Details
-
Type:
Improvement
-
Status: Done/Fixed
-
Priority:
Major
-
Resolution: Fixed/Completed
-
Affects Version/s: 4.5, 4.6
-
Fix Version/s: 4.7
-
Component/s: None
-
Labels:None
-
Documentation Required?:None
-
Funding Source:Contributed Code
Description
Since Firefox Version 23 (or so), OpenStreetMap didn't work any more as a mapping provider in my environment. The reason is: Since that version, Firefox (as well as most of the other browsers) blocks active content loaded from http sites, when called from an https site.
So, as CiviCRM should run on https, but calls the mapping script from http://openlayers.org/api/OpenLayers.js (without http"s"), this browser option prohibits the OpenStreetMap from being displayed.
As a workaround, the default browser option can be changed, to allow the usage of active content (about:config > security.mixed_content.block_active_content = false) - but this creates a security issue which enables man-in-the-middle attacks. And better should not be used by default.
A simple solution would have been to call the OpenLayers script via https. Unfortunately, this seems not to be available. However, for security reasons, we should try to fix this. Any ideas?
Attachments
Activity
We're impacted by this as well. Currently, all mapping features do not work if civicrm is served from an https site.
If you want to continue to not include OpenLayers with the CiviCRM distribution, you could use CDNjs or another cdn which supports https: https://cdnjs.com/libraries/openlayers.
Replace http://openlayers.org/api/OpenLayers.js with https://cdnjs.cloudflare.com/ajax/libs/openlayers/2.13.1/OpenLayers.js.
Ideally, you'd also switch to a https-supporting tile provider as well, such as http://developer.mapquest.com/web/products/open/map, with these tileserver URLS:
https://otile1-s.mqcdn.com/tiles/1.0.0/map
https://otile2-s.mqcdn.com/tiles/1.0.0/map
https://otile3-s.mqcdn.com/tiles/1.0.0/map
https://otile4-s.mqcdn.com/tiles/1.0.0/map
The simplest fix would be to remove the protocol from the links. So replace http://openlayers.org... with //openlayers.org...
Every major browser supports this. More information at http://stackoverflow.com/questions/6785442/browser-support-for-urls-beginning-with-double-slash
If the other cdn is faster or more reliable, then switching that seems good too.
Would you like to submit a PR for this?
@ColemanWatts, protocol-relative links will not work, as openlayers.org does not support https for that endpoint. It's necessary to either switch to a CDN that supports ssl, or to ship OpenaLayers with civicrm.
Ok thanks for the clarification. Would you like to submit a PR to switch the cdn links? I think this lightweight solution makes the most sense for core, and I would also be in support of an extension that runs openlayers locally.
Added a PR to switch to cdnjs and use mapquest-open tiles: https://github.com/civicrm/civicrm-core/pull/5654
Coleman - can you review this once we get into 4.7 'mode'?
As I found out, open layers says:
"You are strongly encouraged to host your own build of OpenLayers. http://openlayers.org/api/ has no guaranteed uptime and runs on a slow server."
See: https://github.com/openlayers/openlayers/issues/1025
Seems, that OpenLayers should be incorporated into CiviCRM, if we want to have secure (and quick) access to OpenStreetMap. However, it is quite large package (11,7 MB unzipped) - maybe it would be better to create an extension that installs the OpenStreetMap support for those CiviCRM users, who need a secure and privacy friendly alternative to Google services?