CRM-16294 Openstreetmaps requires to switch off browser check for active content

    Details

    • Type: Improvement
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.5, 4.6
    • Fix Version/s: 4.7
    • Component/s: None
    • Labels:
      None
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      Since Firefox Version 23 (or so), OpenStreetMap didn't work any more as a mapping provider in my environment. The reason is: Since that version, Firefox (as well as most of the other browsers) blocks active content loaded from http sites, when called from an https site.

      So, as CiviCRM should run on https, but calls the mapping script from http://openlayers.org/api/OpenLayers.js (without http"s"), this browser option prohibits the OpenStreetMap from being displayed.

      As a workaround, the default browser option can be changed to allow the usage of active content (about:config > security.mixed_content.block_active_content = false), but this creates a security issue which enables man-in-the-middle attacks, and it had better not be used by default.

      A simple solution would have been to call the OpenLayers script via https. Unfortunately, this seems not to be available. However, for security reasons, we should try to fix this. Any ideas?

          Activity

          Detlev Sieber added a comment -

          As I found out, OpenLayers says:

          "You are strongly encouraged to host your own build of OpenLayers. http://openlayers.org/api/ has no guaranteed uptime and runs on a slow server."

          See: https://github.com/openlayers/openlayers/issues/1025

          It seems that OpenLayers should be incorporated into CiviCRM if we want to have secure (and quick) access to OpenStreetMap. However, it is quite a large package (11,7 MB unzipped) - maybe it would be better to create an extension that installs the OpenStreetMap support for those CiviCRM users who need a secure and privacy-friendly alternative to Google services?

          charlie added a comment -

          We're impacted by this as well. Currently, all mapping features do not work if civicrm is served from an https site.

          If you want to continue to not include OpenLayers with the CiviCRM distribution, you could use CDNjs or another cdn which supports https: https://cdnjs.com/libraries/openlayers.

          Replace http://openlayers.org/api/OpenLayers.js with https://cdnjs.cloudflare.com/ajax/libs/openlayers/2.13.1/OpenLayers.js.

          Ideally, you'd also switch to an https-supporting tile provider as well, such as http://developer.mapquest.com/web/products/open/map, with these tileserver URLs:

          https://otile1-s.mqcdn.com/tiles/1.0.0/map
          https://otile2-s.mqcdn.com/tiles/1.0.0/map
          https://otile3-s.mqcdn.com/tiles/1.0.0/map
          https://otile4-s.mqcdn.com/tiles/1.0.0/map

          Coleman Watts added a comment -

          The simplest fix would be to remove the protocol from the links. So replace http://openlayers.org... with //openlayers.org...
          Every major browser supports this. More information at http://stackoverflow.com/questions/6785442/browser-support-for-urls-beginning-with-double-slash

          If the other cdn is faster or more reliable, then switching that seems good too.

          Would you like to submit a PR for this?

          charlie added a comment -

          @ColemanWatts, protocol-relative links will not work, as openlayers.org does not support https for that endpoint. It's necessary to either switch to a CDN that supports ssl, or to ship OpenLayers with civicrm.

          Coleman Watts added a comment -

          OK, thanks for the clarification. Would you like to submit a PR to switch the cdn links? I think this lightweight solution makes the most sense for core, and I would also be in support of an extension that runs openlayers locally.

          charlie added a comment -

          Added a PR to switch to cdnjs and use mapquest-open tiles: https://github.com/civicrm/civicrm-core/pull/5654

          David Greenberg added a comment -

          Coleman - can you review this once we get into 4.7 'mode'?
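
How the URLs discussed in this thread are classified when the page itself is served over https, as an added example (not part of the issue or of CiviCRM's code). The page URL `crm.example.org` and the simplified list of "active" resource types are assumptions of the example; the resource URLs are the ones quoted in the comments above.

```javascript
// Resource types treated as "active" (blockable) mixed content. Images such
// as map tiles count as "passive". Simplified list, assumed for this example.
const ACTIVE_TYPES = new Set(['script', 'stylesheet', 'iframe', 'xhr']);

// Constructed sample built from the URLs quoted in this issue.
const SAMPLE_RESOURCES = [
  { type: 'script', url: 'http://openlayers.org/api/OpenLayers.js' },
  { type: 'script', url: '//openlayers.org/api/OpenLayers.js' },
  { type: 'script', url: 'https://cdnjs.cloudflare.com/ajax/libs/openlayers/2.13.1/OpenLayers.js' },
  { type: 'image', url: 'https://otile1-s.mqcdn.com/tiles/1.0.0/map' },
];

function classifyResource(pageUrl, resource) {
  const page = new URL(pageUrl);
  // A protocol-relative URL ("//host/path") inherits the scheme of the page.
  const resolved = new URL(resource.url, page);
  const result = { type: resource.type, original: resource.url, resolved: resolved.href };
  if (page.protocol !== 'https:') {
    result.verdict = 'ok'; // mixed-content rules only apply to https pages
  } else if (resolved.protocol === 'https:') {
    // Not mixed content, but a protocol-relative link only loads if the host
    // really serves https, which this offline check cannot verify.
    result.verdict = resource.url.startsWith('//') ? 'needs-https-on-host' : 'ok';
  } else if (resolved.protocol === 'http:') {
    result.verdict = ACTIVE_TYPES.has(resource.type)
      ? 'blocked-active-mixed'
      : 'passive-mixed';
  } else {
    result.verdict = 'not-checked'; // data:, blob: and others are out of scope
  }
  return result;
}

function auditPage(pageUrl, resources) {
  return resources.map((r) => classifyResource(pageUrl, r));
}

// Hypothetical https CiviCRM page used as the base URL.
for (const r of auditPage('https://crm.example.org/civicrm/contact/map', SAMPLE_RESOURCES)) {
  console.log(`${r.verdict.padEnd(22)} ${r.type.padEnd(7)} ${r.resolved}`);
}
```

The second entry resolves to `https://openlayers.org/api/OpenLayers.js`, so it passes the mixed-content check but depends on that host answering over https.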

            People

            • Assignee:
              Coleman Watts
              Reporter:
              Detlev Sieber
