The locale module defines the constant LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN as the default server pattern for the translations. This constant currently uses the HTTP protocol. Also the settings defined in config/install/locale.settings.yml uses it too.
drupal.org has adopted HTTPS as the default protocol for all its services. When a client request an URI using HTTP protocol, the response redirect the client to the corresponding HTTPS URI.
The use of the on_redirect configuration when using the http_client_factory Drupal service ensures making only one request per translation file verification, using the Location heder as the file URI when receiving the 301 HTTP response status code.
Despite this, the default value should honour the HTTPS protocol used by drupal.org.
This could be accomplished by changing the LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN constant and the settings in config/install/locale.settings.yml to use the HTTPS protocol.
Comment | File | Size | Author |
---|---|---|---|
#13 | interdiff-2907863-10-13.txt | 788 bytes | tucho |
#13 | drupal_locale-prefer_https_over_http-2907863-13.patch | 2.23 KB | tucho |
Comments
Comment #2
tuchoI made a patch that updates the LOCALE_TRANSLATION_DEFAULT_SERVER_PATTERN constant and the settings defined in config/install/locale.settings.yml, so now they use HTTPS.
The patch apply on 8.4.x and 8.5.x too.
Comment #3
Sutharsan CreditAttribution: Sutharsan at LimoenGroen commentedI agree with making this change, is has been applied to Localization Update module too.
Just like we did in l10n_update, lets add an update script to update the configuration from 'http' to 'https' if the config has the default value.
See https://www.drupal.org/node/2907795#comment-12261794
Comment #4
tuchoHi @sutharsan
I attach a new patch and the interdiff, including the update hook that replace the config value for existing installations.
The patch should apply on 8.5.x branch too.
Comment #5
Sutharsan CreditAttribution: Sutharsan at LimoenGroen commentedThanks, for the addition. In general it looks good, just a few nits:
This sentence is all a developer / dev-ops gets to understand what the update function does. I suggest:
Update default server pattern value to use https.
For readability I propose the more compact:
Comment #6
tuchoHere is the patch with the correct code styling. I uploaded an interdiff too.
Comment #7
Sutharsan CreditAttribution: Sutharsan at LimoenGroen commentedNo more comments, I think this is ready to go. Tested the module and checked the code.
Because the change from http to https has only value when used in the field, I see no reason to add a test to this patch.
Patch currently applies to both 8.4.x and 8.5.x
Comment #8
xjmExcellent issue report! It explains the need for the fix quite clearly.
Usually we don't commit things that require update hooks to the production branch except for serious bugs due to the potential disruption (reference: https://www.drupal.org/core/d8-allowed-changes#disruption). I'll check with another committer for a second opinion on this.
Comment #9
xjmAlright, chatted about this a bit with @larowlan and since this isn't affecting the actual security of the request nor adding extra load, we agreed to add it to 8.5.x only, which means we should also rename that update hook. Thanks!
Comment #10
tuchoHi @xjm
Thank you for your feedback!
I just uploaded the patch with the renamed hook update function, and the trivial interdiff.
Regards!
Comment #11
Sutharsan CreditAttribution: Sutharsan at LimoenGroen commentedRTBC = Checked code && Tests passed.
Comment #12
Gábor HojtsyVery good patch, agreed with the issue summary being very concise also. Love to work with issues like this :)
As a general rule, we don't rely on outside factors in update functions because then if the constant is changed in a later release, the result of this update function will be different for people running it with that release vs. with an older release.
While this is not very likely, it could still happen. So we should inline the desired new value as well for that reason.
Comment #13
tuchoHi @gábor-hojtsy
I agree with your comment.
I attached a new patch that does not use the constant in the update hook.
Also, I attached an interdiff.
Comment #14
Sutharsan CreditAttribution: Sutharsan at LimoenGroen commentedChecked the content of the interdiff, checked that it is the same string as is used in the different places in the patch.
Comment #16
xjmAlright, looks good. Committed and pushed to 8.5.x. Thanks!
Comment #17
xjm