On Feb 16, 2011, at 12:43 PM, Aryeh Gregor wrote:
On Tue, Feb 15, 2011 at 4:36 PM, Walter McGinnis walter@katipo.co.nz wrote:
Now, in practice implementing this has challenges. I'm the lead developer on Kete, an open source Ruby on Rails app (http://kete.net.nz), and recently wanted to make the switch to fully HTTPS for a site and the Kete app when used with HTTPS.
I encountered the headache of mixed content warnings.
What problems does this present in practice? I notice Gmail sometimes serves mixed content without my browser complaining significantly. The UI changes a bit, but nothing worse than normal http:// UI.
Many versions of Internet Explorer will throw up a dialog box with a warning.
All this boils down to: yes, full HTTPS is best practice, but if you make use of external APIs or services, it may be hard to achieve.
Using an external API or service by including stuff from third-party sites would send users' IP addresses to those sites, which would violate Wikimedia's privacy policy, so this isn't an issue for us.
Fair enough. Every situation is different. As I had recently attempted to go full HTTPS with a project, I thought I would share my experience of what it takes in practice.
Cheers, Walter