Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-16294

Openstreetmaps requires to switch off browser check for active content

    Details

    • Type: Improvement
    • Status: Done/Fixed
    • Priority: Major
    • Resolution: Fixed/Completed
    • Affects Version/s: 4.5, 4.6
    • Fix Version/s: 4.7
    • Component/s: None
    • Labels:
      None
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code

      Description

      Since Firefox Version 23 (or so), OpenStreetMap didn't work any more as a mapping provider in my environment. The reason is: Since that version, Firefox (as well as most of the other browsers) blocks active content loaded from http sites, when called from an https site.

      So, as CiviCRM should run on https, but calls the mapping script from http://openlayers.org/api/OpenLayers.js (without http"s"), this browser option prohibits the OpenStreetMap from being displayed.

      As a workaround, the default browser option can be changed, to allow the usage of active content (about:config > security.mixed_content.block_active_content = false) - but this creates a security issue which enables man-in-the-middle attacks. And better should not be used by default.

      A simple solution would have been to call the OpenLayers script via https. Unfortunately, this seems not to be available. However, for security reasons, we should try to fix this. Any ideas?

        Attachments

          Activity

            People

            • Assignee:
              colemanw Coleman Watts
              Reporter:
              detsieber Detlev Sieber
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: