straightlight wrote: It has been known that the currency from forms may not redirect to its target due to a hidden input form which most of web providers these days may decline due to CSRF vulnerabilities. It is also not in common programming practice to generically assign a post URL as a hidden field from an HTML form to redirect the browser to another location.
dragonfly-ie wrote: @straightlight et al: Is there a fix to stop WARNING on front page with SSL?
The page at https://yoursite.com/ contains a form which targets an insecure URL http://yoursite.com/common/currency/currency.
line 41 index-page: <form action="http://yoursite.com/common/currency/currency" method="post" enctype="multipart/form-data" id="form-currency">
I can, however, recommend the use of the CSRF protection form to see if that will solve the issue. It is also compatible over SSL but not yet tested on TLS encryption.
Contribution: http://www.opencart.com/index.php?route ... on_id=4773
Take note that this contribution does not reflect on any Opencart version since it is a globalized library. The only difference on its integration is with the new nowadays functionality of Opencart v2.2.0.0 and above into the framework but it is still NOT an obligation to integrate it globally into your store as I do rather recommend that you initiate this library directly into your catalog/controller/common/currency.php file into the index() method. Then, as my documentation indicates, add the echo line right below the: <form tag line into your catalog/view/theme/<your_theme>/template/common/currency.tpl file.
Afterwards, clear out your cache navigation. Close the browser, re-open the browser and see if that solves the issue.
Thanks a lot for your concise explanation @straightlight
Considering the fact that corporations are pushing for TLS, I would be interested to see testing on TLS encryption before implementing your suggested changes.
Thx again.
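A way to reproduce the warning quoted in this thread against saved page source, so a template change can be checked before and after. This is an added example, not part of any post above and not code from OpenCart or the linked contribution; the search and language forms in the sample are constructed for contrast, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the form line quoted in the thread plus two
# made-up forms (relative action, protocol-relative action + formaction).
SAMPLE_PAGE_URL = "https://yoursite.com/"
SAMPLE_HTML = """
<form action="http://yoursite.com/common/currency/currency" method="post" enctype="multipart/form-data" id="form-currency">
  <input type="hidden" name="code" value="">
</form>
<form action="/index.php?route=product/search" method="get" id="form-search"></form>
<form action="//yoursite.com/common/language/language" method="post" id="form-language">
  <button type="submit" formaction="http://yoursite.com/common/language/language">EN</button>
</form>
"""

class FormTargetAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_id = None
        self.targets = []  # (form id, attribute, resolved URL)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_id = a.get("id") or "(no id)"
            # A missing or empty action submits to the page's own URL.
            self._record("action", a.get("action") or "")
        elif tag in ("button", "input") and a.get("formaction") and self.form_id:
            # formaction on a submit control overrides the form's action.
            self._record("formaction", a["formaction"])
    def handle_endtag(self, tag):
        if tag == "form":
            self.form_id = None
    def _record(self, attr, value):
        resolved = urljoin(self.page_url, value.strip())
        self.targets.append((self.form_id, attr, resolved))

def insecure_form_targets(page_url, html):
    """Return form targets that leave HTTPS when the page itself is HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []
    audit = FormTargetAudit(page_url)
    audit.feed(html)
    return [t for t in audit.targets if urlsplit(t[2]).scheme == "http"]

if __name__ == "__main__":
    for form_id, attr, url in insecure_form_targets(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{form_id}: {attr} -> {url}")
```

Relative and protocol-relative targets inherit the page's scheme, which is why only the two absolute `http://` targets are reported for the sample.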