
Product/product pages in SSL, new Chrome security warning for input fields

Posted: Fri Aug 18, 2017 8:42 am
by thomash2
From October, Chrome is going to start giving "NOT SECURE" warnings on pages that contain text input fields (such as <input type="text"> or <input type="email">). Product pages with options and quantity input fields will have this problem, since by default the product/product URLs are non-SSL (at least for OpenCart versions before 2.0).

What's the best way to change all product pages to SSL?

I thought maybe something like this?

Code:

<file name="system/library/url.php">  
		<operation>
			<search position="replace"><![CDATA[
				if ($connection ==  'NONSSL') {
			]]></search>
			<add><![CDATA[
				if ($route ==  'product/product') {
					$url = $this->ssl;
				} elseif ($connection ==  'NONSSL') {
			]]></add>
		</operation>
</file>
This is assuming that search module is disabled on all pages, and email form has been removed from the contact page, so that there are no other text input fields on other pages that are not SSL by default. Although we would still have to rewrite all non https direct urls to product pages in htaccess, then might as well force all urls to SSL?

Would it be simpler to replace:

Code:

if ($connection ==  'NONSSL') {
			$url = $this->url;
		} else {
			$url = $this->ssl;	
		}
with

Code:

$url = $this->ssl;
And in htaccess:

Code:

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
RewriteRule ^(.*) https://www.domain.com/$1 [R=301,L]

Re: Product/product pages in SSL, new Chrome security warning for input fields

Posted: Fri Aug 18, 2017 10:48 am
by thomash2
I would prefer not using SSL on pages that don't have input text fields, because I assume SSL will affect bandwidth?

The vqmod above does successfully change all links to SSL for product pages (1.5x), but how do I force visitors to https if they type an http direct link to a product page? I'm using SEO, so there is no common text in the URL to search for.

I've also found that http direct links to accounts and checkout do not redirect to https. And the shopping cart is http and also has http links, triggering Chrome warnings. I fixed this by:

htaccess

Code:

RewriteCond %{HTTPS} =off
RewriteRule ^account https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} =off
RewriteRule ^checkout https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
adding extra condition for checkout/cart in the vqmod

Code:

if ($route == 'product/product' || $route == 'checkout/cart') {

Re: Product/product pages in SSL, new Chrome security warning for input fields

Posted: Fri Aug 18, 2017 9:56 pm
by victorj
SSL on every page does not affect bandwidth or speed.
Considering the new rules dictated by Google, every shopping cart should run totally under SSL.
Google will start to penalize shops that are not using SSL site-wide.

Re: Product/product pages in SSL, new Chrome security warning for input fields

Posted: Sat Oct 14, 2017 7:48 am
by Dhaupin
Using htaccess can help, but it will not solve this issue in the long run. The link library generating those URLs is insecure most of the time. Chrome is saying this because your form POST is going to an insecure endpoint that may be generated automatically in the future. Because OpenCart doesn't have proper library support for SSL, you may get more of these types of warnings as browsers require more markup to use https.

The good news is that we have modules to solve this, enforce SSL everywhere, and add other securities. You can find them in the marketplace here:

1.5.x - https://www.opencart.com/index.php?rout ... n_id=19396
3.x - https://www.opencart.com/index.php?rout ... n_id=32053
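
An added example, not part of any post in this thread and not OpenCart code: a small Python audit that, given a page URL and its HTML, reports the two conditions discussed above, text-entry fields served on a non-HTTPS page and forms whose action resolves to a non-HTTPS URL. The host shop.example, the sample markup and the list of input types treated as non-text are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input types with no free-text entry; anything else counts as a text field (assumption).
NON_TEXT = {"hidden", "submit", "button", "checkbox", "radio",
            "image", "reset", "file", "range", "color"}


class FormAudit(HTMLParser):
    """Collects text-entry fields and resolved form targets from one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.text_fields = []   # names of inputs/textareas a visitor can type into
        self.form_targets = []  # absolute URLs the forms submit to

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "text").lower() not in NON_TEXT:
            self.text_fields.append(a.get("name") or "(unnamed)")
        elif tag == "textarea":
            self.text_fields.append(a.get("name") or "(unnamed)")
        elif tag == "form":
            # A missing or empty action submits to the page's own URL.
            self.form_targets.append(urljoin(self.page_url, a.get("action") or ""))


def audit(page_url, html):
    """Return a list of findings for one fetched page."""
    parser = FormAudit(page_url)
    parser.feed(html)
    findings = []
    if urlparse(page_url).scheme != "https" and parser.text_fields:
        findings.append("text input on non-HTTPS page: " + ", ".join(parser.text_fields))
    for target in parser.form_targets:
        if urlparse(target).scheme != "https":
            findings.append("form submits to non-HTTPS URL: " + target)
    return findings


# Constructed sample: a product page with a quantity field and an absolute http:// cart action.
SAMPLE = """<form action="http://shop.example/index.php?route=checkout/cart" method="post">
<input type="text" name="quantity" value="1"><input type="hidden" name="product_id" value="1">
<input type="submit" value="Add to Cart"></form>"""

if __name__ == "__main__":
    for url in ("http://shop.example/some-seo-keyword", "https://shop.example/some-seo-keyword"):
        print(url, audit(url, SAMPLE))
```

Run against the same markup at both schemes, the HTTPS page still yields one finding, because the form action was generated as an absolute http:// link; a redirect rule alone does not change what the link library emits.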