Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The module does not correctly transform the addthis urls to https which causes browsers to block the loading of the js on http leading to a javascript error since addthis is not defined which breaks all other site javascript after that point.
In classes/AddThis.php:
private function getWidgetUrl() {
$url = ($this->currentlyOnHttps() ?
$this->getBaseWidgetJsUrl() : // Not https url.
$this->transformToSecureUrl($this->getBaseWidgetJsUrl()) // Transformed to https url.
);
return check_url($url);
}
The above logic is incorrect and should be !$this->currentlyOnHttps()
. However the method transformToSecureUrl() is already checking currentlyOnHttps() so it could be reduced to:
// Transformed to https url if needed.
$url = $this->transformToSecureUrl($this->getBaseWidgetJsUrl());
return check_url($url);
All other frontend addthis urls should be passed through transformToSecureUrl() to ensure the proper handling.
Comment | File | Size | Author |
---|---|---|---|
#34 | 2285177-addthis-https_links.patch | 1.05 KB | paulsheldrake |
#30 | use_schemeless_urls_to_2285177-30.patch | 14.97 KB | Baysaa |
#27 | use_schemeless_urls_to-2285177-27.patch | 15.27 KB | matglas86 |
#21 | addthis-use_schemeless_urls-2285177-21-7.patch | 2.4 KB | matason |
Comments
Comment #1
recrit CreditAttribution: recrit at Phase2 commentedThe attached patch updates getWidgetUrl() per the above recommended change and updates all other url handling
Comment #2
mshepherd CreditAttribution: mshepherd commentedWith patch applied, addthis scripts and css get loaded properly on my https site.
Thanks.
Matthew
Comment #3
aether CreditAttribution: aether commentedConfirming this fixes https issues for me.
Comment #4
mr.andrey CreditAttribution: mr.andrey commentedI applied the patch, cleared the cache and theme registry and I'm still getting the following in the rendered code:
I'm using the widget via an AddThis "Basic toolbox" block in the footer.
Any thoughts?
Comment #5
mr.andrey CreditAttribution: mr.andrey commentedTurns out $base_url in settings.php and SSL don't play nicely. I unset the $base_url and all works well.
Comment #6
robin.vaughan CreditAttribution: robin.vaughan commentedHello,
I am using Add this - "7.x-4.0-alpha4" on a website which recently migrated from http to https. After the website URL not have a HTTPS in it the add this widgets works fine on IE, Chrome and Safari but it does not work well in Mozilla. When I click to open the Add this POP up it does not load in the pop up window.
Can any please provide me with any use full information on the same, it would be a great help.
Regards,
Robin Vaughan
Comment #7
mpdonadioWouldn't it just be easier/better to use protocol relative URLs throughout the code instead of transforming between HTTP and HTTPS?
Comment #8
jcisio CreditAttribution: jcisio commentedYes, let's so it to simplify the code. I'm posting a simple patch first, then a second patch with removal of unnecessary functions.
Comment #9
jcisio CreditAttribution: jcisio commentedA comprehensive patch. We don't need check_url (which check protocol or check_plain) because we don't output it directly, but with drupal_add_js() which already escape it properly.
So patch #8 is to be reviewed, patch #9 would be a nice to have clean up.
Comment #10
stewart.adam CreditAttribution: stewart.adam commented#9 results in a fatal error (Call to undefined method AddThis::getBaseWidgetUrl()). I believe there's a typo and
getBaseWidgetUrl
should readgetBaseWidgetJsUrl
.Comment #11
Anonymous (not verified) CreditAttribution: Anonymous commentedAnother workaround before this gets fixed: in the "Advanced Settings" at admin/config/user-interface/addthis/advanced, you can manually change all the URLs to HTTPS instead of HTTP. Seems to work for me.
Comment #12
matglas86 CreditAttribution: matglas86 commentedWe do have to keep a check in there. If someone provides its own url in http and we are on htps it will fail to use the url.
I think that patch #1 should work. I did not test it yet.
Comment #13
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedthe patch no longer applies clieanly
Comment #14
matglas86 CreditAttribution: matglas86 commentedDo you mean its not a bug anymore?
Comment #15
matglas86 CreditAttribution: matglas86 commentedI tested it and created a patch based on the work that already done. But now against the latest dev. I left the schema in there. I think its better. @jcisio and @recrit will receive all the credit for this.
Comment #16
leendertdb CreditAttribution: leendertdb commentedI had the same problem, AddThis not working when website is accessed over https. Applied the patch from #15, applies cleanly and everything seems to work now. No more console errors, and functionality is restored. Thanks everyone for the effort.
Updating status to RTBC.
Comment #17
rpsuThis is purely a replica of patch #8 but applies on 7.x-4.0-alpha6. Will re-change the version tag once tests are done.
Comment #18
rpsuApparently automated testing is not enabled, so back to -dev -branch.
Comment #19
matason CreditAttribution: matason at Code Enigma commentedI tested the patch on #17, it applies cleanly and works as expected, thank you @rpsu
Comment #20
matason CreditAttribution: matason at Code Enigma commentedActually, I'm not so sure, I thought it was working but today I get a warning message when I visit /admin/config/user-interface/addthis
which is repeated and consequently the Included and Excluded services lists are empty.
I think this is caused by URI's being passed to drupal_http_request() which returns a -1002 code with the message "missing schema"
I found I had to prefix these URI's with the scheme before they were passed to drupal_http_request()
The patch attached has the one from #17 as its starting point, plus the method I added to prefix the scheme.
Has anyone else run into this or are the schemeless URI's working for you?
Comment #21
matason CreditAttribution: matason at Code Enigma commentedSorry, missed a closing bracket in that patch, this new one should be right!
Comment #22
gisleConfirming that #21 is good. It would be great to see this pushed.
Comment #23
edysmpThe patch #21 works.
Comment #24
mErilainen CreditAttribution: mErilainen at Wunder commentedSeems to work, but the protocol is appended to the url everytime I go the the settings and save them. So I need to make sure to remove the protocol when saving the values at /admin/config/user-interface/addthis/advanced
Comment #26
gislemErilainen wrote in #24:
This has now been fixed: #2713271: Everytime I 'click save configuration' another 'http' is added to each service url.
Comment #27
matglas86 CreditAttribution: matglas86 at .VDMi/ commentedI worked on this issue again because this was committed but did not work #2713271: Everytime I 'click save configuration' another 'http' is added to each service url. When looking a this issue the problem seems bigger. The root of the problem is starting at saving the url's in the configuration. We accepted all the input values and did no validation at the root of the problem.
I have changed that behavior to validate the links when saving and only load the saved url's from configuration. When validating the url on save we also handle the scheme less url better. Also when loading the widget url as admin and seeing a mismatch in the used scheme when on https we show a warning message to let the admin know it will give a problem. The message might need to be more helpful. Suggestions are welcome. This will not break the functionality but provide helpful information to correct problems. Also when you save configuration information is not altered unexpectedly.
Please review and test this patch.
I have set this state to because incorrect saving and rendering of the url (scheme) will interfere with the user when giving security warnings. We don't want that.
Comment #28
philipsens CreditAttribution: philipsens commentedPatch #27 applies cleanly. AddThis still works and I can see that the urls get loaded and contain http (which is correct). But I get these errors in the AddThis configuration:
I'm quite curious why this happens and why this happens twice. I also find it interesting that AddThis stil works.
Edit: If I change the url to https in the config it gets loaded this way.
Comment #29
Baysaa CreditAttribution: Baysaa commentedPatch at #27 applies cleanly against latest dev.
There's a small issue:
AddThis bookmark URL should not be run through addthis_url_validate. Or addthis_url_validate should accomodate for one of these URL fields to be only '#' value. In the current iteration, you can't save the Advanced Configuration page, since the "AddThis bookmark URL" field contains # as value and doesn't validate against FILTER_VALIDATE_URL.
Another issue is, I have to force https on all service URLs now as #28 says on the edit. Otherwise, if I leave it schemeless then the list of available services don't load on the Basic settings page, and displays a warning AddThis services could not be loaded from @service_url. Forcing all service URLs (except the Bookmark URL #) to be on https works on both http and https pages (mixed mode).
FYI, just to answer your question @philipsens , the above warning is displayed twice since there's 2 places where you can select it:
- Compact Menu Enabled Services
- Excluded Services
Comment #30
Baysaa CreditAttribution: Baysaa as a volunteer commentedAttached patch is basically patch at #27 but removes the validation from the "AddThis bookmark URL" field. For context, see #29
Comment #31
Baysaa CreditAttribution: Baysaa as a volunteer commentedComment #32
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedI had to add https to the services link for this to work :(
Comment #33
jcisio CreditAttribution: jcisio commentedI think today we should use https in all cases. Schemeless URL is no longer considered good: https://twitter.com/paul_irish/status/588502455530311680 (oh, that tweet was on the same day I posted my schemeless url patch).
Comment #34
paulsheldrake CreditAttribution: paulsheldrake at Kanopi Studios commentedHere is a patch that does HTTPS links and not schemeless.
Comment #35
nehajyoti CreditAttribution: nehajyoti as a volunteer and at QED42 commentedThanks. Patch https://www.drupal.org/files/issues/use_schemeless_urls_to-2285177-15.patch i.e #15 works and patch https://www.drupal.org/files/issues/addthis-fix-https-2285177-1.patch does not work.