Tuesday, May 24, 2016

More HTTPS - housekeeping

My precvious post on HTTPS and how it affects blogs, including Moyhu, was one recording my hesitant process to just allow https links to this blog. But things are moving fast; Sou noted that Blogger had already made my decision redundant by making it the default. She linked to this notice, which also mentions that I could opt in to HTTPS redirect. I see that at at WUWT, there is annoyance at the effects that it has caused when Wordpress made redirect compulsory. I think this may be coming to Blogger.

I've taken this as a call to reorganize various other aspects of the blog to facilitate the implementation of https. I'll describe what is happening there - it should be seamless, but I ought to explain in advance in case of glitches.

HTTPS implementation issues

To recap, the issue is that Moyhu can now serve pages under https, if readers use that URL. But a HTTPS page will only show material that comes with a certificate, else it won't appear and may give scary warnings. So I have to make sure internally that all links to outside are via https.

HTML provides support for this via a Content Security Policy which you can declare with META tags. I think I can do those in the Blogger environment. The relevant one allows you to mandate that all http: links are replaced with https:. Unfortunately this doesn't mandate that the sources will provide certificates (ie supprt https), and often they won't.

Unfortunately for me, I keep much of my back-up material (images and scripts) on an Amazon S3 bucket. There are various ways that can be referenced in URL, and I used the short form that is also what is provided by the Cloudberry interface that I use. Amazon supports https (mostly), but requires a long form URL that basically specifies the region where the data is held. So it isn't just a matter of adding the s; I have to modify addresses.

Blogger editing

I have currently 563 posts and a dozen or so pages. Blogger requires that posts be written and amended through their very primitive editor, so that is a tedious process. I would very much like to just do a global search-replace, but that isn't supported. I have some other lingering issues - I would like to consolidate a number of platforms I have used in the past, such as TinyPic. Moyhu has been going for over 6 years now, and some of these platforms are shaky.

I am implementing a new system which bypasses this, by serving the page content via Javascript. That is my part only, not the comments. That means I can keep the content on my Amazon bucket, which a Cloudberry app allows me to see as just a local drive. Though I actually keep a master copy on my computer, from which I update to Amazon. The advantage is that I can now do global editing on the blog. It impels me to organise stuff more systematically, which is taking a while. And I do have to make one pass through the editor to introduce the Javascript. So this will happen gradually - I'm starting from 2009. I also have to work recursively through the scripts, which call other scripts, some of which may do addressing.

The plan

It will take a few days to work through the JS editing. I think I am close with the global replacements. Unless I mess up the JS, reader who connect with http (still recommended) shouyldn't notice anything. At some stage, the critical step of introducing the https redirect will be ventured. I hope you won't notice.

Anyway, this will be the first post to be generated by the JS system.



3 comments:

  1. Nick, I notice that with Javascript disabled (NoScript plugin) the text of this article is blank. Why is that - I'm sure this wasn't the case before...

    ReplyDelete
    Replies
    1. Ah yes. I mentioned in the article that I was planning to have all posts now served by Javascript, and this would be the first to be actually posted that way. This led to other problems, and I'm not doing that any more; this post remained the only one. I'll change that.

      Delete
    2. Ah, ok. When you said served by Javascript I took that to mean that Javascript was running on the server - not something I'm familiar with, but there's a lot that isn't these days.

      Delete