ohloh over https?!

Hello *,

we're running our project website http://jfire.org entirely over https and want to integrate the http://www.ohloh.net/projects/10703/widgets/projectpartnerbadge "partner badge". When I integrate this badge as indicated on http://www.ohloh.net/projects/10703/widgets many browsers show warning/error messages due to the inclusion of insecure (plain-text) content into a secure (ssl) website.

Unfortunately, it seems ohloh.net is not available on https at all. Could you please provide the ohloh service on https, too? It is not only useful for our situation, but would provide more security during login (I really don't like passwords travelling the internet in plain-text form).

Best regards, Marco :-)

As a temporary solution, I wrote the script https://www.jfire.org/ohloh-ssl.php/projects/10703/widgets/projectpartnerbadge which fetches the content in the background, replaces the URLs (to force the image being loaded indirectly, too) and forwards it to the client. Unfortunately, though, ohloh.net answers differently to my script (sending some XML) than it does to the normal browser. How can I force ohloh to answer the same way? I already tried setting the User-Agent, but somehow it doesn't work. Either my User-Agent setting is ignored, or ohloh.net uses a different criteria to decide about its answer. Before I continue trying around in the dark - could you please give me some hint?

Hi Robin,

thanks a lot for the quick response and for setting up https! The URL https://www.ohloh.net/projects/10703/widgets/projectpartnerbadge is reachable now, but unfortunately, the img tag uses the http address instead of https - thus there's still a warning/error in many browsers.

Btw. the workaround works! Thanks for fixing this. But even though this works, I'd still prefer to directly include your script.

Best regards, Marco :-)

Hi Robin,

if you want to test yourself, use IE 6 and go to this page: https://www.jfire.org/modules/content/id_14.html

I've temporarily added all the widgets to this (not active) page using the widgets' https links.

IE6 will tell you that it contains unsecure objects and asks whether you want to load them. If you say "No", you'll see what's still http.

Btw., IE7 seems to be much worse; it seems to make it quite hard to see anything at all (I've not tried it myself, though, because I don't have IE7 - I only have been told).

Best regards, Marco :-)

A little bit of reflection suggests that this can be done by using relative URLs rather than absolute URLs in the widgets.

If the "Ohloh" widget ditched:

<div class='inset'> <h4>Ohloh</h4> <ul> <li> <a href='http://www.ohloh.net/about/us'>About</a> </li> <li> ...

And used:

<div class='inset'> <h4>Ohloh</h4> <ul> <li> <a href='/about/us'>About</a> </li> <li> ...

Wouldn't that have the desired effect? Without a transport (http or https) it defaults to the current one.

Hi Robin,

thanks for your quick reply! In the long run, it would be great, if it worked with directly embedding your scripts, but at the moment, our workaround works fine. We even pipe the "Project cost" widget through as can be seen here.

Thus, there's no need to hurry (stress is not healthy) :-)

Best regards, Marco :-)

Hi Stuart,

I totally agree and for most of the widgets, it would solve the problem. Unfortunately, though, some of the widgets use images from another host...

...but there's a solution coming into my mind right now: If ohloh wants to host the images somewhere else and still reference them locally (with relative paths), they could use rewrite-rules (not sure, though, whether nginx supports this - apache definitely does) and forward the browser from http[s]://www.ohloh.net/images/amazon/(.*) to http[s]://www.amazon.com/whatever/url/$1

Best regards, Marco :-)