes full HTTPS is best practice, but if you make use of external APIs or services, it may be hard to achieve.
Using an external API or service by including stuff from third-party
sites would send users' IP addresses to those sites, which would
violate Wikimedia's privacy policy, so this isn't an issue for us.
Fair enough. Every situation is different. As I had recently attempted to go full HTTPS
with a project, I thought I would share my experience of what it takes in practice.
Cheers,
Walter