On Tue, Feb 15, 2011 at 4:36 PM, Walter McGinnis walter@katipo.co.nz wrote:
> Now, in practice implementing this has challenges. I'm the lead developer on Kete, an open source Ruby on Rails app (http://kete.net.nz), and recently wanted to make the switch to fully HTTPS for a site and the Kete app when used with HTTPS.
> I encountered the headache of mixed content warnings.
What problems does this present in practice? I notice Gmail sometimes serves mixed content without my browser complaining significantly. The UI changes a bit, but nothing worse than normal http:// UI.
> All this boils down to, yes full HTTPS is best practice, but if you make use of external APIs or services, it may be hard to achieve.
Using an external API or service by including stuff from third-party sites would send users' IP addresses to those sites, which would violate Wikimedia's privacy policy, so this isn't an issue for us.