Chrome blocking some downloads when the external URL for a resource is provided in HTTP #2760
Comments
Thank you for this detailed issue. I see that we have the same issue on data.gouv.fr, ex: https://www.data.gouv.fr/fr/datasets/liste-des-points-de-recharge-de-la-carte-pastel/. Some inputs on this issue and the possible implementation:
Let me know if this is clear enough for you.
@maudetes thanks for your answer. We will check the
Thank you for the script! I'd be interested to know how you've dealt with the
We have tried for ourselves to upgrade the urls to
We have tried removing http from the
Indeed! We actually have a proper error message with the validation error reason, that is replaced with this Line 141 in 63f7848
We could return the full validation error instead (they aren't localized though).
It would make sense. Could the internationalization be done directly in uris.py? The message "Invalid URL" is not false, but not precise enough. It could be kept, and we could extend the error message with some extra information. So the error message coming from the validator would be: "Invalid scheme http". I think it would be good to clarify what the authorised schemes are. For example: 'Invalid URL: invalid scheme "http". The authorised schemes in a URL are: "https", "ftp", "ftps"'.
Seems feasible indeed! We can use Let us know if you try it out, else we can plan this later to pick it for future sprint iterations.
Here is a draft PR which has not been tested yet (I have not been able to install the development environment so far):
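The more precise validation message discussed in the comments above, together with an audit of already-stored HTTP resource URLs, sketched as an added example. It is not udata code and not the draft PR; the function names, the exception class and the sample records are hypothetical, and the allowed schemes are the ones quoted in the proposed message.

```python
from urllib.parse import urlsplit, urlunsplit

# Schemes taken from the error message proposed in the comment above.
ALLOWED_SCHEMES = ("https", "ftp", "ftps")

class URLValidationError(ValueError):
    """Hypothetical exception type for this example."""


def validate_resource_url(url, allowed=ALLOWED_SCHEMES):
    """Return the URL unchanged if its scheme is allowed, else raise with the reason."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if not scheme or not parts.netloc:
        raise URLValidationError(f'Invalid URL: "{url}" is not an absolute URL')
    if scheme not in allowed:
        listed = ", ".join(f'"{s}"' for s in allowed)
        raise URLValidationError(
            f'Invalid URL: invalid scheme "{scheme}". '
            f"The authorised schemes in a URL are: {listed}"
        )
    return url


def audit_resources(resources, allowed=ALLOWED_SCHEMES):
    """List stored resources that fail validation, with an https candidate for http ones."""
    findings = []
    for res in resources:
        try:
            validate_resource_url(res["url"], allowed)
        except URLValidationError as exc:
            parts = urlsplit(res["url"].strip())
            candidate = None
            if parts.scheme.lower() == "http":
                # Candidate only: the remote host must really serve HTTPS, so check before rewriting.
                candidate = urlunsplit(("https",) + tuple(parts[1:]))
            findings.append({"id": res["id"], "error": str(exc), "https_candidate": candidate})
    return findings

# Constructed sample records (not real catalogue data).
SAMPLE = [
    {"id": "r1", "url": "http://files.example.org/data/results.ods"},
    {"id": "r2", "url": "https://files.example.org/data/results.csv"},
    {"id": "r3", "url": "ftp://ftp.example.org/pub/archive.zip"},
    {"id": "r4", "url": "files.example.org/no-scheme.csv"},
]

if __name__ == "__main__":
    print(*audit_resources(SAMPLE), sep="\n")
```

The `https_candidate` value is a suggestion to test, since a host that only answers over HTTP would turn a blocked download into a broken link.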
Chrome blocks the downloads of some resources. These resources are external and their URL is in HTTP and not HTTPS.
Detailed Description
More details about the change in Chrome here:
https://blog.chromium.org/2020/02/protecting-users-from-insecure.html
This happens only for resources which should be downloaded by the browser (if the resource is a web page, e.g. for documentation, the problem does not happen).
How to reproduce
You can for example check this dataset in Chrome:
https://data.public.lu/en/datasets/57068838a30b1b33caf65976/
If you click on the download button on the first resource (in ods format), Chrome will block the download with the following error in the console:
Mixed Content: The site at 'https://data.public.lu/' was loaded over a secure connection, but the file at 'https://elections.public.lu/opendata/referendum/2015/referendum-2015-ods.ods' was redirected through an insecure connection. This file should be served over HTTPS. This download has been blocked. See https://blog.chromium.org/2020/02/protecting-users-from-insecure.html for more details.
If we change the URL by replacing http by https, the issue is fixed.
The same problem happens also with our udata 4 instance.
Context
Some users are complaining because they cannot download some files on our udata instance. We still have lots of old datasets with external resources in HTTP, and nothing prevents data producers from adding new resources with HTTP URLs.
Possible Implementation
Your Environment